@konklone
Last active October 20, 2015 20:32

From: Eric Mill

Re: [cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016

(Please feel free to re-post to the public list, if you think it's merited.)

Sigbjørn touched on this point, but I think it bears some elaboration -- the CA/Browser Forum has a few crucial audiences with which it needs to maintain credibility. The browsers and CAs that make it up are the most obvious and important ones.

Large enterprises/customers are also important, and they have a clear voice in this process, which they can express to members of this forum privately and publicly. While they may not always get their way, I would say their interests are well-represented.

But another crucial audience, just as important or perhaps more so, is the public. By "the public", I don't just mean scattered humanity, but also their more direct representatives -- civil society groups, elected and appointed government officials, the press, and civil servants in agencies, libraries, and universities the world over.

The credibility of the CA/B Forum to that audience is vitally important today, in a way that it wasn't in 2007 or 2011 or even 2013. The CA/B Forum isn't "mainstream", but it has passed a critical threshold of visibility among the public and the public sector -- people get that the world has placed a lot of trust in this Forum, and that the decisions here matter a lot.

If the Fortune 50 companies that have put certs in hard-to-reach places lose confidence in the CA/B Forum as a result of this process, the only practical negative consequences I can imagine are that they stop using public roots for those kinds of applications. Perhaps they even feel enough spite to switch CAs who they feel didn't represent them in the Forum. This might result in some loss of business for individual CAs, but is consistent with what everyone on this thread has been saying so far: don't use public roots for enterprise applications where they are not necessary. The less that happens, the stronger the public ecosystem is.

If the public loses confidence that the CA/B Forum is an institution where the public interest is well-represented, the consequences -- while much slower and more subtle -- could be much more sweeping.

While this ballot and discussion are just about the deprecation of one algorithm, they are also a very helpful symbol and predictor of how the CA/B Forum's politics are likely to work in the future, and whether diffuse interests are as well-represented as concentrated interests.

Dean is ably making sure that the concerns and specific questions of enterprises having trouble with this deadline are well-represented, and that is good for everyone. To the extent it reveals that some of these enterprises may not really understand the threat model of certificate issuance -- and perhaps have never really had to, until this year -- that is also good for everyone.

In 2017, we'll be in a better place, not just in having killed SHA-1, but having made publicly clear that the CA/B Forum is an institution that can balance the interests of everyone that has placed their trust in them.

-- Eric
