On 30/12/08 04:22, Nelson B Bolyard wrote:
> Ian G wrote, On 2008-12-29 16:59:
>> As far as I heard, the CABForum was also formed or inspired from a
>> similar group of vendors (browsers) that got together at the invite of
>> the Konqueror guy to talk about phishing one day ...
> I think Mozilla's own Mr. Gervase Markham had something to do with the
> transformation of the CA Forum into the CAB Forum. Maybe he can tell us
> something of that history.

(Could be! We should be careful of the history, though. It is really
only mildly interesting for serious students of how things came to pass.
Such things tend to be a distraction to how things are, now, today. I
am guilty of that same mistake...)

>> Question for now: is the CABForum still a closed group?
> My understanding is that CAB Forum is a membership organization, with
> specific qualifications for members. The qualifications are published
> http://cabforum.org/forum.html (bottom of page). There is no membership
> fee (AFAIK), but members seem to be expected to take turns hosting the
> Forum's periodic face-to-face meetings.
Ah, thanks for posting that link. CABForum has 33 CAs and 5 vendors.
================
* Issuing CA:- The member organization operates a certification
authority that has a current and successful WebTrust for CAs audit, or
ETSI 102042 or ETSI 101456 audit report prepared by a properly-qualified
auditor, and that actively issues certificates to Web servers that are
openly accessible from the Internet using any one of the mainstream
browsers.
* Root CA:- The member organization operates a certification
authority that has a current and successful WebTrust for CAs, or ETSI
102042 or ETSI 101456 audit report prepared by a properly-qualified
auditor, and that actively issues certificates to subordinate CAs that,
in turn, actively issue certificates to Web servers that are openly
accessible from the Internet using any one of the mainstream browsers.
* Browser:- The member organization produces a software product
intended for use by the general public for browsing the Web securely.
================
AND
================
In addition to the above entities, members of the Information Security
Committee of the American Bar Association Section of Science &
Technology Law and the Canadian Institute of Chartered Accountants have
participated in developing the standards for Extended Validation SSL
certificate procedures and standards.
================
My thoughts only (but note that as I am part of the excluded peoples,
these words should be treated as potentially biased):
A tightly closed membership, oriented to CAs in their chosen segment.
As CAs, they incline towards including two other groups, being the
upstream audit organisations who provide the WebTrust, and the
downstream browsers who consume the WebTrust.
However, they include no other stakeholder groups. Of especial concern,
nobody who speaks for the end-user, even though they clearly intend as a
group to sell to these end-users.
Given such a structure, it is hard to see how they can avoid the fate of
protecting the franchise. Although I'm sure they do careful work in
documenting the current thinking, it is not reasonable to expect them to
do new thinking and to think about the new threat environment, nor to
resist the trap of increasing work loads and complexity, and reducing
availability and delivered security.
Relying parties should not look to them for that. Old Chinese curse:
be careful what you wish for.
iang
[1] For further info, check their mission and their mailing lists for
open discussion and open subscription.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto