[cabfpub] The purpose of the CA/B Forum

Ryan Sleevi sleevi at google.com
Mon Oct 21 16:19:15 UTC 2019


On Mon, Oct 21, 2019 at 11:54 AM Dimitris Zacharopoulos via Public <
public at cabforum.org> wrote:

>
> Dear CA/B Forum Members,
>
> Recent posts [1], [2] were brought to my attention with a statement from a
> representative of a Certificate Consumer Member who believes that the role
> of the Forum is the following:
>
> "The Forum provides a venue to ensure Browsers do not place conflicting
> requirements on CAs that voluntarily participate within the browsers root
> programs, by facilitating discussion and feedback. This allows
> interoperability among the Web PKI space, which refers to the set of CAs
> within browsers, and thus allows easier interoperability within browsers.
> Prior to the Forum, it was much easier to see this reflected in the private
> arrangements between CAs and browsers. If different browsers had different
> requirements, CAs would have to act as the intermediary to identify and
> communicate those conflicts. Similarly, browsers had to spend significant
> effort working to communicate with all of the CAs in their programs, often
> repeatedly answering similar questions. By arranging a common mailing list,
> and periodic meetings, those barriers to communication can be reduced.
>
> That is the sole and only purpose of the Forum. Any other suggestion is
> ahistorical and not reflected in the past or present activities."
> <SNIP>
> It is fortunate that we are given the opportunity to take a step back and
> re-check why we are all here. I can only quote from the Bylaws (emphasis
> mine):
>
> "1.1 Purpose of the Forum
>
> The Certification Authority Browser Forum (CA/Browser Forum) is a
> voluntary gathering of leading Certificate Issuers and vendors of Internet
> browser software and other applications that use certificates (Certificate
> Consumers).
>
> Members of the CA/Browser Forum have worked closely together in defining
> the guidelines and means of *implementation for best practices as a way
> of providing a heightened security for Internet transactions and creating a
> more intuitive method of displaying secure sites to Internet users*."
>

Dimitris,

I don't believe there is the conflict you suggest between the statement and
the bylaws.

I think we're in agreement that the CA/Browser Forum is voluntary.
I think we're in agreement that the CA/Browser Forum does not, nor has it
ever, defined Root Program Policy.
I think we're in agreement that the CA/Browser Forum does not, nor has it
ever, "enforced" any action upon CAs.

I think this is much clearer if you continue quoting from the Bylaws.
Indeed, the two sentences that immediately follow, emphasis mine, highlight
this:

1.2 Status of the Forum and the Forum Activities
The Forum has no corporate or association status, but is *simply a group of
Certificate Issuers and Certificate Consumers that communicates or meets
from time to time to discuss matters of common interest relevant to the
Forum's purpose. The Forum has no regulatory or industry powers over its
members or others.*

> I read this purpose as an "unofficial" agreement between Certificate
> Issuers and Certificate Consumers to improve security for internet
> transactions AND to create a more intuitive method of displaying secure
> sites to internet users.
>

No. It's a statement about what the Forum has done in the past. If you
continue reading, you will find out what the Forum does. It merely
discusses.


> I'm afraid this cannot be achieved if Certificate Consumer Members
> continuously bring their "guns" (i.e. Root Program Requirements) in CA/B
> Forum discussions. I would expect these "guns" to be displayed and used in
> the independent Root Program venues and not the CA/B Forum.
>

While I can understand if you're unhappy to discuss Root Program
Requirements, I think it belies a fundamental misunderstanding of the Forum
and the Baseline Requirements.

Recall: PKI was designed to allow different communities - i.e. different
browsers - to define different policies, profiles, and practices for the
CAs that participate in their different PKIs. The Microsoft PKI is distinct
from the Google PKI is distinct from the Mozilla PKI, each of which has
those vendors as the Root of Trust, signing a Trust List for use within
their products, based on their product security requirements.

Conceptually, each of these PKIs define their own profiles and practices
(the Root Program Requirements) and define their own means of assessing
(e.g. Mozilla distrusting certain auditors, Microsoft allowing certain
auditors). The Forum exists to allow for interoperability between these
distinct PKIs. The Baseline Requirements serve as a means of expressing a
common set of requirements, in order to reduce the need of obtaining a
distinct Microsoft audit or a distinct Mozilla audit, which are entirely
plausible scenarios.

Thus, it's inherent that the /only/ value of useful discussion to be had is
with respect to Root Program Requirements. It's also the opportunity for
CAs to provide input and insight into these requirements, to understand
what practical impact might be had, and whether that's desirable or
undesirable - by the Root Program.

Put simply, if folks don't want to discuss Root Program Requirements, then
there's no point in continuing the Forum itself. If the Forum is not the
venue to discuss that, then we can simply use the existing methods that
Root Programs use to gather feedback and input from their participants - CA
communications directly to program participants, and collaborative
discussion within SDOs relevant to browser activities (e.g. WHATWG/W3C).
There's no need for the Forum to continue to exist, because it would
literally not be solving any problem or providing any benefit.

That seems extreme, and certainly presents it as "us v them", which is an
unfortunate viewpoint. However, it's inherent that the choice in
administering the set of trusted CAs is going to be a product security
decision, defined by product-specific capabilities and product-specific
priorities, and that's not something that can or should generalize. PKI was
precisely designed not to have this "one size fits all" mentality, but to
support the notion of many small islands, sometimes with overlap and
interoperability. We do not chuff at the fact that the Nuclear Power Grid
uses a different PKI than, say, a departmental e-mail server, nor should we
- it's simply a tool and technology to solve a problem. To the extent
browsers care about interoperability, it's useful to have a place to
discuss different, potentially conflicting, requirements. To the extent CAs
can provide useful and valuable feedback about the implications of
potential changes, it's useful to discuss. But that's it.

> I would personally feel very disappointed (as the CA/B Forum Chair) if we
> were to re-purpose the Forum to match the statement at the beginning of
> this email.
>

It's stated in the Bylaws, and precisely why the Forum has voluntary
participation. It's useful to have a central, public mailing list to
discuss this and get useful, actionable, data-driven feedback to inform
Root Programs.