[cabfpub] [EXTERNAL] The purpose of the CA/B Forum

Paul Walsh paul at metacert.com
Wed Oct 23 17:01:08 MST 2019 

I have a few things to say below, so please grab a coffee or glass of wine before reading it. 


> On Oct 21, 2019, at 12:59 PM, Christian Heutger via Public <public at cabforum.org> wrote:
> 
> +1
>  
> Thanks Phil,
>  
> I already started twice to post something similar but didn’t want to pour oil on fire. I attended many IETF and ICANN meetings and all were about to find a consense, build a base and improve the ecosystem. I always thought, that the CA/B Forum should be the same. Maybe it was in the past, maybe it wasn’t ever. What I currently see are hardened fronts, endless discussions without any results, members not posting at all as keeping better in the background, assign blame, … If there are topics, which didn’t work in the past, it’s now the time to work on it, if there are weakness, they should be worth to work on, together, I believe in that’s the idea of the CA/B Forum, that should be seen as the order of the users to such institutions like the CA/B Forum with members, which are big enterprises or trusts, which should also see their macro economy mandate as to be worth enough to be a big enterprise or trust, to be tolerated to exist on the market.
>  
> E.g. improve OCSP now (to be able to revoke trustworth) with all topics arised covered, it can be privacy enabled, improve the baseline requirements to be a common set of requirements and audit scheme to be trustworth, develop a validation indicator, which is valuable to be such to provide the users trust, …
>  
> Regards
> Christian
>  
> Von: Public <public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>> im Auftrag von "Dimitris Zacharopoulos (HARICA) via Public" <public at cabforum.org <mailto:public at cabforum.org>>
> Antworten an: "Dimitris Zacharopoulos (HARICA)" <dzacharo at harica.gr <mailto:dzacharo at harica.gr>>, CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org>>
> Datum: Montag, 21. Oktober 2019 um 20:24
> An: "public at cabforum.org <mailto:public at cabforum.org>" <public at cabforum.org <mailto:public at cabforum.org>>
> Betreff: [cabfpub] Fwd: Re: [EXTERNAL] The purpose of the CA/B Forum
>  
>  
> Forwarding on behalf of Phil.
> 
> 
> 
> -------- Forwarded Message -------- 
> Subject: 
> Re: [cabfpub] [EXTERNAL] The purpose of the CA/B Forum
> Date: 
> Mon, 21 Oct 2019 14:21:43 -0400
> From: 
> Phillip Hallam-Baker <phill at hallambaker.com> <mailto:phill at hallambaker.com>
> To: 
> Kirk Hall via Public <public at cabforum.org> <mailto:public at cabforum.org>
> CC: 
> Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr> <mailto:dzacharo at harica.gr>, Dimitris Zacharopoulos <jimmy at it.auth.gr> <mailto:jimmy at it.auth.gr>
>  
> 
> [I am not able to send to the list, this may be forwarded should you choose]
>  
> As one of the two people who called the meeting that led to the creation of CABForum, I can confirm that Dimitris is correct.
>  
> There is however another much more important reason for representatives whose companies operate root key programs to avoid making threats: The operation of CABForum is subject to US and EU anti-trust law. This was of course a major concern for Microsoft at the time CABForum was being formed. 
>  
> I recently had to point out to one root key program operator that they should run a proposed internal ballot on through their internal lawyers as they would face an obvious anti-Trust challenge if they allowed it to go ahead.
>  
> It would probably be wise for all parties operating root programs to note that there are storms brewing in Washington as well as Brussels. And not just in one party.

[PW] +1

I look forward to Google’s response to Phil’s message. It’s important because Phil was responding to Google's inaccurate assertions about the purpose of the forum. I apologize if it was posted and I missed it. This doesn’t preclude other browser vendors from participating in this conversation. 

When the “Purpose" of this Forum is used to make a point, it's usually by a browser vendor to highlight "voluntary participation”. Yet, it’s acceptable for browser vendors to also mandate what CAs must do and shall not do. “CA/Browser Forum" has become an oxymoron, not by design, but by how it’s being used.

