[cabfpub] List of which CAs use which methods from Section 3.2.2.4?

Ryan Sleevi sleevi at google.com
Thu Jul 12 14:22:40 UTC 2018


On Thu, Jul 12, 2018 at 7:42 AM Paul Hoffman via Public <public at cabforum.org>
wrote:

> Greetings. I am interested in finding out which member CAs use each of the
> methods listed in Section 3.2.2.4 of the BRs. I looked around the CABF web
> site and could not find any such list, but could have missed it. If the
> CABF doesn't keep such a list, does anyone know of an external researcher
> who has created such a list in the past few years?
>
> Note that I'm not asking for each CA to say on this mailing list "we use
> 3.2.2.4.1 and 3.2.2.4.6"; that would not be a good use of bandwidth here. I
> just hope that someone has already collected that data.
>
> A related request would be for the CAs that allow multiple methods to
> report somewhere what percentage of their certificates from the last year
> were from each method. I really don't expect that to exist as a whole, but
> maybe CAs are reporting this on their own sites.
>
> If no one is collecting this information, maybe the CABF could start?
>

Hi Paul,

As you may know, providing information in a transparent and verifiable way
tends to be a challenge, and in general, is unsuccessful within the
CA/Browser Forum itself. However, it's also important to consider that the
CA/Browser Forum does not serve as a clearinghouse for CA information - the
set of publicly trusted CAs are a 1:1 representation of the Forum, and the
Forum is simply a non-incorporated discussion clearing house for CAs that
wish to streamline their communications with root programs. As such, your
questions are better directed to root programs directly, in practice.

To your first question - what methods are used - the CA/Browser Forum
membership does not collect nor publish that information. Efforts to
determine what CAs are using which methods are often ad-hoc, as CAs seem
reticent to discuss in the Forum the methods they use to validate the
certificates they issue. There is some information publicly available, in
response to Mozilla's CA communications [1], in particular, the January
2018 survey. Additionally, the BR Self-Assessment [2] also seeks to better
document, on an annual basis, what methods CAs are reportedly using.

As to your second question, the volume of issuance, a number of CAs have
been quite opposed to providing those details. The BRs require that CAs
record the method of validation used, as of CA/Browser Forum Ballot 169
[3]. However, given the ability of CAs to reuse previously validated
information, it's unclear whether CAs are attempting to misinterpret those
requirements by claiming information reuse, as the discussion around
Ballots 185 and 193 revealed some were prone to do.

That said, there are efforts to revisit the proposals from Ballot 193's
discussion to aid in the transparency and assurance of Relying Parties, and
to better assess ecosystem risk and impact to more effectively respond to
security incidents (as captured in [1]'s January communication), by
requiring certificates to disclose the method that was used to validate the
domain information within the certificate. This will allow for more
effective improvements to the security of the ecosystem, by ensuring
subscriber needs are met and balanced with those of Relying Parties.

[1] https://wiki.mozilla.org/CA/Communications
[2] https://wiki.mozilla.org/CA/BR_Self-Assessment
[3] https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/