[Servercert-wg] Displaying secure sites to Internet users

[Ryan Sleevi]

On Mon, Nov 18, 2019 at 11:01 AM Christian Heutger <ch at psw.net> wrote:

> Hi Ryan,
>
>
>
> you’re welcome to provide input and suggestions on how to get the
> fundamentals running and then we can also talk about UI indicators. You
> point out, that you believe, they are not working and there are incidents,
> which show, there is room for improvement. But I haven’t read yet anything
> on about what to do exactly.
>

I agree, it's a real problem, and a real opportunity where security-minded
CAs can and should be bringing their knowledge and understanding to bear.

I see two possibilities:
- CAs unaffected by this issue view it as simply exceptional cases, and
that they are unaffected by these issues. In which case, the CAs unaffected
by this can/should be proposing stronger requirements based on their own
industry knowledge and experience
- CAs affected by this recognize it as a systemic issue, and that these
were honest mistakes to make. In which case, the CAs affected by this
can/should be proposing stronger requirements based on their own lessons
from where things went wrong.

The point of constantly referencing these incidents is not to shame CAs for
having the incidents, but to show how systematically weak the requirements
are and how they don't provide a consistent level of assurance as written.
It's left up to CAs' interpretations, with some ending up with stronger
requirements and some ending up with weaker requirements. However, for
Relying Parties, we *have* to assume and design around the weakest
requirements. So if there are CAs thinking they're "doing it right", they
can and should be putting them into requirements. And the requirements can
and should be something that any CA - whether a start-up a year ago or a
long-existing CA of two decades - can get the same result, for the same
applicants, with the same level of assurance.

CAs are the ones that need to step up, as it's one of the few areas where
they truly have unique expertise here.


> You see pain points at CA interpration of the requirements, so then work
> on getting them more clear, you see baseline requirements are too loose,
> then provide better requirements, you see audits as been unreliable, then
> provide an audit scheme and model, which is working better, etc.
>

I agree with this as well. We do need better requirements before we can
meet the level that folks assume exists today. This is real and hard work,
and excellent work for the Forum to tackle.


> You see UI indicator of EV doesn’t work, then provide thoughts on how to
> improve. Maybe there could be an extra step, seeing DV as currently
> reliable but lowest validation level (beside for sure no validation at
> all), current EV as a mid way and work on the best way, EV 2.0
>

This is where we disagree. You're shifting the burden of proof here, and
falling back into the assumptions we dismantled earlier. Setting aside any
discussion of UI, we have to do things right, at the base level. Only then
can we begin to discuss the right technological approach (again, with the
knowledge TLS certificates create a number of problems), discuss the right
validation approach, and discuss how this information can be used. There's
zero data to support the assertion that it's necessary for UI, and folks
advocating that are often relying on demonstrably false conclusions or
specious data. We shouldn't set discussing UI on the same level of
discussing validation - UI is simply a means to an end, while validation is
essential, fundamental, and presently, deeply flawed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191118/39f104c4/attachment.html>