[cabf_validation] [EXTERNAL] Draft Ballot SCXX: Improve OU validation requirements

Ryan Sleevi sleevi at google.com
Wed Nov 4 07:44:26 MST 2020


On Wed, Nov 4, 2020 at 6:21 AM Paul van Brouwershaven via Validation <validation at cabforum.org> wrote:

> We got a lot of positive feedback using private channels, with the large
> majority of CAs indicating that they want to retain the OU field and are
> willing to support this proposal.
>

That's great for you, I'm sure, but there's been zero progress on
addressing the security risks. I want to make sure we're aligned in
understanding here, in that this isn't a popularity contest, and that just
because bad ideas that harm users also make money or allow CAs to keep
doing the status quo doesn't somehow make them good ideas.

Unless, and until, there is meaningful, actionable progress on addressing
the concrete issues raised here, I think the plan to forbid the OU needs to
continue, and I believe it would be deeply irresponsible for Entrust to
ignore these issues and present it as somehow CAs agreeing to keep the
status quo.

As mentioned during the F2F, at length, every aspect of this proposal fails
to improve the status quo, or meaningfully degrades it. While I'm
encouraged to see Entrust thinking about risks, it should be abundantly
clear to Entrust, and to those participants, that the proposed mitigation
and scoring is unacceptable and failing to achieve the goal. Whether or not
something is mitigated ultimately is determined by the browsers whose users
are at risk, and CAs advocating for keeping the OU bear the burden of proof
to actually demonstrate the goals are achieved, rather than, as taken in
this approach, simply state.

Without qualification, we disagree with the conclusions presented here,
believe that they are arbitrary or demonstrably false, and meaningfully
harm the security of users and reliability of certificates by allowing
arbitrary values that fundamentally cannot be validated, and which nothing
of this latest round addresses. Statements like "Well, the Subscriber will
be liable if something goes wrong" are, without question, nonsense, even
though as a CA, I'm sure the appeal is great to make your responsibility
and failing to uphold it somehow someone else's fault. Sorry, that's simply
not how this works.