[cabfpub] Meaning of BR 9.16.3
Ryan Sleevi
sleevi at google.com
Tue Mar 21 14:25:53 UTC 2017
Kirk,
I'm afraid you've misunderstood my argument. We're actually in agreement on
this point. However, if you recall the ample discussion during the
Scottsdale F2F, the arguments I presented here on the mailing list were
very much the topic of discussion then. The goal is to ensure there is
transparency when local jurisdictional law conflicts with what are intended
to be internationally-applicable guidelines, and to allow the Forum members
to consider whether to normalize this, and Browser members whether to
forbid this.
You will note 9.16.3 very much has security risks. We discussed those
several times. This is why we have a transparency requirement. When such
conflicts emerge - between local laws and the Baseline Requirements - the
Forum, and particularly the root store members, need to sort out whether
those conflicts allow CAs within that jurisdiction to continue to meet the
security standards and goals intended.
On Tue, Mar 21, 2017 at 10:19 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:
> (Changing the Subject for this discussion)
>
> Ryan, I don’t think you are reading BR 9.16.3 correctly when you posted
> this:
>
> “The purpose of 9.16.3 is only to allow such a CA to operate until the
> Forum - or, more aptly, its Browser/Root Store members - have made a
> determination about the acceptability.”
>
> Look at the actual text of BR 9.16.3 below. The process (in abbreviated
> form) is as follows: If a CA finds a conflict between the BRs and a
> government “Law”, the CA may modify the BR requirement to the minimum
> extent necessary to make the BR requirements legal under the “Law”. The CA
> must then include notice of that modification of the BRs in Sec. 9.16.3 of
> its CPS, and must also notify the Forum, but the CA can then issue certs
> following the BR procedure as modified by the Law.
>
> A purpose of the notification requirement is “so that the CA/Browser
> Forum may consider possible revisions to these Requirements accordingly.”
> There is no time limit on how long the CA may continue to issue certs
> following the BRs as modified by the Law (the Forum may or may not make any
> changes to the BRs – that does not affect the CAs decision under BR
> 9.16.3), and BR 9.16.3 says nothing about the Forum being able to make a
> determination about the acceptability of the CA’s determination.
>
> It’s possible that the Forum or individual Forum members may say “we
> disagree about your decision that there is a conflict between the BRs and
> the Law, and so we don’t think you should make that modification to the
> BRs”, and a CA should carefully consider those arguments and decide if they
> are valid or not, but BR 9.16.3 is silent on that process.
>
> *BR 9.16.3. Severability*
>
> In the event of a conflict between these Requirements and a law, regulation or government order (hereinafter 'Law') of any jurisdiction in which a CA operates or issues certificates, a CA MAY modify any conflicting requirement to the minimum extent necessary to make the requirement valid and legal in the jurisdiction. This applies only to operations or certificate issuances that are subject to that Law. In such event, the CA SHALL immediately (and prior to issuing a certificate under the modified requirement) include in Section 9.16.3 of the CA’s CPS a detailed reference to the Law requiring a modification of these Requirements under this section, and the specific modification to these Requirements implemented by the CA.
>
> The CA MUST also (prior to issuing a certificate under the modified requirement) notify the CA/Browser Forum of the relevant information newly added to its CPS by sending a message to questions at cabforum.org and receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at https://cabforum.org/pipermail/public/ (or such other email addresses and links as the Forum may designate), so that the CA/Browser Forum may consider possible revisions to these Requirements accordingly.
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Ryan
> Sleevi via Public
> *Sent:* Tuesday, March 21, 2017 8:34 AM
> *To:* Dimitris Zacharopoulos <jimmy at it.auth.gr>
> *Cc:* Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion
> List <public at cabforum.org>
> *Subject:* Re: [cabfpub] C=GR, C=UK exceptions in BRs
>
> On Tue, Mar 21, 2017 at 3:04 AM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
> wrote:
>
> As mentioned elsewhere, these documents don't apply from a 9.16.3 or from
> a perspective of law. Further, I think you can agree that even if we accept
> such documents, their scope is to apply to a jurisdictional boundary,
> except you're proposing that these be adopted at an international level (as
> all certificates are inherently worldwide). So, in effect, you're proposing
> that the first country to pass a law gets to bypass any form of
> international agreement or consensus, and instead declare 'squatters'
> rights.
>
> I don't believe you intended to put it like that, but I want to highlight
> that is effectively what this justification is, so that you can understand
> why it's undesirable.
