[cabfpub] The purpose of the CA/B Forum

[Ryan Sleevi]

On Mon, Oct 21, 2019 at 1:48 PM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

> I see a conflict because the statement considers a different purpose than
> what is described in section 1.1 of the Bylaws. I was also surprised
> ("shocked" might better describe it) to read that any other purposes are
> "ahistorical", and see this statement being directed to a new Interested
> Party who just recently joined the Server Certificate Working Group.
>

Again, I want to emphasize, you're conflating an informative statement of
fact - what the Forum has done in the past - with a statement of purpose,
what the Forum does or will do. I can understand that this confusion
exists, but it's not a conflict. It's further ahistorical is that while the
Forum may have done X in the past, it no longer does those things in the
section you cited! You'll recall that the Processing of EV SSL Certificates
was not adopted as a continued Forum work item, precisely because it was
seen as inappropriate for the Forum.


> I agree with all three. I have also been pointing out these three elements
> in every presentation related to the Forum :-) However, the fact that the
> Forum:
>
>    - is voluntary
>    - does not define "Root Program Policy" and
>    - does not "enforce" nor "supervise" the CAs,
>
> are not related to the purpose of the Forum. You can say the same thing
> about IETF or other STOs. The CA/B Forum is a consensus driven STO that
> produces guidelines. How these guidelines are used is a different topic. We
> know for a fact that they are used as input for two International
> Standards, ETSI and WebTrust. Who knows how many other government or
> private sector areas are using the CA/B Forum's work product to define
> their policies.
>

Did you mean Standards Defining Organization (SDO)? It's unclear what you
mean by STO.

You're correct that we could certainly look to make the CA/Browser Forum as
ineffective as, say, the CA Security Council, and just as captured.
However, it would simply mean that the CA/Browser Forum requirements no
longer reflect or align with Root Program requirements, Root Programs would
abandon the WebTrust and ETSI documents (as has been discussed in the past
and is a /very real/ possibility), and develop their own auditing
standards, to directly oversee. This is important to understand that the
only value - and legitimacy - that the Forum has is not in producing the
Guidelines, but in providing a venue for discussion. The Guidelines utility
is certainly in providing input to audit criteria that can be developed,
but it's important to recognize that the only utility in the development in
that audit criteria is when they're accepted - i.e. by browsers.

Many other organizations /reject/ the CA/B Forum's work precisely because
it's not aligned with their security or disclosure requirements. For good
reason - the BRs are incomplete!


> I will let others state their opinion and comment about this. I, for one,
> disagree.
>
> Although the CA/B Forum takes input from its Members (Issuers and
> Consumers), it has a consensus-driven process. This means that if a CA or a
> Browser proposes an unreasonable or insecure change to the Forum's
> Guidelines, it will need 2/3 of CAs and majority of Browsers to enter the
> Guidelines.
>
> If a new Certificate Consumer with completely ridiculous "My Program
> Requirements" joins the Forum, the Forum is not forced by anyone to adopt
> changes that would jeopardize the quality of the Guidelines.
>
> I understand where you're coming from and respect the fact that you are
> trying to make Root Programs align, but the way you frame it, doesn't align
> with the Forum's purpose nor its processes. For better or worse, each
> recommendation will have to go through the ballot process and get consensus
> to be voted. No Certificate Consumer can enforce changes to the Guidelines,
> at least with the current Bylaws.
>

I think we're in more agreement than you realize. It's certainly true that
the Forum adoption to the Baseline Requirements is a consensus-driven
process. However, to the extent those documents diverge from real use, they
simply cease to be valuable as input - for the audit criteria or for the
Root Program.

And I think that's an essential point that your message both fails to
capture and arguably denies - it suggests the Forum has value outside of
the Root Programs that consume its inputs. If it no longer has value, Root
Programs won't consume it. If Ballots are rejected, Root Programs can and
should go above it.

The BRs, as they stand, have no value outside of Root Programs' requiring
them (or more aptly, accepting the audits derived from them).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20191021/d4c88f2d/attachment-0003.html>