[Servercert-wg] Ballot SC31 - Browser Alignment

Paul Walsh paul at metacert.com
Thu Jul 2 16:03:20 MST 2020 

In line…

[lots of snipping throughout]

Irrespective of any responses that my email might attract, I won’t reply because I don’t want to take oxygen out of the conversation. I’m just an interested party. I typically get private messages, which are always welcome and appreciated.

I have dyslexia so I apologize for spelling mistakes. And I have a moderate ADHD, so I apologize for not focusing on my spelling mistakes. 


> CAs are like factories that produce physical goods. They contract with a customer (the Browser), to produce a good according to the customer's specifications. The customer wants to supervise production, because it's their reputation and their customers that are harmed if, say, the factory uses lead-based paint or produces shoddy products. The customer wants to make sure that all of the raw materials they supply to that factory are used to producing their goods, and aren't siphoned off to produce knock-offs or to produce other customers' goods.

[PW] This is not correct. And I’d like to explain why because I think it gets to the heart of the problem we see in regards to our communications and the lack of appreciation for opposing opinions. It’s all about mindset and how we perceive intent.
Without consumers, there’s no work for anyone here - we could all go home, oh wait… :)
Website owners want their consumers to be safe, so they buy a product (DV) and/or a service (EV) from CAs. Some will buy them because they don’t want to be shamed with “Not Secure”, but I digress.
Browsers do one thing - they facilitate access to the web for consumers. They are a “broker” between consumers, website owners and search engines. The only customers that browsers have, are search engines that pay for product placement. This might explain the close relationship between Google and Mozilla. 
CAs *gift* their certificate info to browsers, so they can keep consumers safe. Lucky for Browsers, they don’t have to pay CAs for this important service. Either CAs charge site owners and give Browser vendors a free service, or they offer website owners a free service and charge Browser vendors. Nothing in this world is free, unless you have an ad business model.
DV is all about consumer privacy. Right? CAs are the ones making DV possible. Interestingly, browsers don't agree when it comes to actual privacy that really impacts internet safety - they all compete with their privacy/tracking related settings as the only differentiator. I love it because it benefits consumers. But the irony is shocking.

Browsers are extremely important to CAs for obvious reasons. And browsers have the right, obviously, to mandate requirements of CAs. 

I’m talking about a mindset of respect and appreciation for each others part in this movie. Some will agree and some will disagree. The fact is, I’m neither right nor wrong. Each of us can either have this mindset or not. Imagine if we conversed with each other with this mindset though. It couldn’t do any harm.

Everyone has selfish motivates, so the trick is to help each other succeed with their selfish motives so everyone benefits. 

“You're the supplier and I’m the customer” are words that respectful customers never use in my experience.

> Put differently: If certificates were only valid for 7 days, then the full and prompt replacement of every one of those intermediates posing security risk would be completed, on time, and without any issues. Every day longer that a certificate is valid for only serves to increase the impact of that revocation, thus incentivizing the CA to fail to meet their contractual obligations, and thus worsening or exacerbating the security impact to browsers and end users. This should be trivial to scratch out on paper and see how it works out.

[PW] We can install speed bumps every 5 feet on a busy street to reduce the risk of speeding cars knocking down pedestrians. But the goal is to find a balance between cost vs reward. The same is true for cybersecurity. Until the cost vs reward is measured, you can’t possibly know if you’re making the right decisions or not.

I have a whacky suggestion...

Why don’t all the mainstream browser vendors start a private group where they can discuss and agree on a list of things that all CAs must do and not do, as well as a list of things that are important but not mandated. Then, furnish all CAs with finalized requirements in a single cohesive way. This private group could invite “industry experts” that include some CA reps if they are interested in their input. You could call it the “Browser Forum”.

Alternatively, each browser vendor could do this internally and then articulate their requirements to CAs so there’s no ambiguity. Some browser vendors do this already. Telling people that the requirements are straightforward doesn’t make them straightforward. And if many people say they are not, it means they are not. 

Separately, everyone can come together in a forum (for arguments sake, let’s call it the CA/Browser Forum) where Browser vendors are invited to discuss industry best practices while also facilitating help and support for what is mandated via their group initiative. This would mean that the CA/Browser forum would never be a place for anything that is mandated. There would be zero power play. 

The single biggest hurdle to collaboration that I see here is the power that one party holds over the other - whether intentional or not - it’s here. 

Just a thought ;)

- Paul



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200702/08b3e933/attachment-0001.html>

More information about the Servercert-wg mailing list