[cabfpub] The purpose of the CA/B Forum

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Oct 21 17:48:17 UTC 2019



On 2019-10-21 7:19 p.m., Ryan Sleevi via Public wrote:
>
>
> On Mon, Oct 21, 2019 at 11:54 AM Dimitris Zacharopoulos via Public 
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
>
>     Dear CA/B Forum Members,
>
>     Recent posts [1], [2] were brought to my attention with a
>     statement from a representative of a Certificate Consumer Member
>     who believes that the role of the Forum is the following:
>
>     "The Forum provides a venue to ensure Browsers do not place
>     conflicting requirements on CAs that voluntarily participate
>     within the browsers root programs, by facilitating discussion and
>     feedback. This allows interoperability among the Web PKI space,
>     which refers to the set of CAs within browsers, and thus allows
>     easier interoperability within browsers. Prior to the Forum, it
>     was much easier to see this reflected in the private arrangements
>     between CAs and browsers. If different browsers had different
>     requirements, CAs would have to act as the intermediary to
>     identify and communicate those conflicts. Similarly, browsers had
>     to spend significant effort working to communicate with all of the
>     CAs in their programs, often repeatedly answering similar
>     questions. By arranging a common mailing list, and periodic
>     meetings, those barriers to communication can be reduced.
>
>
>     That is the sole and only purpose of the Forum. Any other
>     suggestion is ahistorical and not reflected in the past or present
>     activities."
>     <SNIP>
>     It is fortunate that we are given the opportunity to take a step
>     back and re-check why we are all here. I can only quote from the
>     Bylaws (emphasis mine):
>
>     "1.1 Purpose of the Forum
>
>     The Certification Authority Browser Forum (CA/Browser Forum) is a
>     voluntary gathering of leading Certificate Issuers and vendors of
>     Internet browser software and other applications that use
>     certificates (Certificate Consumers).
>
>     Members of the CA/Browser Forum have worked closely together in
>     defining the guidelines and means of *implementation for best
>     practices **as a way of providing a heightened security for
>     Internet transactions and creating a more intuitive method of
>     displaying secure sites to Internet users*."
>
>
> Dimitris,
>
> I don't believe there is the conflict you suggest between the 
> statement and the bylaws.

I see a conflict because the statement considers a different purpose 
than what is described in section 1.1 of the Bylaws. I was also 
surprised ("shocked" might better describe it) to read that any other 
purposes are "ahistorical", and see this statement being directed to a 
new Interested Party who just recently joined the Server Certificate 
Working Group.

>
> I think we're in agreement that the CA/Browser Forum is voluntary.
> I think we're in agreement that the CA/Browser Forum does not, nor has 
> it ever, defined Root Program Policy.
> I think we're in agreement that the CA/Browser Forum does not, nor has 
> it ever, "enforced" any action upon CAs.

I agree with all three. I have also been pointing out these three 
elements in every presentation related to the Forum :-) However, the 
fact that the Forum:

  * is voluntary
  * does not define "Root Program Policy" and
  * does not "enforce" nor "supervise" the CAs,

is not related to the purpose of the Forum. You can say the same thing 
about IETF or other STOs. The CA/B Forum is a consensus-driven STO that 
produces guidelines. How these guidelines are used is a different topic. 
We know for a fact that they are used as input for two International 
Standards, ETSI and WebTrust. Who knows how many other government or 
private sector areas are using the CA/B Forum's work product to define 
their policies.

>
> I think this is much clearer if you continue quoting from the Bylaws. 
> Indeed, the two sentences that immediately follow, emphasis mine, 
> highlight this:
>
> 1.2 Status of the Forum and the Forum Activities
> The Forum has no corporate or association status, but is *simply a 
> group of
> Certificate Issuers and Certificate Consumers that communicates or 
> meets from time
> to time to discuss matters of common interest relevant to the Forum’s 
> purpose. The
> Forum has no regulatory or industry powers over its members or others.*

Yes, already acknowledged that.

>
>     I read this purpose as an "unofficial" agreement between
>     Certificate Issuers and Certificate Consumers to improve security
>     for internet transactions AND to create a more intuitive method of
>     displaying secure sites to internet users.
>
>
> No. It's a statement about what the Forum has done in the past. If you 
> continue reading, you will find out what the Forum does. It merely 
> discusses.

Well, these discussions result in ballot motions, ballot motions are 
voted and Guidelines are created or updated ("maintained"). And from 
there, we know how these Guidelines are used.

