[Servercert-wg] Ballot SC23: Precertificates

Ryan Sleevi sleevi at google.com
Thu Oct 24 06:59:04 MST 2019


On Wed, Oct 23, 2019 at 10:59 PM Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Can you elaborate on this? What makes it bad?
>

Isn't this continuing the "Why not?" and trying to place the burden that
"Everything should be allowed, that which is not forbidden?"

This is the mindset that I think is detrimental, and why I suggested it's
productive if we can articulate why. Why is a localityName valuable in a CA
certificate? Why is an organizationIdentifier useful in a CA certificate?

In case it feels like deflecting, this is the same consistent position I
stated in
https://cabforum.org/pipermail/servercert-wg/2019-October/001154.html and
reiterated in
https://cabforum.org/pipermail/servercert-wg/2019-October/001178.html .
It's the thing that remains unanswered.

Yes, this means I'm not directly answering your question; I promise I will,
if folks advocating can explain the positive tradeoffs. What I'm trying to
avoid, and why I'm knowingly not answering this question, is because I
think it sets us up for the wrong discussion. An articulation about "why
not" means that we don't get any clearly articulated "Why" (and the
benefits), and that they're rather implicitly assumed to be a priori good.
It sets the discussion up for CAs saying "These tradeoffs aren't that bad",
but they're tradeoffs they don't have to bear, and so it's much harder to
meaningfully discuss. Knowing this pattern has been an issue to productive
discussion, for years, I'm more mindful of it and less willing to engage
here until we can get some of the positives clearly articulated.

Having a position in which it's articulated "Here's what is good, and
here's the thing that will be lost if we don't allow it" allows for a
clearer accounting of the tradeoffs, rather than ratholing on whether the
negatives are "all that bad", especially when they're (from a CA
perspective) negative externalities. While I have no doubt that CAs are
best positioned to understand their customer needs, we know and continue to
see issues understanding the expectations, the ecosystem impact of various
decisions, or the execution of requirements, and so I'd rather learn from
them the good than try and debate the misunderstood bad.

I realize how dissatisfying an answer this is, because it totally avoids
your question. I can commit that if folks can articulate the why, on a
field-by-field basis, I can and will engage. But I don't want to jump
forward into discussing the tradeoffs until at least a clear and cogent
case has been made. If we assume things are not zero-cost, what would the
case be for each of these fields? We don't have to debate what that cost
is, or the magnitude of it, until we actually know what the benefits are.
