[cabfpub] [EXTERNAL]Re: Voting has started on Ballot 214 - CAA Discovery CNAME Errata

Ryan Sleevi sleevi at google.com
Mon Sep 25 21:52:50 MST 2017


Kirk,

I think it again highlights a misunderstanding about the role and relevance
of the Forum to suggest that the Forum can excuse anything, lest we also
suggest that the Forum also enforces compliance on its members. Similarly,
it highlights a misunderstanding about whether or not compliance is a
binary state. I'm sure no CA would want to be in the unenviable position of
finding them retroactively sanctioned for something expressly permitted in
the BRs, on the basis that the Forum later decided it was non-compliant.

That is, it would be unimaginable to suggest that the Forum could adopt a
ballot that suggests that everything issued under 3.2.2.4 in the past year
was misissuance. As such, it must also remain unimaginable to suggest that
the Forum could adopt a ballot that suggests something prohibited under the
past year was valid issuance. Merely, the Forum can decide what its
documents state for the future. They cannot state what they want about the
past, at least not without sacrificing the legitimacy and value of the
Forum.

This is why it's terribly unproductive to keep suggesting such ballots, and
instead focus on allowing discussions about the future to inform how
browsers - and auditors - evaluate the past.

On Tue, Sep 26, 2017 at 1:35 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> Ryan, of course the browsers can make any rules they like – neither I nor
> anyone else has questioned that.
>
>
>
> But likewise, the CA/Browser Forum can make any rules it likes, and it
> (like any Legislature in the world) can adopt its rules in the manner I
> described below, including retroactively making changes to rules that have
> been adopted.  I can provide numerous examples if you like.
>
>
>
> So it could be that the Forum retroactively excuses brief non-compliance
> with a rule that was adopted by the Forum in error.  At that point, it’s up
> to browsers like Google and others to decide and announce whether they
> agree (through their root program) or not.  Both groups – the Forum and
> individual browsers – get to decide for themselves.
>
>
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Monday, September 25, 2017 6:22 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Cc:* Tim Hollebeek <THollebeek at trustwave.com>; Jacob Hoffman-Andrews <
> jsha at letsencrypt.org>; Doug Beattie <doug.beattie at globalsign.com>
> *Subject:* [EXTERNAL]Re: [cabfpub] Voting has started on Ballot 214 - CAA
> Discovery CNAME Errata
>
>
>
>
>
>
>
> On Tue, Sep 26, 2017 at 5:39 AM, Kirk Hall via Public <public at cabforum.org>
> wrote:
>
>  So Ballot 214 would be in effect for about 12 days (Oct. 27 – Nov. 9).
> It’s possible a new ballot could say “It is not a violation of the BRs if
> CAs did not comply with Ballot 214 after its effective date but before the
> effective date of this ballot.”  We would know that provision had passed on
> about Oct. 10, but wouldn’t be effective until about Nov. 9 – but if worded
> correctly it would be retroactive to the effective date of Ballot 214.  I
> think auditors would take the position that CAs who ignored Ballot 214 for
> the 12 day period had not violated the BRs – we can check.
>
>
>
> As noted many, many times before, the suggestion of retroactive immunity
> is a decision for root stores - not the CA/Browser Forum. Compliance is
> binary, measured over time. You are either compliant or non-compliant. Our
> voting process establishes what compliance is - and redefining it changes
> it at a future point.
>
>
>
> Your suggestion of "not violating the BRs" is also not consistent. It
> would be a violation of the BRs - but the suggestion is that it can be
> informed through the CA/Browser Forum's consensus process whether that
> violation is material to the stated principles and criteria. That is very
> different than what you suggest, but a subtle and important distinction
> worth reiterating :)
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170926/cfd164d4/attachment-0001.html>


More information about the Public mailing list