>     I'm afraid this cannot be achieved if Certificate Consumer Members
>     continuously bring their "guns" (i.e. Root Program Requirements)
>     in CA/B Forum discussions. I would expect these "guns" to be
>     displayed and used in the independent Root Program venues and not
>     the CA/B Forum.
>
>
> While I can understand if you're unhappy to discuss Root Program 
> Requirements, I think it belies a fundamental misunderstanding of the 
> Forum and the Baseline Requirements.
>
> Recall: PKI was designed to allow different communities - i.e. 
> different browsers - to define different policies, profiles, and 
> practices for the CAs that participate in their different PKIs. The 
> Microsoft PKI is distinct from the Google PKI is distinct from the 
> Mozilla PKI, each of which has those vendors as the Root of Trust, 
> signing a Trust List for use within their products, based on their 
> product security requirements.
>
> Conceptually, each of these PKIs define their own profiles and 
> practices (the Root Program Requirements) and define their own means 
> of assessing (e.g. Mozilla distrusting certain auditors, Microsoft 
> allowing certain auditors). The Forum exists to allow for 
> interoperability between these distinct PKIs. The Baseline 
> Requirements serve as a means of expressing a common set of 
> requirements, in order to reduce the need of obtaining a distinct 
> Microsoft audit or a distinct Mozilla audit, which are entirely 
> plausible scenarios.
>
> Thus, it's inherent that the /only/ value of useful discussion to be 
> had is with respect to Root Program Requirements. It's also the 
> opportunity for CAs to provide input and insight into these 
> requirements, to understand what practical impact might be had, and 
> whether that's desirable or undesirable - by the Root Program.
>
> Put simply, if folks don't want to discuss Root Program Requirements, 
> then there's no point in continuing the Forum itself. If the Forum is 
> not the venue to discuss that, then we can simply use the existing 
> methods that Root Programs use to gather feedback and input from their 
> participants - CA communications directly to program participants, and 
> collaborative discussion within SDOs relevant to browser activities 
> (e.g. WHATWG/W3C). There's no need for the Forum to continue to exist, 
> because it would literally not be solving any problem or providing any 
> benefit.
>
> That seems extreme, and certainly presents it as "us v them", which is 
> an unfortunate viewpoint. However, it's inherent that the choice in 
> administering the set of trusted CAs is going to be a product security 
> decision, defined by product-specific capabilities and 
> product-specific priorities, and that's not something that can or 
> should generalize. PKI was precisely designed not to have this "one 
> size fits all" mentality, but to support the notion of many small 
> islands, sometimes with overlap and interoperability. We do not chuff 
> at the fact that the Nuclear Power Grid uses a different PKI than, 
> say, a departmental e-mail server, nor should we - it's simply a tool 
> and technology to solve a problem. To the extent browsers care about 
> interoperability, it's useful to have a place to discuss different, 
> potentially conflicting, requirements. To the extent CAs can provide 
> useful and valuable feedback about the implications of potential 
> changes, it's useful to discuss. But that's it.

I will let others state their opinion and comment about this. I, for 
one, disagree.

Although the CA/B Forum takes input from its Members (Issuers and 
Consumers), it has a consensus-driven process. This means that if a CA 
or a Browser proposes an unreasonable or insecure change to the Forum's 
Guidelines, it will need 2/3 of CAs and a majority of Browsers to enter 
the Guidelines.

If a new Certificate Consumer with completely ridiculous "My Program 
Requirements" joins the Forum, the Forum is not forced by anyone to 
adopt changes that would jeopardize the quality of the Guidelines.

I understand where you're coming from and respect the fact that you are 
trying to make Root Programs align, but the way you frame it doesn't 
align with the Forum's purpose nor its processes. For better or worse, 
each recommendation will have to go through the ballot process and get 
consensus to be voted. No Certificate Consumer can enforce changes to 
the Guidelines, at least with the current Bylaws.

>
>     I would personally feel very disappointed (as the CA/B Forum
>     Chair) if we were to re-purpose of the Forum to match the
>     statement at the beginning of this email.
>
>
> It's stated in the Bylaws, and precisely why the Forum has voluntary 
> participation. It's useful to have a central, public mailing list to 
> discuss this and get useful, actionable, data-driven feedback to 
> inform Root Programs.

I can't see the relevance of the Forum's voluntary participation to 
the feedback towards Root Programs. The Forum is open to Interested 
Parties that can join and contribute with ideas and improvements that 
the Root Programs or CAs didn't even consider. Of course it is voluntary 
just like most standards organizations.

Dimitris.

