[Servercert-wg] Ballot SC31 - Browser Alignment

Mon Jun 22 07:44:22 MST 2020

There has been discussion for some time in the SCWG of a “browser alignment ballot” that would import certain rules from browser root programs to the Forum’s Baseline Requirements.  Entrust Datacard is generally in favor of such a ballot, but with certain limitations.

The CA/Browser Forum was created in 2005 so that CAs and browsers could work together and agree on industry “best practices” by consensus.  We measure “best practices” consensus by our voting rules – no modification can be made to the Baseline Requirements unless it is approved by a majority of browser members and also by 2/3 of CA members.

Over the years, some browsers have modified their root program rules in ways that affects the ecosystem. We believe root program changes should work their way through the forum first so there is no need for later alignment of these rule changes with the BRs.

With that introduction, we believe there are two limitations that should apply to any draft browser alignment ballot amending the BRs.

1. We should not include any browser root program rule in the ballot if it conflicts with policy of another browser root program.

2.  In addition, an alignment ballot should not introduce controversial issues that have already been rejected in the Forum, but should only include non-controversial changes.  For this reason, we believe Ballot SC31 should not include Apple’s recent root program rule change reducing maximum certificate lifetimes from the present 825 days (as currently allowed by the BRs) to 398 days.  As you all remember, this same change to the BRs was proposed in late 2019 in Ballot SC22 and was highly controversial.  The ballot was unanimously approved by those browsers who voted, but failed by a large margin among CAs.

In addition, at the time of Ballot SC22 it did not appear that the browsers gave any consideration to the concerns of an equally important part of the internet security ecosystem which would also be necessary to establish industry consensus on best practices – the website owners themselves, who are also important customers of the browsers.  Poll results from 3,850 website owners (including many enterprise website owners) conducted by three CAs showed that 82% of website owners oppose the reduction in the maximum certificate validity period to 398 days.  Many website owners asked at the time what security problems existed with two-year certificates that were solved by moving to one-year certificates and also asked for a cost-benefit analysis from the browsers, but no clear answer was ever provided to them.

In our opinion, browsers should not ignore the results of an unsuccessful ballot in the Forum, add the rejected provision to their root programs anyway, and then ask the Forum members to reverse their prior votes and add the rejected provision to the Forum’s best practices documents.  This would be setting a very bad precedent for collective decision-making for the future.

For this reason, Ballot SC31’s proposed change to a 398-day maximum validity period does not represent consensus among CAs, website owners, and browsers.  This part of Ballot SC31 is not the type of browser root program rule change that should be included in a browser root program alignment ballot.

Entrust Datacard will not support Ballot SC31 if it includes this change to the maximum certificate validity period, and we respectfully ask the proposer and endorsers to remove that part of Ballot SC31 so we can vote for it.

--
Chris Bailey

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200622/ea26afad/attachment-0001.html>