I propose either changing the purpose, or change how things are done around here. This could reduce the risk of newer participants getting confused in the future. 

Either all members agree to comply with guidelines / best practices after consensus has been reached, OR everything is voluntary for everyone, all the time. From what I’ve witnessed over time, discussing anything that is mandatory inside a voluntary-based group is the biggest reason for ongoing debates over the purpose. There is something very wrong when an important member like Google doesn’t know what the purpose of the forum is. I assert that with confidence because no single member can possibly know better than the creators and Chair of the forum.

Why I think there are much deeper issues that need to be resolved:

Excluding how the story begins, the Forum of today reminds me of the satirical story 'Animal Farm' by George Orwell [1]. Over time the Forum has become a place where “all members are equal, but some members are more equal than others.” 

Can we please take ten steps back and pause. Why is everyone here? Look at what the “stakeholder benefits” say on https://cabforum.org/ <https://cabforum.org/> - security. There should only be one metric; security. And that can only be measured by how more or less secure the internet is. 

Despite billions of dollars being invested in cybersecurity technologies, data breaches and incidents of innocent people becoming victims of identity theft and fraud are on the rise. It’s quicker, easier and cheaper to use social engineering to compromise an organization than it is to find and exploit vulnerabilities. It’s **2019** (23 years after I built my first website) and dangerous URIs that lead to deceptive websites is *the* most troubling techniques favored by criminals. Seriously?! 

As one of the two people who co-instigated the creation of the W3C Standard for URI Classification that replaced PICS in 2009, and as one of the original seven Founders of the W3C Mobile Web Initiative, this stuff isn’t that hard when smart people work together. It is technically impossible to detect every new dangerous URI or website - impossible. So something new is needed - hardware USB keys are awesome - but all of society on the web ain’t going to use them. 

Security encompasses both privacy *and* safety. But it would appear that privacy (i.e. encryption) is the only thing being discussed these days. Why? Because browser vendors did what they felt was right irrespective of what other stakeholders think and the data they provided. When CAs and others [2] provide data, it's classified as biased and “vendor marketing". When Google provides data, it’s classified as independent expert peer-reviewed white papers - or something like that. You get my point.

Mozilla released Firefox 70.0 yesterday [3]. One of the major changes was the removal of UI from the address bar for EV. They didn’t even include this in their release notes until I brought it to their attention. And even then, they explained in a bullet point to millions of everyday consumers with:

"The Extended Validation (EV) indicator has been moved to the identity popup that appears when clicking the lock icon”.

Does anyone at Mozilla really think their everyday users know what EV is. There should be some kind of collaboration on this type of communication across industry with this forum being the catalyst for such communication and education. 

While I’m here, the latest version of Firefox educates users about a new visual indicator for tracking. When updated, users are prompted with a pop-out to explain what it is. Let this serve as a receipt for any time a browser vendor tries to assert that consumers can’t be trained to look at new UI for identity. 

Discussing new stuff coming down the road to get feedback is a great idea. But allowing browser vendors to mandate anything of CAs in this forum while then saying they’re here as volunteers, isn’t healthy for anyone. This forum has become toxic with a “them and us” atmosphere between CAs and browser vendors. It’s ugly and it’s not helping stakeholders that are impacted by the decisions made here. 

CA’s don’t get away that easily though. Some CAs are still promoting old browser UI for EV on their website today. This needs to stop as it’s now false advertising. While I understand and appreciate the need to market products and services, it only helps the CA-haters with their petty data-free opinions about how “website identity” can work. They say EV is dead because they hate everything to do with CAs. What they don’t realize is that they’re voicing an opinion on the design implementations of browser vendors. 

There are two main things that CA-haters hate:

1. “Overzealous marketing of the benefits of EV”
2. “Verification process”

While we know that there are literally no real world use cases of actual fraud taking place on a site that uses an EV cert, it’s still possible to cheat the system. Researchers don’t care that 93% of all new phishing sites favor DV and that over 95% of all of those come from Let’s Encrypt because they are automatically issued for free and they have terrible if any, revocation processes. 

