[cabfpub] What is identity anyway? Was: C=GR, C=UK exceptions in BRs

Ryan Sleevi sleevi at google.com
Tue Mar 21 13:48:27 UTC 2017


Phillip,

I must confess, it's hard to see what point you're attempting to make, so
I'm hoping you might take time to summarize into what you believe is an
actionable next step, rather than a discussion of the history, particularly
one which I would be happy to demonstrate as historically inaccurate.

On Tue, Mar 21, 2017 at 9:28 AM, philliph at comodo.com <philliph at comodo.com>
wrote:

> There are very few things that are as intrinsically political as the
> names of states. So complaining about the naming of states being political
> is to miss the point entirely.
>
> From a technical point of view, there are two concerns when considering an
> identifier.
>
> 1) Is the identifier unambiguous? Could the identifier correspond to more
> than one distinct entity?
> 2) Is the identifier resolvable? Can a party attempting to resolve the
> identifier determine what it means?
>
> For the purposes of the WebPKI, we are also interested in two particular
> aspects of identity:
>
> 1) To establish accountability through legal consequences should a subject
> make a material misrepresentation in a transaction.
> 2) To enable binding of a physical world identity to an online identity.
>
> When I first started doing PKI, I thought that the use of the X.500 names
> in addition to the DNS names was a mistake. Since then, I have come to
> understand that it is actually very important. Because there are offline
> identities that pre-existed the cyber world and there are reputations bound
> to them that people wish to make use of online.
>
> If we wish to engage the services of nation state law enforcement and
> nation state courts, then we have to be willing to meet whatever criteria
> the nation states apply to provide them.
>
> The topic of ‘identity’ is something that I really try to avoid. The
> objective of the WebPKI is not to establish identity, it is designed to
> establish an expectation of consequences and to enable the use of an
> offline reputation. Both of which are bound to an identity.
>
>
> When the WebPKI was first developed, the only objective was to establish
> consequences and provide access to offline reputation. Today we use it for
> much more. In particular we use it for entities whose only existence is
> online. For these organizations, offline reputation is irrelevant and
> consequences may not be relevant. Hence the need for EV and DV as distinct
> quanta of trust.
>
> The proposals to move the Web to encrypted by default and beyond that to
> mandate encryption create a third category of WebPKI use. Or maybe they
> should be outside the WebPKI entirely.
>
> The big fight in the early development of the WebPKI was whether it would
> be ‘open’ or ‘closed’. In particular, would anybody be able to get a
> certificate to engage in Internet commerce from a range of competing
> providers on flat rate terms or would the infrastructure be closed like a
> game console platform with the platform provider taking a cut of every
> sale. One of the reasons we have the model we do is because of a man called
> Michael Baum who showed how an open PKI was in fact practical at a time
> when most people thought it wasn’t.
>
> If we are going to go to mandate use of encryption, the access issue is
> raised again unless we create a third category of certificate that is below
> DV and provides no degree of assurance whatsoever and does not result in
> an affirmative security signal in the browser. (And why would you need a
> signal if everything is always encrypted).
>
> In retrospect, I think I probably made a mistake in not recognizing that
> DV and EV were in fact meeting two different but legitimate needs earlier.
> I think we might be making the same mistake again with DV and whatever it
> is that meets the ubiquitous encryption need.
>
>
>
> On Mar 21, 2017, at 3:04 AM, Dimitris Zacharopoulos via Public <
> public at cabforum.org> wrote:
>
>
>
> On 21/3/2017 5:44 AM, Ryan Sleevi wrote:
>
> Dimitris,
>
> Thanks for providing concrete reasons to support such a change. Replies
> inline.
>
> On Mon, Mar 20, 2017 at 4:03 AM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
> wrote:
>>
>> Let me try to provide some reasons in favor of allowing these two
>> exceptions.
>>
>>    1. For reasons unrelated to the CA/B Forum (political or whatever
>>    non-technical reasons), two EU Countries have been using different
>>    two-letter Country Identifiers in addition to the ones listed in ISO3166-1.
>>    These exceptions have been well-defined in legal EU documents, like the
>>    1505/2015
>>    <http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505>
>>    implementing decision. Since these exceptions are used internationally, are
>>    well-defined and globally recognized, it makes sense to allow them to be
>>    used in the webPKI as well.
>>
> So I object to this reasoning because it's unclear what the justification
> is for this change. As mentioned, there are clearly international political
> issues at play here, and while I think Phillip's examples are actively
> unhelpful to making productive discussion, the fact that he feels they're
> relevant and on-topic to this discussion - or the remarks Geoff have made -
> actively highlight this.
>
>
> I guess we disagree on the fact that you need justification for a
> political decision made by the European Union, while I take it for granted.
> The fact that "off-topic" (at least some people would characterize them as
> such) comments were made, with political tone, isn't something that should
> be used to dismiss the rest of the "on-topic" and valuable feedback and
> shouldn't be a reason, alone, to dismiss a subject being discussed (or any
> issue for that matter). Off-topic comments have been posted in the past and
