[cabfpub] C=GR, C=UK exceptions in BRs

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Mar 21 13:01:11 UTC 2017



On 21/3/2017 2:44 μμ, philliph at comodo.com wrote:
>
> Ryan,
>> Do you think you could at least try to conduct your discussion here in 
> an approximately professional fashion?
>
> The constant personal attacks are really unhelpful.
>
> Phill
>

Philliph, I didn't take Ryan's reply as a personal attack. I understand 
that he often uses strong words and metaphors but the arguments are 
logical from his point of view. We don't have to agree, although it 
would help from time-to-time :)


Dimitris.

>
>> On Mar 20, 2017, at 11:44 PM, Ryan Sleevi via Public 
>> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>>
>> Dimitris,
>>
>> Thanks for providing concrete reasons to support such a change. 
>> Replies inline.
>>
>> On Mon, Mar 20, 2017 at 4:03 AM, Dimitris Zacharopoulos 
>> <jimmy at it.auth.gr <mailto:jimmy at it.auth.gr>> wrote:
>>
>>     Let me try to provide some reasons in favor of allowing these two
>>     exceptions.
>>
>>      1. For reasons unrelated to the CA/B Forum (political or
>>         whatever non-technical reasons), two EU Countries have been
>>         using different two-letter Country Identifiers in addition to
>>         the ones listed in ISO3166-1. These exceptions have been
>>         well-defined in legal EU documents, like the 1505/2015
>>         <http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505>
>>         implementing decision. Since these exceptions are used
>>         Internationally, are well-defined and globally recognized, it
>>         makes sense to allow them to be used in the webPKI as well.
>>
>> So I object to this reasoning because it's unclear what the 
>> justification is for this change. As mentioned, there are clearly 
>> international political issues at play here, and while I think 
>> Phillip's examples are actively unhelpful to making productive 
>> discussion, the fact that he feels they're relevant and on-topic to 
>> this discussion - or the remarks Geoff have made - actively highlight 
>> this.
>>
>> As mentioned elsewhere, these documents don't apply from a 9.16.3 or 
>> from a perspective of law. Further, I think you can agree that even 
>> if we accept such documents, their scope is to apply to a 
>> jurisdictional boundary, except you're proposing that these be 
>> adopted at an international level (as all certificates are inherently 
>> worldwide). So, in effect, you're proposing that the first country to 
>> pass a law gets to bypass any form of international agreement or 
>> consensus, and instead declare 'squatters' rights.
>>
>> I don't believe you intended to put it like that, but I want to 
>> highlight that is effectively what this justification is, so that you 
>> can understand why it's undesirable.
>>
>>      1. Introducing these well-defined exceptions pose no security
>>         threat because these identifiers are already known for so
>>         long. AFAIU, by adding these two exceptions, no significant
>>         problems have been identified so far in the discussion.
>>         Please note that I am not suggesting "replacing C=GR with
>>         C=EL and C=GB with C=UK" but allowing all of them to be
>>         acceptable.
>>
>> But now you've introduced an ambiguity and overload whose "source of 
>> truth" can no longer be discerned.
>>
>> For example, the conflicting examples Rob and Phillip have given - 
>> only the former of which I'm inclined to trust in this case - do 
>> create ambiguities. If the purpose of the Baseline Requirements is to 
>> agree upon unambiguous representations to the extent possible, by 
>> including full jurisdictional information (as the discussion with 
>> Li-Chun related to the X.500 DIT has shown), then introducing this 
>> change introduces unnecessary ambiguity, and through it, undermines 
>> the goal of including identity information in certificates.
>>
>> Put differently, this poses a thread to the value and usefulness of 
>> the identity information. Since a number of CAs have asserted 
>> identity information is security relevant (hence why they revoke 
>> certificates whose identity information is incorrect or misleading), 
>> we must naturally conclude that this either _does_ represent a 
>> security threat, or that identity information in certificates is not 
>> security relevant, and we should update our documents accordingly.
>>
>>      1. There may be legal reasons for some official government
>>         agencies to be represented by using C=EL or C=UK in the
>>         subject field. Should the Forum prevent that? Should the
>>         Forum question these reasons?
>>
>> Yes. Because the Forum should strive to stay apolitical to the extent 
>> possible, and we achieve that by standing on the shoulder of the 
>> giants who have gone before us, seeking out international consensus 
>> through an assemblage of experts, and when we find reason to deviate, 
>> to do so in a manner that is a consistent application of principles 
>> rather than of en-vogue politics.
>>
>> In this case, as has been mentioned, the appropriate discussion point 
>> would minimally be within the realm of ISO, as Gerv has highlighted.
>>
>> If it helps, you can think of this much like the .onion discussion, 
>> for which Google was opposed to support for such certificates without 
>> an appropriate IANA-reservation of the '.onion' TLD. Without that, 
>> the Forum would have been squatting on a domain without the consensus 
>> process. And while it might have been argued then, much like here, 
>> that .onion wouldn't produce a security risk, we can actually see 
>> that the principle applied (that it's appropriate for the Forum to 
>> squat on TLDs) _did_ create a significant security risk when applied 
>> as a rule ("Internal Server Names"). And if our principles and 
>> justifications are unsafe as general rules, then they are likely 
>> unsafe as exceptions as well, since an exception that is 
>> inconsistently applied is simply exclusionary politics.
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org <mailto:Public at cabforum.org>
>> https://cabforum.org/mailman/listinfo/public
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170321/6213b245/attachment-0003.html>


More information about the Public mailing list