CAs need to be seen as investing R&D budget into improving the verification process while fixing their marketing efforts online. EV will become a target the minute software makes use of them in a more meaningful way that makes it worth the effort for criminals to use as an attack vector. 

I’ve been wanting to say those things for a VERY long time. 

[1] https://en.wikipedia.org/wiki/Animal_Farm#Plot_summary
[2] https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/>
[3] https://www.mozilla.org/en-US/firefox/70.0/releasenotes/ <https://www.mozilla.org/en-US/firefox/70.0/releasenotes/>

Regards,

- Paul

>  
>  
>  
>  
>  
> On Mon, Oct 21, 2019 at 1:09 PM Kirk Hall via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>> +1 Dimitris.  As the immediate past Chair of the Forum and someone involved in creating the Forum in 2005, your analysis below is correct. 
>>  
>> From: Public <public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>> On Behalf Of Dimitris Zacharopoulos via Public
>> Sent: Monday, October 21, 2019 8:54 AM
>> To: public at cabforum.org <mailto:public at cabforum.org>
>> Subject: [EXTERNAL][cabfpub] The purpose of the CA/B Forum
>>  
>> WARNING: This email originated outside of Entrust Datacard.
>> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
>> 
>> Dear CA/B Forum Members,
>> 
>> Recent posts [1], [2] were brought to my attention with a statement from a representative of a Certificate Consumer Member who believes that the role of the Forum is the following:
>> 
>> "The Forum provides a venue to ensure Browsers do not place conflicting requirements on CAs that voluntarily participate within the browsers root programs, by facilitating discussion and feedback. This allows interoperability among the Web PKI space, which refers to the set of CAs within browsers, and thus allows easier interoperability within browsers. Prior to the Forum, it was much easier to see this reflected in the private arrangements between CAs and browsers. If different browsers had different requirements, CAs would have to act as the intermediary to identify and communicate those conflicts. Similarly, browsers had to spend significant effort working to communicate with all of the CAs in their programs, often repeatedly answering similar questions. By arranging a common mailing list, and periodic meetings, those barriers to communication can be reduced.
>> 
>> 
>> That is the sole and only purpose of the Forum. Any other suggestion is ahistorical and not reflected in the past or present activities."
>> 
>> 
>> We should not interpret silence as consent for such statements that can create misunderstandings. I put a lot of thought before posting this message because I represent a CA but I was also voted as Chair to ensure the Bylaws are followed. I personally don’t agree with that view of the purpose of the Forum (or the statement that any other suggestion is ahistorical), and I think other members disagree as well. As Chair of the Forum, I feel obligated to share some thoughts and my perspective about the purpose of the Forum.
>> 
>> When I first learned about the CA/B Forum and started receiving the public list emails, I was thrilled with the level of engagement, participation and contributions of industry leaders in the publicly-trusted certificate sector. Industry leaders, that made SSL/TLS and Code Signing Certificates known and usable around the Globe in order to secure communications and code execution, were voluntarily contributing with their valuable technical and operational experience. When critical incidents occurred that affected a large part of the webPKI, industry leaders freely shared their internal security policies/practices, so that others could publicly evaluate and use them. When it was decided for Domain Validation methods to be disclosed, Certificate Issuers disclosed their methods and the less secure methods were identified and removed. Some of the Forum's popular projects, such as the EV Guidelines and the Network Security Requirements, were driven by Certificate Issuers and were not directly linked to Certificate Consumer's Root program policies; they are now required by Root programs. This industry continues to improve Guidelines and overall security by continuously raising the security bar. It is natural for Certificate Consumers to lead and push for stricter rules but Certificate Issuers also participate in these discussions and contribute with ideas. These contributions are not made "to make Browsers happy" but to improve the overall security of the ecosystem. 
>> 
