[cabfpub] Fwd: Re: [EXTERNAL] The purpose of the CA/B Forum

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Oct 21 18:24:22 UTC 2019


Forwarding on behalf of Phil.



-------- Forwarded Message --------
Subject: 	Re: [cabfpub] [EXTERNAL] The purpose of the CA/B Forum
Date: 	Mon, 21 Oct 2019 14:21:43 -0400
From: 	Phillip Hallam-Baker <phill at hallambaker.com>
To: 	Kirk Hall via Public <public at cabforum.org>
CC: 	Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>, Dimitris Zacharopoulos <jimmy at it.auth.gr>



[I am not able to send to the list, this may be forwarded should you choose]

As one of the two people who called the meeting that led to the creation 
of CABForum, I can confirm that Dimitris is correct.

There is however another much more important reason for representatives 
whose companies operate root key programs to avoid making threats: The 
operation of CABForum is subject to US and EU anti-trust law. This was 
of course a major concern for Microsoft at the time CABForum was being 
formed.

I recently had to point out to one root key program operator that they 
should run a proposed internal ballot through their internal lawyers, 
as they would face an obvious anti-trust challenge if they allowed it to 
go ahead.

It would probably be wise for all parties operating root programs to 
note that there are storms brewing in Washington as well as Brussels. 
And not just in one party.

On Mon, Oct 21, 2019 at 1:09 PM Kirk Hall via Public <public at cabforum.org> wrote:

    +1 Dimitris.  As the immediate past Chair of the Forum and someone
    involved in creating the Forum in 2005, your analysis below is correct.

    *From:* Public <public-bounces at cabforum.org> *On Behalf Of *Dimitris
    Zacharopoulos via Public
    *Sent:* Monday, October 21, 2019 8:54 AM
    *To:* public at cabforum.org
    *Subject:* [EXTERNAL][cabfpub] The purpose of the CA/B Forum


    ------------------------------------------------------------------------


    Dear CA/B Forum Members,

    Recent posts [1], [2] were brought to my attention with a statement
    from a representative of a Certificate Consumer Member who believes
    that the role of the Forum is the following:

    "The Forum provides a venue to ensure Browsers do not place
    conflicting requirements on CAs that voluntarily participate within
    the browsers root programs, by facilitating discussion and feedback.
    This allows interoperability among the Web PKI space, which refers
    to the set of CAs within browsers, and thus allows easier
    interoperability within browsers. Prior to the Forum, it was much
    easier to see this reflected in the private arrangements between CAs
    and browsers. If different browsers had different requirements, CAs
    would have to act as the intermediary to identify and communicate
    those conflicts. Similarly, browsers had to spend significant effort
    working to communicate with all of the CAs in their programs, often
    repeatedly answering similar questions. By arranging a common
    mailing list, and periodic meetings, those barriers to communication
    can be reduced.


    That is the sole and only purpose of the Forum. Any other suggestion
    is ahistorical and not reflected in the past or present activities."


    We should not interpret silence as consent for such statements that
    can create misunderstandings. I put a lot of thought before posting
    this message because I represent a CA but I was also voted as Chair
    to ensure the Bylaws are followed. I personally don’t agree with
    that view of the purpose of the Forum (or the statement that any
    other suggestion is ahistorical), and I think other members disagree
    as well. As Chair of the Forum, I feel obligated to share some
    thoughts and my perspective about the purpose of the Forum.

    When I first learned about the CA/B Forum and started receiving the
    public list emails, I was thrilled with the level of engagement,
    participation and contributions of industry leaders in the
    publicly-trusted certificate sector. Industry leaders, that made
    SSL/TLS and Code Signing Certificates known and usable around the
    Globe in order to secure communications and code execution, were
    voluntarily contributing with their valuable technical and
    operational experience. When critical incidents occurred that
    affected a large part of the webPKI, industry leaders freely shared
    their internal security policies/practices, so that others could
    publicly evaluate and use them. When it was decided for Domain
    Validation methods to be disclosed, Certificate Issuers disclosed
    their methods and the less secure methods were identified and
    removed. Some of the Forum's popular projects, such as the EV
    Guidelines and the Network Security Requirements, were driven by
    Certificate Issuers and were not directly linked to Certificate
    Consumer's Root program policies; they are now required by Root
    programs. This industry continues to improve Guidelines and overall
    security by continuously raising the security bar. It is natural for
    Certificate Consumers to lead and push for stricter rules but
    Certificate Issuers also participate in these discussions and
    contribute with ideas. These contributions are not made "to make
    Browsers happy" but to improve the overall security of the ecosystem.

