[Servercert-wg] Ballot SC31 - Browser Alignment

Clint Wilson clintw at apple.com
Sat Jun 27 09:48:15 MST 2020

Hello all,

Broadly speaking, I agree and support the messages sent by Google and Mozilla. I think SC31 should proceed as written and I hope that it can find strong support and backing from CAs.
However, based on the feedback from CAs in this thread, I do have questions that I’m hoping will help me better understand the thoughts and opinions of CAs.
I think we have come to agreement on a few things, but I want to restate them here to ensure I’m not overly assuming :)
The WebPKI is not perfect statically nor dynamically, necessitating changes to how it operates at times.
Changes to the WebPKI should be discussed openly, weighing input from the varied stakeholders (both directly and indirectly) affected by such changes.
The CA/B Forum is a very good place for such discussions to occur and achieving consensus through the ballot process of the CA/B Forum is a valuable way to implement changes to the WebPKI.
In situations where a change is identified as profoundly important by a certificate consumer, but where initial consensus in the CA/B Forum is not achieved, it may be necessary for the certificate consumer to independently enforce that change through their root program.

A few of the things said here raise additional questions, to which I don’t have a clear understanding of the position of CAs. FWIW, I do have my own position, but at this point I’m more interested in where CAs stand.
If a change is requested within the CA/B Forum, but fails to pass during the ballot process, in what way(s) should that change be brought up in future CA/B Forum discussions or ballots? What, if any, are appropriate ways of revisiting changes represented in failed ballots?
In situations like described in #4 above, except instead of a single certificate consumer enforcing the identified change, it’s a majority or unanimous show of support reflected in independent changes to multiple root programs, what role does the CA/B Forum play in ensuring those root programs can rely upon participating CAs to adhere to their individual root program policies?

Thank you!

> On Jun 22, 2020, at 7:57 AM, Doug Beattie via Servercert-wg <servercert-wg at cabforum.org> wrote:
> Hi Chris,
> Yes, I agree.  There are some things that CAs and Browsers don’t always agree on.  CAs can document these in their CPS and the root programs can define them in their root policies.  This is one that should remain in the root policies for those programs that endorse this change.
> I like all of the other changes in this ballot and don’t want to see them held up unnecessarily. 
> Doug
> From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Chris Bailey via Servercert-wg
> Sent: Monday, June 22, 2020 10:44 AM
> To: servercert-wg at cabforum.org
> Subject: [Servercert-wg] Ballot SC31 - Browser Alignment
> There has been discussion for some time in the SCWG of a “browser alignment ballot” that would import certain rules from browser root programs to the Forum’s Baseline Requirements.  Entrust Datacard is generally in favor of such a ballot, but with certain limitations.
> The CA/Browser Forum was created in 2005 so that CAs and browsers could work together and agree on industry “best practices” by consensus.  We measure “best practices” consensus by our voting rules – no modification can be made to the Baseline Requirements unless it is approved by a majority of browser members and also by 2/3 of CA members.  
> Over the years, some browsers have modified their root program rules in ways that affects the ecosystem. We believe root program changes should work their way through the forum first so there is no need for later alignment of these rule changes with the BRs.
> With that introduction, we believe there are two limitations that should apply to any draft browser alignment ballot amending the BRs.
> 1. We should not include any browser root program rule in the ballot if it conflicts with policy of another browser root program. 
> 2.  In addition, an alignment ballot should not introduce controversial issues that have already been rejected in the Forum, but should only include non-controversial changes.  For this reason, we believe Ballot SC31 should not include Apple’s recent root program rule change reducing maximum certificate lifetimes from the present 825 days (as currently allowed by the BRs) to 398 days.  As you all remember, this same change to the BRs was proposed in late 2019 in Ballot SC22 and was highly controversial.  The ballot was unanimously approved by those browsers who voted, but failed by a large margin among CAs.
> In addition, at the time of Ballot SC22 it did not appear that the browsers gave any consideration to the concerns of an equally important part of the internet security ecosystem which would also be necessary to establish industry consensus on best practices – the website owners themselves, who are also important customers of the browsers.  Poll results from 3,850 website owners (including many enterprise website owners) conducted by three CAs showed that 82% of website owners oppose the reduction in the maximum certificate validity period to 398 days.  Many website owners asked at the time what security problems existed with two-year certificates that were solved by moving to one-year certificates and also asked for a cost-benefit analysis from the browsers, but no clear answer was ever provided to them.  
> In our opinion, browsers should not ignore the results of an unsuccessful ballot in the Forum, add the rejected provision to their root programs anyway, and then ask the Forum members to reverse their prior votes and add the rejected provision to the Forum’s best practices documents.  This would be setting a very bad precedent for collective decision-making for the future.
> For this reason, Ballot SC31’s proposed change to a 398-day maximum validity period does not represent consensus among CAs, website owners, and browsers.  This part of Ballot SC31 is not the type of browser root program rule change that should be included in a browser root program alignment ballot.  
> Entrust Datacard will not support Ballot SC31 if it includes this change to the maximum certificate validity period, and we respectfully ask the proposer and endorsers to remove that part of Ballot SC31 so we can vote for it.
> --                  
> Chris Bailey
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200627/1a540359/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3621 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200627/1a540359/attachment-0001.p7s>

More information about the Servercert-wg mailing list