>
> Indeed I never intended to put it like that but I think 9.16.3 allows for
> exactly what you just described as undesirable (for better or worse). To
> the minimum, it is unclear what the boundaries are. That is, if a country
> passes a law that conflicts with the BRs and the CA has to abide by it,
> it must abide by it. To better understand this and possibly make it clear
> for others let me give a theoretical example. If there was a Greek law that
> said "you need to be able to issue publicly trusted SSL Certificates with
> C=EL for such and such cases", 9.16.3 would allow a CA (not necessarily a
> CA operated in Greece) to issue and inform the CA/B Forum's public list
> about this conflict.
>
> Do you agree with this interpretation? I think this is a key issue that
> the forum should try to explain and clarify as soon as possible. I also
> welcome other members that wish to offer their perspective on this.
>
> No, I actively disagree with this interpretation.
>
> The purpose of 9.16.3 is only to allow such a CA to operate until the
> Forum - or, more aptly, its Browser/Root Store members - have made a
> determination about the acceptability.
>
> For example, if a jurisdiction were to impose a law that all CAs within
> their country must issue a certificate for any domain on the request of Law
> Enforcement, then
>
> 1) That CA will have to notify the Forum before doing so
>
> 2) That CA will do so
>
> 3) That CA will promptly be distrusted in at least one browser, if not more
>
> 9.16.3 should not be used as a "get out of jail free" card (as in, from
> the boardgame Monopoly). That it could have been used by such is precisely
> why I raised attention to the matter and the need for notification and
> reform.
>
> If a Greek law said you must use C=EL, then it will be up to browser
> members to determine whether or not that's acceptable. If not, they can and
> should remove trust in CAs from that country, because the law in that
> country is incompatible with the security needs.
>
> But now you've introduced an ambiguity and overload whose "source of
> truth" can no longer be discerned.
>
> I am not sure I understand this comment or where you see ambiguity. There
> would be a well-defined exception for two countries to be represented with
> two different identifiers each. This makes it clear, at least to me, that
> when I see a certificate with either C=GR or C=EL, the Subject's Country is
> Greece :)
>
> The ambiguity of course is that ISO 3166-1 is no longer the authoritative
> version. It's whatever the CA/Browser Forum has made up, which looks like
> ISO 3166-1. The Forum making up its own rules has already led to actively
> exploited security issues in the past (such as the reserved e-mail
> addresses).
>
> Being unable to see an ambiguity, I fail to see a security threat here.
> The source of information is still ISO 3166-1 but we are discussing the "UK"
> and "EL" extra identifiers for two specific jurisdictions. If "EL" was
> listed as exceptionally reserved just as the "UK" label is, would you agree
> with Gerv that this would make things clearer and easier to allow for these
> exceptions?
>
> It would be easier to follow the exceptions, but it no less makes them
> undesirable.
>
> IMHO, by questioning these reasons, you evidently become political. I
> understand the fact that it is merely impossible to avoid some political
> discussions, sooner or later, when it comes to building policy documents.
> In order to achieve the goal to "stay apolitical to the extent possible",
> IMO the forum should try to resolve policy conflicts with minimal or no
> impact to the ecosystem based on standards and specific processes like the
> one we are following now (allowed thanks to the last paragraph of 9.16.3).
> I fully understand the argument of building on top of International
> standards, agreements, treaties and such ("giants" as you elegantly
> described). My somewhat similar thought was that the European Union's
> decisions look like they are coming from a "giant" as well :)
>
> I disagree strongly, and perhaps this is the subject of our disconnect.
> You're using one single jurisdiction - the EU - though made up of several
> member states - to justify ignoring an international consensus approach.
>
> I think it's useful to have this discussion, but I fail to see any
> compelling reason to deviate from the process of ISO 3166-1. At best, it
> seems to be a question of Greece wanting to do its own thing. While some
> members may be quite happy to let every country do its own thing and set
> its own standards, I disagree strongly with that cavalier approach that
> ignores consensus.
>
> I think we're in agreement that the absolute minimum necessary is a
> reservation that ensures no conflicts for C=UK or C=EL. However, even with
> such an exceptional reservation, I fail to see the compelling case for
> permitting two jurisdictions to be identified by multiple identifiers.
> Everyone who relies on this identity information will need to know that
> C=GR and C=EL are the same, despite ISO 3166-1 not actually assigning the
> latter to GR (just "exceptionally reserved").
>