[cabf_validation] Validation WG meeting minutes 2019-10-10

Kirk Hall Kirk.Hall at entrustdatacard.com
Sun Oct 13 09:50:37 MST 2019

Ryan, in your response below to Stephan Wolf of GLEIF, you said “many people have engaged, publicly and privately, with GLEIF to express and explain these concerns” that including LEIs in server certificates could cause security issues for Chrome and its users.

I certainly am aware of your statements on this point – but I do not recall ever seeing similar statements of concern from anyone else.

It would be useful to Forum members if you could point us to statements of concern over including LEIs in certificates from other people so we can evaluate them.


From: Validation <validation-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Validation
Sent: Sunday, October 13, 2019 9:12 AM
To: Stephan Wolf <Stephan.Wolf at gleif.org>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Validation WG meeting minutes 2019-10-10

On Sun, Oct 13, 2019 at 10:25 AM Stephan Wolf <Stephan.Wolf at gleif.org> wrote:

I leave it with the minute taker to go back to the recording.


This is somewhat unfortunate, since it means the proposed edits create significantly more work, as you're insisting that you said these things, but such is life.

We'll need someone to go over the recording to see if you said these things and if they're accurately represented. I had hoped the explanation and context might have avoided this, or led to corrections or clarifications which might not require going back to the recording to confirm, but if you feel that these views were captured on the call and not the minutes, despite the concerns raised, then we can go and evaluate if that was the case.

I am still of the opinion that you have not answered my question why the inclusion of an LEI could cause security issues for the browser and its users.

While I don't want to conflate the minutes with a continuing discussion, I can understand you're not satisfied with the answer, despite the many attempts, from many people, publicly and privately, to explain to you the concerns. Given how many people have engaged, publicly and privately, with GLEIF to express and explain these concerns, I do agree that it's unlikely that we'll make further progress here, and that ultimately, it will be up to browser root programs as to whether to accept the risk posed and to permit CAs within their respective programs to issue such certificates. It does seem that we've likely exhausted the insight GLEIF can provide, relative to the question of "why" in certificates, and it seems we should continue that discussion to resolution. It also seems that GLEIF does not have opinions on the validation aspect, which is essential should they be allowed, and so if they are allowed, that will remain something for the Forum to independently set.

Again, I think there's great benefit in LEIs, but that benefit does not exactly transcribe to certificates, particularly when they cause real, meaningful, and lasting harm to a more secure, more agile, more robust Web PKI.