[cabfpub] Browser eligibility in CABF in general (and Comodo specifically)

[Ryan Sleevi]

Hi Eric,

I really appreciate you raising this point. I, too, am torn about this
issue, and have been on the record expressing concerns going back for
several years. To the extent the CA/Browser Forum serves to facilitate open
communication between CAs and the Root Stores they participate in, there is
ostensibly some benefit in having as many root stores present. Google,
representing ChromeOS and Android, Apple representing macOS, iOS and
watchOS, Microsoft representing Windows (and all the various products
running Windows kernel or CryptoAPI, such as XBox), and Mozilla
representing Firefox all represent potential points of friction for a CA
that wishes to be ubiquitously trusted and ensure that there are no
conflicting requirements.

Yet, at the same time, it's questionable whether or not Comodo runs a root
store, it's questionable whether there has ever been friction in CAs
communicating with Comodo for purposes of trust in their browser-based
products, and it's questionable whether the bar should be such that any
Chromium-derived or Firefox-derived browser should qualify, for the reasons
you mention. I think a natural consequence of both Comodo's participation
specifically and the potential membership under the Bylaws is that we will
increasingly see the Forum become less relevant as the place for agreeing
upon common baselines, and more as a place purely for discussion around
trends in the industry. That's not to say I don't anticipate there being
some updates to the Forum's documents - when it aligns with both browsers
and CAs interests - but I suspect that increasingly, the forward-thinking
moves towards security will happen outside the Forum, through the
respective root programs.

I, too, don't have good suggestions on how to solve the membership problem.
On the one hand, having a Forum for discussion, with the IP protections
some members desire, serves as a great benefit for the community. It allows
browsers to solicit CAs' feedback about upcoming or planned policy changes,
and allows for collaboration among browsers to avoid conflicting
requirements. Having an open membership - including that of interested
parties - helps provide robust discussion. Yet on the other hand, the
voting structure of the Forum, coupled with the misguided notion that the
Forum 'leads' rather than follows the browser/root store members' program
changes, lead to the situation you point out. Attempting to resolve that
via excluding participation may not be ideal - although notably, Comodo
could have joined as an Interested Party. Proportional voting might be more
reflective of the dynamic and purpose of the Forum, if we want to still
maintain documents going forward, but in order to achieve that, one must
have a good definition of the issue.

For example, one could measure by end-user browser share, but finding an
appropriate measure of that can vary (for example, installations). Further,
it can incentivize certain OS vendors to restrict and/or block competition
from other browsers on their platforms, whether through outright policies
or through making it exceptionally difficult to change the browser, even
more than they do today. Alternatives, such as measuring on 'number of
pages loaded' or 'connections made' are complicated - after all, cURL, as
the most popular library on billions of devices, may want to be
represented, although they alternatively use the OS store (if the
SecureTransport/SChannel backend), a user-supplied store (most frequently,
the Mozilla store), or a vendor-specific store (in the case of the Wii U,
Switch, PS3 or PS4, for example). How to defer that representation?

I note I didn't really offer any solutions - Comodo's joining as a browser
may very well herald the start of the decline of the Forum's relevance as
an SDO, and more into what it originally served as - a Forum for browser
members to explore changes and deconflict them, but without waiting for or
needing the approval of CA members or other browsers. And I don't think
that's necessarily a bad thing, especially for users that care about
security and benefit from browsers that are able to do the right thing.

On Sun, Dec 10, 2017 at 11:21 PM, Eric Mill via Public <public at cabforum.org>
wrote:

> Does no one have thoughts on this?
>
> I can understand how CAs and Browsers both might find it difficult to
> discuss this aspect of the Forum in their official capacities. Perhaps
> there are other Interested Parties on the list with an opinion?
>
> -- Eric
>
> On Sun, Dec 3, 2017 at 8:52 PM, Eric Mill <eric at konklone.com> wrote:
>
>> I saw on the draft agenda, sent around on the 27th for last week's call,
>> included "Membership Application of Comodo Security Solutions, Inc. (as a
>> browser)".
>>
>> I know it will take some time for the minutes of the call to be posted
>> with the result of Comodo's application, but this seemed like a significant
>> application that merits public discussion.
>>
>> The Bylaws don't apply any rules about market share or other indicators
>> of significance to the marketplace:
>> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-
>> Bylaws-v.-1.7.pdf
>>
>> The entirety of the eligibility clause for Browsers states: "The member
>> organization produces a software product intended for use by the general
>> public for browsing the Web securely."
>>
>> The CA eligibility clause is significantly more constrained, in
>> particular in that the certificates have to be recognized by Browser
>> members. However, this makes the set of Browser members even more important
>> in determining eligibility of CAs.
>>
>> Comodo appears to publish two browsers, Dragon and IceDragon, based on
>> Chromium and Firefox, respectively: https://www.comodo.com/home/br
>> owsers-toolbars/internet-products.php
>>
>> They don't appear to operate a root program or exercise independent
>> discretion about what CAs are trusted on their platform in any visible way,
>> they've never participated as a browser in any significant public
>> conversations about the Web PKI that I've seen, and their market share
>> appears to be negligible from all available public data.
>>
>> But the Bylaws would seem to allow Comodo to join as a browser, which I
>> think would significantly undermine the entire point of the Forum -- as
>> well as potentially open a floodgate of applications from more marginal or
>> almost-fictional browsers.
>>
>> For a quick glance at how many browsers theoretically could join the
>> Forum under the current bylaws, a long list of them can be in these
>> daily-updated feeds of browsers (as their user agent appears in Google
>> Analytics) that have at least 10 visits over 90 days to government
>> properties:
>>
>> https://analytics.usa.gov/data/live/browsers.csv
>> https://analytics.usa.gov/data/live/browsers.json
>>
>> Market share may or may not be the right threshold, and I don't have some
>> specific text to suggest off the top of my head -- but it does feel like a
>> discussion is merited about whether the Bylaws around browser eligibility
>> adequately capture the intent of the Forum.
>>
>> -- Eric
>>
>> --
>> konklone.com | @konklone <https://twitter.com/konklone>
>>
>
>
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171211/83fb5073/attachment-0003.html>