[cabfpub] C=GR, C=UK exceptions in BRs

Ryan Sleevi sleevi at google.com
Tue Mar 21 03:44:35 UTC 2017 

Dimitris,

Thanks for providing concrete reasons to support such a change. Replies
inline.

On Mon, Mar 20, 2017 at 4:03 AM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
wrote:
>
> Let me try to provide some reasons in favor of allowing these two
> exceptions.
>
>    1. For reasons unrelated to the CA/B Forum (political or whatever
>    non-technical reasons), two EU Countries have been using different
>    two-letter Country Identifiers in addition to the ones listed in ISO3166-1.
>    These exceptions have been well-defined in legal EU documents, like the
>    1505/2015
>    <http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505>
>    implementing decision. Since these exceptions are used Internationally, are
>    well-defined and globally recognized, it makes sense to allow them to be
>    used in the webPKI as well.
>
> So I object to this reasoning because it's unclear what the justification
is for this change. As mentioned, there are clearly international political
issues at play here, and while I think Phillip's examples are actively
unhelpful to making productive discussion, the fact that he feels they're
relevant and on-topic to this discussion - or the remarks Geoff have made -
actively highlight this.

As mentioned elsewhere, these documents don't apply from a 9.16.3 or from a
perspective of law. Further, I think you can agree that even if we accept
such documents, their scope is to apply to a jurisdictional boundary,
except you're proposing that these be adopted at an international level (as
all certificates are inherently worldwide). So, in effect, you're proposing
that the first country to pass a law gets to bypass any form of
international agreement or consensus, and instead declare 'squatters'
rights.

I don't believe you intended to put it like that, but I want to highlight
that is effectively what this justification is, so that you can understand
why it's undesirable.


>
>    1. Introducing these well-defined exceptions pose no security threat
>    because these identifiers are already known for so long. AFAIU, by adding
>    these two exceptions, no significant problems have been identified so far
>    in the discussion. Please note that I am not suggesting "replacing C=GR
>    with C=EL and C=GB with C=UK" but allowing all of them to be acceptable.
>
> But now you've introduced an ambiguity and overload whose "source of
truth" can no longer be discerned.

For example, the conflicting examples Rob and Phillip have given - only the
former of which I'm inclined to trust in this case - do create ambiguities.
If the purpose of the Baseline Requirements is to agree upon unambiguous
representations to the extent possible, by including full jurisdictional
information (as the discussion with Li-Chun related to the X.500 DIT has
shown), then introducing this change introduces unnecessary ambiguity, and
through it, undermines the goal of including identity information in
certificates.

Put differently, this poses a thread to the value and usefulness of the
identity information. Since a number of CAs have asserted identity
information is security relevant (hence why they revoke certificates whose
identity information is incorrect or misleading), we must naturally
conclude that this either _does_ represent a security threat, or that
identity information in certificates is not security relevant, and we
should update our documents accordingly.


>    1. There may be legal reasons for some official government agencies to
>    be represented by using C=EL or C=UK in the subject field. Should the Forum
>    prevent that? Should the Forum question these reasons?
>
> Yes. Because the Forum should strive to stay apolitical to the extent
possible, and we achieve that by standing on the shoulder of the giants who
have gone before us, seeking out international consensus through an
assemblage of experts, and when we find reason to deviate, to do so in a
manner that is a consistent application of principles rather than of
en-vogue politics.

In this case, as has been mentioned, the appropriate discussion point would
minimally be within the realm of ISO, as Gerv has highlighted.

If it helps, you can think of this much like the .onion discussion, for
which Google was opposed to support for such certificates without an
appropriate IANA-reservation of the '.onion' TLD. Without that, the Forum
would have been squatting on a domain without the consensus process. And
while it might have been argued then, much like here, that .onion wouldn't
produce a security risk, we can actually see that the principle applied
(that it's appropriate for the Forum to squat on TLDs) _did_ create a
significant security risk when applied as a rule ("Internal Server Names").
And if our principles and justifications are unsafe as general rules, then
they are likely unsafe as exceptions as well, since an exception that is
inconsistently applied is simply exclusionary politics.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170320/589b10fc/attachment-0003.html>

More information about the Public mailing list