> will certainly be posted in the future :)
>
>
> As mentioned elsewhere, these documents don't apply from a 9.16.3 or from
> a perspective of law. Further, I think you can agree that even if we accept
> such documents, their scope is to apply to a jurisdictional boundary,
> except you're proposing that these be adopted at an international level (as
> all certificates are inherently worldwide). So, in effect, you're proposing
> that the first country to pass a law gets to bypass any form of
> international agreement or consensus, and instead declare 'squatters'
> rights.
>
> I don't believe you intended to put it like that, but I want to highlight
> that is effectively what this justification is, so that you can understand
> why it's undesirable.
>
>
> Indeed I never intended to put it like that but I think 9.16.3 allows for
> exactly what you just described as undesirable (for better or worse). To
> the minimum, it is unclear what the boundaries are. That is, if a country
> passes a law that conflicts with the BRs and the CA has to abide by it,
> it must abide by it. To better understand this and possibly make it clear
> for others let me give a theoretical example. If there was a Greek law that
> said "you need to be able to issue publicly trusted SSL Certificates with
> C=EL for such and such cases", 9.16.3 would allow a CA (not necessarily a
> CA operated in Greece) to issue and inform the CA/B Forum's public list
> about this conflict.
>
> Do you agree with this interpretation? I think this is a key issue that
> the forum should try to explain and clarify as soon as possible. I also
> welcome other members that wish to offer their perspective on this.
>
>
>
>
>>
>>    1. Introducing these well-defined exceptions poses no security threat
>>    because these identifiers are already known for so long. AFAIU, by adding
>>    these two exceptions, no significant problems have been identified so far
>>    in the discussion. Please note that I am not suggesting "replacing C=GR
>>    with C=EL and C=GB with C=UK" but allowing all of them to be acceptable.
>>
> But now you've introduced an ambiguity and overload whose "source of
> truth" can no longer be discerned.
>
>
> I am not sure I understand this comment or where you see ambiguity. There
> would be a well-defined exception for two countries to be represented with
> two different identifiers each. This makes it clear, at least to me, that
> when I see a certificate with either C=GR or C=EL, the Subject's Country is
> Greece :)
>
>
> For example, the conflicting examples Rob and Phillip have given - only
> the former of which I'm inclined to trust in this case - do create
> ambiguities. If the purpose of the Baseline Requirements is to agree upon
> unambiguous representations to the extent possible, by including full
> jurisdictional information (as the discussion with Li-Chun related to the
> X.500 DIT has shown), then introducing this change introduces unnecessary
> ambiguity, and through it, undermines the goal of including identity
> information in certificates.
>
> Put differently, this poses a threat to the value and usefulness of the
> identity information. Since a number of CAs have asserted identity
> information is security relevant (hence why they revoke certificates whose
> identity information is incorrect or misleading), we must naturally
> conclude that this either _does_ represent a security threat, or that
> identity information in certificates is not security relevant, and we
> should update our documents accordingly.
>
>
> Being unable to see an ambiguity, I fail to see a security threat here.
> The source of information is still ISO3166-1 but we are discussing the "UK"
> and "EL" extra identifiers for two specific jurisdictions. If "EL" was
> listed as exceptionally reserved just as the "UK" label is, would you agree
> with Gerv that this would make things clearer and easier to allow for these
> exceptions?
>
>
>
>>    1. There may be legal reasons for some official government agencies
>>    to be represented by using C=EL or C=UK in the subject field. Should the
>>    Forum prevent that? Should the Forum question these reasons?
>>
> Yes. Because the Forum should strive to stay apolitical to the extent
> possible, and we achieve that by standing on the shoulder of the giants who
> have gone before us, seeking out international consensus through an
> assemblage of experts, and when we find reason to deviate, to do so in a
> manner that is a consistent application of principles rather than of
> en-vogue politics.
>
>
> IMHO, by questioning these reasons, you evidently become political. I
> understand the fact that it is merely impossible to avoid some political
> discussions, sooner or later, when it comes to building policy documents.
> In order to achieve the goal to "stay apolitical to the extent possible",
> IMO the forum should try to resolve policy conflicts with minimal or no
> impact to the ecosystem based on standards and specific processes like the
> one we are following now (allowed thanks to the last paragraph of 9.16.3).
> I fully understand the argument of building on top of International
> standards, agreements, treaties and such ("giants" as you elegantly
> described). My somewhat similar thought was that the European Union's
> decisions look like they are coming from a "giant" as well :)
>
>
> In this case, as has been mentioned, the appropriate discussion point
> would minimally be within the realm of ISO, as Gerv has highlighted.
>
>
> This makes perfect sense and I plan on contacting our ISO representatives
> to see if there is more than meets the eye.
>
> Overall, I think this was (is) a useful conversation, at least to "test"
> the limits and boundaries of 9.16.3 so that members have a better
> understanding.
>
>
> Dimitris.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
>