[Servercert-wg] Ballot SC31 - Browser Alignment

Ryan Sleevi sleevi at google.com
Thu Jul 2 16:19:47 MST 2020

On Thu, Jul 2, 2020 at 7:03 PM Paul Walsh <paul at metacert.com> wrote:

> [PW] This is not correct. And I’d like to explain why because I think it
> gets to the heart of the problem we see in regards to our communications
> and the lack of appreciation for opposing opinions. It’s all about mindset
> and how we perceive intent.

The framing you offer isn't correct either, and that's easily demonstrated
by support for alternative means of delivering keys (e.g. DANE) that don't
require the use of CAs. CAs exist as service providers for browsers, the
same way they exist as service providers for, say, the USB-IF, or for Drone
PKI, or for eIDAS, or countless others.

I'm not sure how to simplify this any further, other than you can see
plenty of uses of PKI that don't require the use of third parties.
Consider, for example, what a CA is: a certification authority. Their
responsibility is to act as an RA, to validate some information, and to
issue a certificate that certifies this information. "Anyone" can do this,
and from the very first introduction of X.509v3, it was all about
establishing relationships between parties to delegate to them the
responsibility to certify these things. I am, admittedly, ignoring the ITU
DAP, because everyone rightfully does.

> “You're the supplier and I’m the customer” are words that respectful
> customers never use in my experience.

I don't know what your experiences are, but businesses every day remind
their suppliers of the contractual obligations. It's the same with any RFP
from multiple suppliers: the supplier doesn't get to dictate what the terms
are for the RFP. The answer is "Thanks for your feedback, this is useful"
and either it's incorporated or the answer is "We respect your position,
but we won't be going forward with you as a supplier at this time".

> Why don’t all the mainstream browser vendors start a private group where
> they can discuss and agree on a list of things that all CAs must do and not
> do, as well as a list of things that are important but not mandated. Then,
> furnish all CAs with finalized requirements in a single cohesive way. This
> private group could invite “industry experts” that include some CA reps if
> they are interested in their input. You could call it the “Browser Forum”.

That's just Option 1, at

> Alternatively, each browser vendor could do this internally and then
> articulate their requirements to CAs so there’s no ambiguity. Some browser
> vendors do this already. Telling people that the requirements are
> straightforward doesn’t make them straightforward. And if many people say
> they are not, it means they are not.

That's just Option 4, at

> The single biggest hurdle to collaboration that I see here is the power
> that one party holds over the other - whether intentional or not - it’s
> here.

This has been true of the Forum since its existence, and CAs have continued
to chafe through their own misguided assumptions about the value of the
Forum, and the attempt to impose requirements on the browsers.

The Forum has, to date, been hugely valuable for collaborating and
improving things. No one is dismissing that CAs play a vital role in
providing useful feedback and detailed review for well-intentioned, but
sometimes poorly worded, requirements. That's not disputed at all. But
ultimately, the relationship is what it is, and it can be replaced through
a myriad of ways. Again, look at DANE as a viable alternative that obviates
the need entirely for CAs. Or look at Code Signing, where the vast majority
of Code Signing certificates in use are first-party issued (whether for
protecting hardware or for protecting software). Look at models like USB-IF
or the Wireless Power Alliance or Drone ID, in which a single CA is chosen
to act as supplier for certificates. Or, for that matter, look at Tor, in
which the name and the key are linked.

The Web is not meaningfully distinct from any of these solutions, they're
all viable. We have the system we have because of convenience, but when the
cost of progress exceeds that convenience, of course technology moves on.
It's no different than if a manufacturer starts manufacturing shoddy or
counterfeit products: they lose customers. And manufacturers that refuse to
invest in improvements, to improve the safety of the products and to stop
using, say, the lead-based paint that is a 2y cert, folks find other
suppliers that won't tarnish the brand, the reputation, and the safety of