>> Mistakes happened, CAs were distrusted but that has nothing to do with the CA/B Forum. We are not here at the Forum to judge how CAs complied or not to the Guidelines or how strict or not the Browser decisions were. In my understanding these are out of CA/B Forum scope discussions. To my eyes, every contribution to the Forum is done in good faith, reviewed by some of the world's most talented and competent people I know and they are accepted into the work product of the Forum, which is our Guidelines. It is also very clear that our Guidelines need continuous improvements and it is very possible that some requirements are mis-interpretated. We are here to remove ambiguities and make these requirements as clear as possible.
>> 
>> I have no doubt that the CA/B Forum serves the "undocumented" purpose of aligning requirements between Certificate Consumer Policies, although it is not stated in the Forum's Bylaws. Perhaps this is how things started with the Forum. I don't know, I wasn't there :) But I believe things have evolved. I strongly believe that the CA/B Forum is an earnest effort by the publicly-trusted certificate industry to self-regulate in the absence of other National or International regulatory Authorities. These efforts to self-regulate exceed the purpose for Root Programs to align. After all, if that was the sole and only purpose, it might as well have been the "Browser Forum" where Browsers meet, set the common rules and then dictate CAs to follow these rules. I believe the Forum is more than that.
>> 
>> It is fortunate that we are given the opportunity to take a step back and re-check why we are all here. I can only quote from the Bylaws (emphasis mine):
>> 
>> "1.1 Purpose of the Forum
>> 
>> The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of leading Certificate Issuers and vendors of Internet browser software and other applications that use certificates (Certificate Consumers).
>> 
>> Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users."
>> 
>> I read this purpose as an "unofficial" agreement between Certificate Issuers and Certificate Consumers to improve security for internet transactions AND to create a more intuitive method of displaying secure sites to internet users. I have only been involved in the Forum for the last couple of years and although I see a lot of effort to improve security policies/practicies (as demonstrated in all the updates of the BRs, EVGs, NetSec guidelines), there are no documented efforts for the purpose of creating a more intuitive method of displaying secure sites to Internet users.
>> 
>> Setting this aside, I believe we either need to agree that the purpose of the Forum, as described in the Bylaws, is incorrect and update the Bylaws, or to take a step back and consider all that the Forum has accomplished over the last years with the Contributions of its Members, Associate Members, Interested Parties, even non-Members, and work collaboratively, in good faith to make further progress.
>> 
>> Looking back at my notes during a presentation at the F2F 46 meeting in Cupertino, I mentioned:
>> 
>> "Forum members should exercise their participation in a neutral way as much as possible. We are here to create and improve guidelines and we need to be able to do that with more participation and consensus. Some members feel “exposed” during Forum discussions. All members must have a more “neutral” behavior in the CA/B Forum discussions around guidelines. We welcome more contributions from Certificate Issuers in order to understand real cases and improve overall security". I do not recall hearing any objections to this statement, but that was perhaps because members were very polite :-)
>> 
>> I'm afraid this cannot be achieved if Certificate Consumer Members continuously bring their "guns" (i.e. Root Program Requirements) in CA/B Forum discussions. I would expect these "guns" to be displayed and used in the independent Root Program venues and not the CA/B Forum.
>> 
>> I would personally feel very disappointed (as the CA/B Forum Chair) if we were to re-purpose of the Forum to match the statement at the beginning of this email. In any case, I would like to give the opportunity for members to publicly express their opinion about the purpose of the Forum and especially the Server Certificate Working Group. I also understand and respect if some Members are reluctant to publicly state their opinion.
>> 
>> 
>> Dimitris.
>> CA/B Forum and Server Certificate Working Group Chair
>> 
>> [1] https://cabforum.org/pipermail/validation/2019-September/001326.html <https://cabforum.org/pipermail/validation/2019-September/001326.html>
>> [2] https://cabforum.org/pipermail/servercert-wg/2019-October/001171.html <https://cabforum.org/pipermail/servercert-wg/2019-October/001171.html>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org <mailto:Public at cabforum.org>
>> https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>_______________________________________________
> Public mailing list
> Public at cabforum.org <mailto:Public at cabforum.org>
> https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20191023/25500744/attachment-0001.html>

More information about the Public mailing list