    Mistakes happened, CAs were distrusted but that has nothing to do
    with the CA/B Forum. We are not here at the Forum to judge how CAs
    complied or not to the Guidelines or how strict or not the Browser
    decisions were. In my understanding these are out of CA/B Forum
    scope discussions. To my eyes, every contribution to the Forum is
    done in good faith, reviewed by some of the world's most talented
    and competent people I know and they are accepted into the work
    product of the Forum, which is our Guidelines. It is also very clear
    that our Guidelines need continuous improvements and it is very
    possible that some requirements are misinterpreted. We are here
    to remove ambiguities and make these requirements as clear as possible.

    I have no doubt that the CA/B Forum serves the "undocumented"
    purpose of aligning requirements between Certificate Consumer
    Policies, although it is not stated in the Forum's Bylaws. Perhaps
    this is how things started with the Forum. I don't know, I wasn't
    there :) But I believe things have evolved. I strongly believe that
    the CA/B Forum is an earnest effort by the publicly-trusted
    certificate industry to *self-regulate* in the absence of other
    National or International regulatory Authorities. These efforts to
    self-regulate exceed the purpose for Root Programs to align. After
    all, if that was the sole and only purpose, it might as well have
    been the "Browser Forum" where Browsers meet, set the common rules
    and then dictate CAs to follow these rules. I believe the Forum is
    more than that.

    It is fortunate that we are given the opportunity to take a step
    back and re-check why we are all here. I can only quote from the
    Bylaws (emphasis mine):

    "1.1 Purpose of the Forum

    The Certification Authority Browser Forum (CA/Browser Forum) is a
    voluntary gathering of leading Certificate Issuers and vendors of
    Internet browser software and other applications that use
    certificates (Certificate Consumers).

    Members of the CA/Browser Forum have worked closely together in
    defining the guidelines and means of *implementation for best
    practices as a way of providing a heightened security for Internet
    transactions and creating a more intuitive method of displaying
    secure sites to Internet users*."

    I read this purpose as an "unofficial" agreement between Certificate
    Issuers and Certificate Consumers to improve security for internet
    transactions AND to create a more intuitive method of displaying
    secure sites to internet users. I have only been involved in the
    Forum for the last couple of years and although I see a lot of
    effort to improve security policies/practices (as demonstrated in
    all the updates of the BRs, EVGs, NetSec guidelines), there are no
    documented efforts for the purpose of creating a more intuitive
    method of displaying secure sites to Internet users.

    Setting this aside, I believe we either need to agree that the
    purpose of the Forum, as described in the Bylaws, is incorrect and
    update the Bylaws, or to take a step back and consider all that the
    Forum has accomplished over the last years with the Contributions of
    its Members, Associate Members, Interested Parties, even
    non-Members, and work collaboratively, in good faith to make further
    progress.

    Looking back at my notes during a presentation at the F2F 46 meeting
    in Cupertino, I mentioned:

    "Forum members should exercise their participation in a neutral way
    as much as possible. We are here to create and improve guidelines
    and we need to be able to do that with more participation and
    consensus. Some members feel “exposed” during Forum discussions. All
    members must have a more “neutral” behavior in the CA/B Forum
    discussions around guidelines. We welcome more contributions from
    Certificate Issuers in order to understand real cases and improve
    overall security". I do not recall hearing any objections to this
    statement, but that was perhaps because members were very polite :-)

    I'm afraid this cannot be achieved if Certificate Consumer Members
    continuously bring their "guns" (i.e. Root Program Requirements) in
    CA/B Forum discussions. I would expect these "guns" to be displayed
    and used in the independent Root Program venues and not the CA/B Forum.

    I would personally feel very disappointed (as the CA/B Forum Chair)
    if we were to re-purpose the Forum to match the statement at the
    beginning of this email. In any case, I would like to give the
    opportunity for members to publicly express their opinion about the
    purpose of the Forum and especially the Server Certificate Working
    Group. I also understand and respect if some Members are reluctant
    to publicly state their opinion.


    Dimitris.
    CA/B Forum and Server Certificate Working Group Chair

    [1] https://cabforum.org/pipermail/validation/2019-September/001326.html
    [2] https://cabforum.org/pipermail/servercert-wg/2019-October/001171.html

