[Servercert-wg] Displaying secure sites to Internet users

Ryan Sleevi sleevi at google.com
Fri Nov 15 11:56:01 MST 2019

On Fri, Nov 15, 2019 at 12:19 PM Christian Heutger <ch at psw.net> wrote:

> Hi,
>    - It's a bit confusing to suggestion "Encryption alone is just one
>    piece of the puzzle.". As noted with to others, if you'd like to
>    productively contribute, to offer new or useful insight, it might be useful
>    to sit down and define a problem.
>    - It should be noted that defining a problem is not about saying "You
>    don't use my solution". For example, saying "Corporate identity is not
>    displayed by browsers" is not a statement of a problem, it's a statement
>    that a preferred solution is not adopted. By being thoughtful, clear, and
>    concise about the problem to solve, we can then discuss the appropriate
>    approaches and technologies. It's important to remember that certificates
>    are not the only means of expressing identity, and TLS is not the only
>    means of delivering certificates, so we know that any discussion of
>    identity well exceeds what this Forum is qualified to discuss.
> Problem description is easy. The internet by design is an anonymous place.
> But if you like to do transactions via the anonymous internet (online
> shopping, online banking, providing privacy concerned data, …), identity
> would help to increase trust (and security as well, information security is
> been based on confidentiality, integrity and availability, but also
> authenticity, reliability, non-repudiation and accountability) to be sure,
> to whom you transfer your data, where you place your orders, where you try
> to login etc. Phishing is one of the strongest factor here, but also to
> prevent from cybercrime, e.g. being on a valid website of a valid company,
> public organization etc., which may be trustful to work with (or could use
> the information to check, if it’s trustful in your point of view). As e.g.
> whois data is now been hidden because of GDPR and similar privacy
> regulations (although you couldn’t rely on, as the data is not validated),
> it’s getting harder and harder to differentiate valid and trustful sites
> from phishing, scam and other ways of cybercrime. Phishing sites and
> cybercrime increase and look to be reliable by being encrypted and
> “secure”. Recent education of companies, organisations, … based on “look
> for https” which recently was a trust factor, time ago before DV, now it
> isn’t any more, as it lost validation (authenticity) factor. That’s the
> problem description. You need to look at noobs, not at internet
> professionals. You won’t be able to educate them on how to check the
> involving quality of phishing, scam (e.g. piracy sites) and cybercrime
> (e.g. “copied” valid webshops), check the website for any evidence of
> possible curiosities. It must be a solution, which can be adopted by many
> and trained with ease. Browser and platform independent.

This is an interesting essay, about a wide variety of topics unrelated to
certificates and the CA/Browser Forum, but it's unclear what you believe
the "problem statement" to be. I'm hopin you might be able to refine it

It might also be helpful to make sure it's historically accurate. For
example, "look for https" was never a trust factor, and the Forum's
archives make it clear that any suggestion of that was due to CAs
misleading and confusing their users.

In any event, hopefully that will encourage you to actually define the
problem to solve, which you can then discuss how your preferred solution

>    - Additionally, do you have any suggestions on how to ensure the
>    identities expressed in certificates today are reliable? We have ample
>    evidence that the information presently expressed in EV certificates cannot
>    be relied upon, and that the standards (such as the EV Guidelines) do not
>    provide the necessary or sufficient guidance to ensure the information is
>    reliable. It would be interesting to see proposals on that, based on the
>    lessons from the many CA misissuance events. If you're not familiar with
>    them, https://wiki.mozilla.org/CA/Incident_Dashboard is an excellent
>    collection of systemic issues, which have affected the majority of EV
>    certificate issuers (by volume and by reliance), and it'd be essential that
>    prior to any continued discussion of certificates, these issues be
>    comprehensively addressed. This seems like it will take multiple years, and
>    given that few (if any) CAs are stepping forward to systemically ensure
>    there's a consistent level of validation, so that relying parties can have
>    confidence, so it might be more productive to focus on that first. After
>    all, what's the point of discussing identity here in the Forum, if, as is
>    obviously demonstrated, the EV Guidelines does not provide any assurance
>    that CAs can be relied upon to validate it consistently and correctly
> Issues are from different point of view.

This is a very long response, but it's not clear to me you read the related
issues. I'm afraid much of what you said was unrelated, and so it's unclear
to find out how this relates. It sounds like you may not have any
suggestions for how CAs might better validate identity, which may further
the idea that CAs are poorly placed to validate identity, and that the EV
guidelines are woefully inadequate. There's always opportunities to discuss
something new, but that seems to further emphasize that the CA/Browser
Forum is hardly the place to do it, if many of the members don't have the
necessary technological skills to articulate a clear and consistent
identity validation process.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191115/59828eff/attachment.html>

More information about the Servercert-wg mailing list