[cabfpub] The purpose of the CA/B Forum

Robin Alden robin.alden at sectigo.com
Tue Oct 22 18:17:07 UTC 2019 

Ryan,

Referring back to Dimitris’s reference [1], i.e. your response to Stephan Wolf, I think he (Stephan Wolf) probably overstated the forum’s purpose somewhat, but your response goes too far in the opposite direction to be considered accurate 

 

Stephan Wolf said:

> > My understanding of the formation of the Forum was always about adopting

> > “best practices” by strong consensus of the CA and browser community,

> > acting cooperatively and by consensus.

 

Ryan Sleevi said:

> "The Forum provides a venue to ensure Browsers do not place conflicting requirements on CAs that voluntarily participate within the browsers root programs, by facilitating discussion and feedback.

> <snip>

> That is the sole and only purpose of the Forum. Any other suggestion is ahistorical and not reflected in the past or present activities."



I think Stephan’s statement could have said ‘developing’ instead of ‘adopting’, ‘better practices’ instead of ‘best practices’, and he would have been pretty close to the mark.  

 

I had to look up ‘ahistoric’ in a dictionary, since it is not a word in my vocabulary, and one of the two definitions Merriam-Webster says it is “historically inaccurate or ignorant”.

 

I accept that it could be the view of a representative from a browser that the only point of the forum is as “a venue to ensure Browsers do not place conflicting requirements on CAs”.

However, if the other members of the forum are of the opinion that there is value in the activity of developing, not just receiving, even minimum requirements that may be used to raise the bar in the Web PKI, and especially if there are other parties within or without the forum that consider those minimum requirements as being worthy of adoption or formalization within their use of PKI, for the web or elsewhere, then that gives the forum purpose beyond the resolution of conflicting requirements and therefore your view of the forum is not accurate from the wider perspective.

 

Regards
Robin Alden

Sectigo Limited

 

From: Public <public-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Public
Sent: 21 October 2019 19:02
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] The purpose of the CA/B Forum

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 

 

 

On Mon, Oct 21, 2019 at 1:48 PM Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr <mailto:dzacharo at harica.gr> > wrote:

I see a conflict because the statement considers a different purpose than what is described in section 1.1 of the Bylaws. I was also surprised ("shocked" might better describe it) to read that any other purposes are "ahistorical", and see this statement being directed to a new Interested Party who just recently joined the Server Certificate Working Group.

 

Again, I want to emphasize, you're conflating an informative statement of fact - what the Forum has done in the past - with a statement of purpose, what the Forum does or will do. I can understand that this confusion exists, but it's not a conflict. It's further ahistorical is that while the Forum may have done X in the past, it no longer does those things in the section you cited! You'll recall that the Processing of EV SSL Certificates was not adopted as a continued Forum work item, precisely because it was seen as inappropriate for the Forum.

 

I agree with all three. I have also been pointing out these three elements in every presentation related to the Forum :-) However, the fact that the Forum:

*	is voluntary
*	does not define "Root Program Policy" and 
*	does not "enforce" nor "supervise" the CAs, 

are not related to the purpose of the Forum. You can say the same thing about IETF or other STOs. The CA/B Forum is a consensus driven STO that produces guidelines. How these guidelines are used is a different topic. We know for a fact that they are used as input for two International Standards, ETSI and WebTrust. Who knows how many other government or private sector areas are using the CA/B Forum's work product to define their policies.

 

Did you mean Standards Defining Organization (SDO)? It's unclear what you mean by STO.

 

You're correct that we could certainly look to make the CA/Browser Forum as ineffective as, say, the CA Security Council, and just as captured. However, it would simply mean that the CA/Browser Forum requirements no longer reflect or align with Root Program requirements, Root Programs would abandon the WebTrust and ETSI documents (as has been discussed in the past and is a /very real/ possibility), and develop their own auditing standards, to directly oversee. This is important to understand that the only value - and legitimacy - that the Forum has is not in producing the Guidelines, but in providing a venue for discussion. The Guidelines utility is certainly in providing input to audit criteria that can be developed, but it's important to recognize that the only utility in the development in that audit criteria is when they're accepted - i.e. by browsers.

 

Many other organizations /reject/ the CA/B Forum's work precisely because it's not aligned with their security or disclosure requirements. For good reason - the BRs are incomplete!

 

I will let others state their opinion and comment about this. I, for one, disagree. 

Although the CA/B Forum takes input from its Members (Issuers and Consumers), it has a consensus-driven process. This means that if a CA or a Browser proposes an unreasonable or insecure change to the Forum's Guidelines, it will need 2/3 of CAs and majority of Browsers to enter the Guidelines.

If a new Certificate Consumer with completely ridiculous "My Program Requirements" joins the Forum, the Forum is not forced by anyone to adopt changes that would jeopardize the quality of the Guidelines.

I understand where you're coming from and respect the fact that you are trying to make Root Programs align, but the way you frame it, doesn't align with the Forum's purpose nor its processes. For better or worse, each recommendation will have to go through the ballot process and get consensus to be voted. No Certificate Consumer can enforce changes to the Guidelines, at least with the current Bylaws.

 

I think we're in more agreement than you realize. It's certainly true that the Forum adoption to the Baseline Requirements is a consensus-driven process. However, to the extent those documents diverge from real use, they simply cease to be valuable as input - for the audit criteria or for the Root Program.

 

And I think that's an essential point that your message both fails to capture and arguably denies - it suggests the Forum has value outside of the Root Programs that consume its inputs. If it no longer has value, Root Programs won't consume it. If Ballots are rejected, Root Programs can and should go above it.

 

The BRs, as they stand, have no value outside of Root Programs' requiring them (or more aptly, accepting the audits derived from them).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20191022/3e887a1e/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5711 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20191022/3e887a1e/attachment-0003.p7s>

More information about the Public mailing list