[cabfpub] Ballot 105 Technical Constraints for Subordinate Certificate Authorities yielding broader and safer PKI adoption.

Steve Roylance steve.roylance at globalsign.com
Fri Jul 19 07:08:00 UTC 2013


Hi Man Ho.

Please see ballot 100 discussions for details and replies. 

I reached out 18 months ago on this subject to ask people to liaise with other parties and was stopped, so now it seems strange to have people suggest we do this on the back of a vote to help a proportion of the community who have taken so actions.

I suggest we approve the wording and then discuss the issues in the next call as there will be some CAs that did not make the 1st August deadline for OCSP but they should have spoken up when Ballot 100 was discussed.

Sent from my iPhone

On 19 Jul 2013, at 03:08, "Man Ho (Certizen)" <manho at certizen.com> wrote:

> [I am operating a public CA in Hong Kong.]
> 
> Tom and Kelvin have a point. We rely very much on third-party software products such as Microsoft to run our services. If this ballot is rushed to vote only for benefits of CAB Forum member CAs who had implemented proprietary OCSP responders, will it in fact cause some other publicly trusted root CAs to be removed from the trust list of browsers?
> 
> Will CAB Forum do a study on how many trusted root CAs can support it?
> 
> 
> Man Ho
> 
> 
> On 7/19/2013 9:32 AM, Kelvin Yiu wrote:
>> [I am filling in for Tom while he is enjoying some well-deserved time off.]
>>  
>> It is unfortunate that ballot 105 combined the OCSP issue with the clarification of audit requirements for subCAs. If one of the goals of ballot 105 is to provide some “breathing space” to the August deadline on the OCSP issue, then it must address the OCSP problem for all CAs, not just those who are able to take advantage of name constraints.
>>  
>> I think it is great that the CAB Forum is driving the use of name constraints to reduce the burden for many customers who manage a stable set of domains and reduce the risks for the entire PKI eco-system. It is even more important for the CAB Forum to produce guidelines that can be fairly applied to all CAs, even when there is an arbitrary self-imposed deadline looming over us.
>>  
>> Kelvin
>>  
>>  
>>  
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Steve Roylance
>> Sent: Thursday, July 18, 2013 2:39 PM
>> To: Stephen Davidson
>> Cc: Rick Andrews; public at cabforum.org
>> Subject: Re: [cabfpub] Ballot 105 Technical Constraints for Subordinate Certificate Authorities yielding broader and safer PKI adoption.
>>  
>> Hi Tom. 
>>  
>> I agree with Stephen that we need to let 105 run its course and amend the wording now, as a number of enterprise CAs will immediately fail to deliver on the BR requirements (fully) come August 1st, yet they've been willing to limit their domain exposure through name constraints.
>>  
>> I'm fully behind additional language tweaks above and beyond this ballot to help, and as you recall I was an advocate of reaching out to CA platform and OCSP providers 18 months ago, as all these companies have a vested interest to be members of the CABForum.
>>  
>> Let's get this Ballot implemented and then discuss at length what makes sense for the industry at large. There are so many moving parts with CRLs, OCSP stapling etc. that we need to consider all but we need to consider in a timely fashion and the ballot was written to allow us some breathing space... as August is here now.
>> 
>> Sent from my iPhone
>> 
>> On 18 Jul 2013, at 22:01, Stephen Davidson <S.Davidson at quovadisglobal.com> wrote:
>> 
>> I agree that section 13.2.6 is a problem and am happy to focus attention on that. The top CAs can readily adapt their own in-house software – but this section created a significant cost and obstacle for CAs that use commercial software, and we may find in Q4 there are a lot of SSL small players that don’t meet the requirement.
>>  
>> However, the intent of this ballot is to clarify the Mozilla options for technical constraints in the context of the BR, and to fill in some of the gaps on how to use them. The link in with OCSP is simply a rattle-on from that, and I would hope not to derail the overall ballot.
>>  
>> The fact is that today all Enterprise CAs that are root signed must comply with 13.2.6.  With this ballot, if they are audited, they will still need to comply with 13.2.6.  If they are constrained, they will not. 
>>  
>> I understand that the same conditions would also apply with Certificate Transparency …
>>  
>>  
>>  
>>  
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
>> Sent: Thursday, July 18, 2013 3:53 PM
>> To: Tom Albertson; public at cabforum.org
>> Subject: Re: [cabfpub] Ballot 105 Technical Constraints for Subordinate Certificate Authorities yielding broader and safer PKI adoption.
>>  
>> I tend to agree with Tom that the complexity and risk might outweigh the potential benefit. And I’m not saying that because I want the status quo – Symantec has moved all its certs to our OCSP system that returns “unknown” for unknown cert serial numbers.
>>  
>> The intent of this ballot is to allow relying parties to detect a certificate created by an attacker which has a valid signature by virtue of hash collisions (the attacker creates a fake cert that hashes to the same value as a legitimate cert, and simply copies the good