[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Ryan Sleevi sleevi at google.com
Thu Aug 9 10:16:13 MST 2018

On Thu, Aug 9, 2018 at 1:01 PM Tim Hollebeek <tim.hollebeek at digicert.com>

> James,
> This is actually a good suggestion and I’ve suggested it before, including
> this several times this spring.  I am very concerned about the fact that
> just within the last year, there have been a number of proposals that would
> significantly expand certificate size by including information that does
> not actually need to be in the certificate.

Can you provide links for what you believe at proposals that would
"significantly expand certificate size"?

I can find one such reference in
https://cabforum.org/pipermail/validation/2018-August/001001.html , which
hasn't been expanded on.

> I’ve actually suggested several times that Certificate Metadata
> Transparency should be a thing.  CAs could securely assert all sorts of
> rich metadata information about validation or issuance of certificates,
> including validation methods, problem report addresses, CAA lookup
> information that was retrieved, and so on.

Yes, and several times, it's been pointed out that sticking the suffix
"Transparency" on something does not magically make it reliable, much in
the same way that sticking "Blockchain" in your marketing can easily net
you ample funding, but no real credibility or technology. These suggestions
have, to date, ignored the significant (6+ years, now) set of design
discussions and considerations gone into making this information usable and
deployable. There are plenty of unsound technologies with cute names that
capture whatever word was en vogue, like 'mesh', but aren't technically
sound nor address the problem at hand.

To be clear, I'm all in favor of CAs improving the transparency of their
operations - as has been clearly demonstrated by the need to improve the
current state of audits and disclosures - but the notion of "securely
assert" has a whole host of devils in the details, and we should not ignore
good and necessary work on the promise that we're only "an email away" from
a solution.

> The unfortunate thing is such logs don’t exist yet.  However DigiCert
> might set them up in the future, and start allowing other CAs to log
> metadata information about their issued certificates to our logs.  It’s
> something we’re seriously considering doing.

If DigiCert has meaningful, technically sound proposals to put forward,
we'd be happy to review. That said, it should not be unreasonable to expect
that it will be far more difficult to do than to say it will be done.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180809/9ea7a5db/attachment.html>

More information about the Validation mailing list