[cabfpub] The purpose of the CA/B Forum

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Oct 21 15:53:59 UTC 2019 

Dear CA/B Forum Members,

Recent posts [1], [2] were brought to my attention with a statement from 
a representative of a Certificate Consumer Member who believes that the 
role of the Forum is the following:

"The Forum provides a venue to ensure Browsers do not place conflicting 
requirements on CAs that voluntarily participate within the browsers 
root programs, by facilitating discussion and feedback. This allows 
interoperability among the Web PKI space, which refers to the set of CAs 
within browsers, and thus allows easier interoperability within 
browsers. Prior to the Forum, it was much easier to see this reflected 
in the private arrangements between CAs and browsers. If different 
browsers had different requirements, CAs would have to act as the 
intermediary to identify and communicate those conflicts. Similarly, 
browsers had to spend significant effort working to communicate with all 
of the CAs in their programs, often repeatedly answering similar 
questions. By arranging a common mailing list, and periodic meetings, 
those barriers to communication can be reduced.


That is the sole and only purpose of the Forum. Any other suggestion is 
ahistorical and not reflected in the past or present activities."


We should not interpret silence as consent for such statements that can 
create misunderstandings. I put a lot of thought before posting this 
message because I represent a CA but I was also voted as Chair to ensure 
the Bylaws are followed. I personally don’t agree with that view of the 
purpose of the Forum (or the statement that any other suggestion is 
ahistorical), and I think other members disagree as well. As Chair of 
the Forum, I feel obligated to share some thoughts and my perspective 
about the purpose of the Forum.

When I first learned about the CA/B Forum and started receiving the 
public list emails, I was thrilled with the level of engagement, 
participation and contributions of industry leaders in the 
publicly-trusted certificate sector. Industry leaders, that made SSL/TLS 
and Code Signing Certificates known and usable around the Globe in order 
to secure communications and code execution, were voluntarily 
contributing with their valuable technical and operational experience. 
When critical incidents occurred that affected a large part of the 
webPKI, industry leaders freely shared their internal security 
policies/practices, so that others could publicly evaluate and use them. 
When it was decided for Domain Validation methods to be disclosed, 
Certificate Issuers disclosed their methods and the less secure methods 
were identified and removed. Some of the Forum's popular projects, such 
as the EV Guidelines and the Network Security Requirements, were driven 
by Certificate Issuers and were not directly linked to Certificate 
Consumer's Root program policies; they are now required by Root 
programs. This industry continues to improve Guidelines and overall 
security by continuously raising the security bar. It is natural for 
Certificate Consumers to lead and push for stricter rules but 
Certificate Issuers also participate in these discussions and contribute 
with ideas. These contributions are not made "to make Browsers happy" 
but to improve the overall security of the ecosystem.

Mistakes happened, CAs were distrusted but that has nothing to do with 
the CA/B Forum. We are not here at the Forum to judge how CAs complied 
or not to the Guidelines or how strict or not the Browser decisions 
were. In my understanding these are out of CA/B Forum scope discussions. 
To my eyes, every contribution to the Forum is done in good faith, 
reviewed by some of the world's most talented and competent people I 
know and they are accepted into the work product of the Forum, which is 
our Guidelines. It is also very clear that our Guidelines need 
continuous improvements and it is very possible that some requirements 
are mis-interpretated. We are here to remove ambiguities and make these 
requirements as clear as possible.

I have no doubt that the CA/B Forum serves the "undocumented" purpose of 
aligning requirements between Certificate Consumer Policies, although it 
is not stated in the Forum's Bylaws. Perhaps this is how things started 
with the Forum. I don't know, I wasn't there :) But I believe things 
have evolved. I strongly believe that the CA/B Forum is an earnest 
effort by the publicly-trusted certificate industry to *self-regulate* 
in the absence of other National or International regulatory 
Authorities. These efforts to self-regulate exceed the purpose for Root 
Programs to align. After all, if that was the sole and only purpose, it 
might as well have been the "Browser Forum" where Browsers meet, set the 
common rules and then dictate CAs to follow these rules. I believe the 
Forum is more than that.

It is fortunate that we are given the opportunity to take a step back 
and re-check why we are all here. I can only quote from the Bylaws 
(emphasis mine):

"1.1 Purpose of the Forum

The Certification Authority Browser Forum (CA/Browser Forum) is a 
voluntary gathering of leading Certificate Issuers and vendors of 
Internet browser software and other applications that use certificates 
(Certificate Consumers).

Members of the CA/Browser Forum have worked closely together in defining 
the guidelines and means of *implementation for best practices **as a 
way of providing a heightened security for Internet transactions and 
creating a more intuitive method of displaying secure sites to Internet 
users*."

I read this purpose as an "unofficial" agreement between Certificate 
Issuers and Certificate Consumers to improve security for internet 
transactions AND to create a more intuitive method of displaying secure 
sites to internet users. I have only been involved in the Forum for the 
last couple of years and although I see a lot of effort to improve 
security policies/practicies (as demonstrated in all the updates of the 
BRs, EVGs, NetSec guidelines), there are no documented efforts for the 
purpose of creating a more intuitive method of displaying secure sites 
to Internet users.

Setting this aside, I believe we either need to agree that the purpose 
of the Forum, as described in the Bylaws, is incorrect and update the 
Bylaws, or to take a step back and consider all that the Forum has 
accomplished over the last years with the Contributions of its Members, 
Associate Members, Interested Parties, even non-Members, and work 
collaboratively, in good faith to make further progress.

Looking back at my notes during a presentation at the F2F 46 meeting in 
Cupertino, I mentioned:

"Forum members should exercise their participation in a neutral way as 
much as possible. We are here to create and improve guidelines and we 
need to be able to do that with more participation and consensus. Some 
members feel “exposed” during Forum discussions. All members must have a 
more “neutral” behavior in the CA/B Forum discussions around guidelines. 
We welcome more contributions from Certificate Issuers in order to 
understand real cases and improve overall security". I do not recall 
hearing any objections to this statement, but that was perhaps because 
members were very polite :-)

I'm afraid this cannot be achieved if Certificate Consumer Members 
continuously bring their "guns" (i.e. Root Program Requirements) in CA/B 
Forum discussions. I would expect these "guns" to be displayed and used 
in the independent Root Program venues and not the CA/B Forum.

I would personally feel very disappointed (as the CA/B Forum Chair) if 
we were to re-purpose of the Forum to match the statement at the 
beginning of this email. In any case, I would like to give the 
opportunity for members to publicly express their opinion about the 
purpose of the Forum and especially the Server Certificate Working 
Group. I also understand and respect if some Members are reluctant to 
publicly state their opinion.


Dimitris.
CA/B Forum and Server Certificate Working Group Chair

[1] https://cabforum.org/pipermail/validation/2019-September/001326.html
[2] https://cabforum.org/pipermail/servercert-wg/2019-October/001171.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20191021/22f64421/attachment-0002.html>

More information about the Public mailing list