[cabfpub] eIDAS meeting presentations

Peter Bowen pzb at amzn.com
Fri Apr 1 22:27:12 UTC 2016


From the slides it looks like the presenter was more requesting that browsers use SCVP or support Authorization Validation Lists.  This would mean the browser “outsources” validation of certificates to another entity which returns the validation result. The result could possibly include an image to show the user in addition to a boolean valid/not valid.

> On Apr 1, 2016, at 3:19 PM, Dean_Coclin <Dean_Coclin at symantec.com> wrote:
> 
> I think what the presenter had in mind were “hooks” into the trust store such that an alternate trust source (i.e. eIDAS Trust List) could be selected by a user. I believe Ryan said this type of “hook” exposes the browser to potential malicious intent.  One question I had (and I really don’t know how this works) is that I know Microsoft provides the capabilities for Enterprises to add or push roots out to users in their groups. Perhaps Dr. Poesch had that in mind when he was brainstorming his hook idea.
>  
> Dean
>  
> From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>] On Behalf Of Ryan Sleevi
> Sent: Friday, April 01, 2016 2:29 PM
> To: Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org>>
> Cc: CABFPub <public at cabforum.org <mailto:public at cabforum.org>>
> Subject: Re: [cabfpub] eIDAS meeting presentations
>  
>  
>  
> On Fri, Apr 1, 2016 at 2:17 PM, Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org>> wrote:
> On 30/03/16 01:03, Adriano Santoni wrote:
> > Especially, I would like to understand whether browsers are
> > willing/planning to integrate the EU trust lists....
> 
> We remain to be convinced of the value of doing so. We see direct
> control of our own trust list as an important factor in our ability to
> drive positive change in the CA industry and the security of the web.
>  
> And how do you feel about exposing programattic access to modify or affect certificate validation, certificate UI, or certificate trust lists, as proposed during the meeting (and as captured in the Summary and in the slides by Reinhard Posch)
>  
> I will echo on list what I had previously stated during the meeting, as it was not captured in the summary, which is on the balance, we see a far greater incidence of malware abusing such APIs compared to legitimate uses, and have no intent or desire to support such programatic access. We've seen malware campaigns extensively abuse command-line flags intended for debugging and diagnostics, and we've seen malware and malvertising campaigns significantly abuse both sanctioned and unsanctioned APIs, such that the use of such APIs is a strong indicator of Potentially Unwanted Software, and will be blocked through means such as Google SafeBrowsing and the Chrome Cleanup Tool. We believe other vendors have seen similar results.
>  
> Further, we remain deeply concerned about proposals that it would be beneficial to have other countries and legal entities provide or require similar Trust Lists, as also captured on Dr. Posch's slides, for many of the same reasons that Gerv spoke of.
> _______________________________________________
> Public mailing list
> Public at cabforum.org <mailto:Public at cabforum.org>
> https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160401/fa4328d6/attachment-0003.html>


More information about the Public mailing list