CAB Forum Minutes of 21 July 2016
Attendees: Andrew Whalley (Google), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton (Entrust), Curt Spann (Apple), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Doug Beattie (Globalsign), Erwaan Abalea (Docusign), Francisco Arias (ICANN), Geoff Keating (Apple), Gerv Markham (Mozilla), Jeff Stapleton (Wells Fargo), Jody Cloutier (Microsoft), Josh Aas (Let’s Encrypt), Jos Purvis (Cisco), Ken Myers (FPKI), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Patrick Tronnier (OATI), Peter Bowen (Amazon), Peter Miscovic (Disig), Phillip Hallam-Baker (Comodo), Rich Smith (Comodo), Rick Andrews (Symantec), Robin Alden (Comodo), Ryan Sleevi (Google), Sanjay Modi (Symantec), Saurabh (Symantec Research), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wayne Thayer (GoDaddy). Associate Members: Eli Spitzer, Zeev Shetach (ComSign)
- Roll Call completed.
- Antitrust Statement was inadvertently skipped on this call
- Agenda Reviewed – topic of SHA-1 exception procedure added by Dean
- Minutes of July 7th, 2016 call – Minutes were approved and will be posted to the public list.
- Ballot Status: Ballot 164 has passed. Ballot 173: Voting started today. No other ballots outstanding. Gerv is putting together a ballot reforming section 9.16.3 and is working with Kirk on that. No ballot number has been assigned yet.
6, 7. Quantum Computing: Phillip briefed the group on the status of Quantum Computing (QC) as it relates to cryptography. The quantum computers now out there are not large enough to break RSA keys but there exist ones of 5-qubit size. NIST has said it’s time to take QC seriously. Phill said there are 2 sets of concerns: one is that someone builds a QC that breaks RSA/ECC and the second is a reputation attack (i.e. people losing confidence in the web PKI which could affect $2Trillion of global trade). The consequences are things like Grover’s algorithm which can attack AES and SHA2 that harms the effective key size. The work factor is reduced (with a QC) to 2^64 (i.e. which would be breakable). The fix is to double the key size in symmetric algorithms. With public key, they are susceptible to an attack called Shor’s algorithm which in time would be a serious worry (if a QC could be built with the right number of qubits). However, every qubit added is a major difficulty for people producing these machines. In a binary computer each bit can only be in one state at a time, either a zero or one. With a quantum computer, a qubit can be in multiple states at the same time and the gates can also be in multiple states simultaneously. The problem with QC is that it has to be of sufficient size to solve the “problem”. Hence it’s not a robust technology at this point but they are getting better and we need to have a solution. Right now we are looking at two types of post-quantum crypto: (1) a search is underway to find mechanisms resistant to the quantum attack. These use lattice type algorithms; they have large keys and are slow. (2) Use hash signatures. One can use SHA-2 to create one. You would create 2 commitments, a zero and a one. Then you release one of the commitments depending on which you want to sign. You end up with signatures that are in the kilobytes. The problem is you can only use a particular public key once. There are another set of hash signatures called “stateless” which are claimed to be robust but may not be. What this comes down to is 2 styles of backup plan: (1) hope that a post-quantum PK algorithm is developed before someone comes up with a QC. (2) Build a backup infrastructure for the web PKI, putting assets in place now that could be used to bootstrap the deployment of that backup infrastructure. If we can’t do these, then we have to go back to Kerberos which means a CA (or some trusted party) would need to be online all the time and be participants in every transaction. In summary, we have a serious problem and we have some years to work on it, but we should start looking at this now. Saurabh from Symantec Research confirmed that we are very far away from QC, but it’s going to come. Some positive things: the Ring lattice problem. Breaking some of these problems is equivalent to finding the shortest vector on these lattices. This is believed to be a hard problem for QCs. These have been studied in detail and there is reasonable belief in the community that these problems would stand a quantum threat.
Gerv asked how the CABF would fit into all of this, given that this role is normally played by standards-setting bodies (i.e. IETF). Ryan added that he wasn’t sure if this was a useful discussion for this group (although very interesting) given this group’s role in the ecosystem. Phillip said he is trying to get people on the same page to address the issue. IETF has not started working groups on this. He did not expect to be working on post-quantum computing in CABF but that members who don’t normally participate in IETF should be part of those discussions when they start. There may be things we can do now, like deploying hash signature roots, that may be of assistance later on.
Peter said he sent a mail to the list outlining what would be needed. He asked what Phillip is expecting this group to provide in IETF and how would we deploy anything without a standard. Phillip said as the work on post quantum gets underway, the effects will be known. There is a draft on hash signatures and he expects a standard within a year or so.
Gerv asked if this will cause people to push for more algorithm agility in the web PKI. For example, could we build certificates that use more than one algorithm in their construction? Phill said that would be helpful.
Saurabh said it’s important to understand the extent of Google’s experiment. What they are saying is with the key exchange currently using DH or ECDHE, this is vulnerable even in the future because someone could “look back” and decrypt those communications. But what we are focusing on is the authentication part. So breaking certificates issued in the past, in the future, doesn’t really matter. Hence this industry (CAs) have much more time than someone that is doing encryption.
Phill said that’s true, but there is one caveat: CAs sign certificates that are also used for confidentiality as well. Andrew said the response is to move everything to forward secrecy. Phil said that doesn’t help if it’s based on public key.
Peter thought this was a great discussion but overall sounded like there was not a direct call to action at this time other than possibly participating in any future IETF groups on this topic.
- Comsign membership application: Ryan sent some questions to CPA Canada to better understand licensing and WebTrust auditors as the audit report that was submitted mentioned an older version of the BRs. CPA Canada confirmed that licensed auditors should be using the current version (2.0). Zeev from ComSign said they had an audit done by Mr. Sheffler, an accredited WebTrust auditor in Israel, and would check to see if he made a mistake in the audit letter.
- Governance Change WG: A face-to-face meeting has been scheduled on August 9th in San Francisco (date was changed from prior announcement). There are 3 proposals for change which have been floated: do nothing, have working groups created below forum level while maintaining SSL at the forum level, and lastly, have the SSL group be one of the working groups while the Forum takes care of admin tasks.
- Validation Working Group: Kirk said the ballot (169) is ready now. It has been published to the public list. He expects the formal voting to be imminent.
- Call for Nominations: Dean said that elections for chair and vice chair would be coming up in the fall and that we will be starting the nomination process. Kirk has an automatic nomination for Chair, although others can be nominated. Kirk said we need to start this process by August 22nd and said we have to get nominations for chair first. Gerv suggested a specific timetable should be published for all to review. Ryan reminded that a mail must be sent to the management list to start nominations. Dean said he would do that and pick this up again on the next call.
- Policy Review WG: Still talking about naming and discussion on what is a CA and how intermediate CAs are handled in audit letters and the Mozilla database.
- SHA-1 exception process: Dean said 1 company is going through the process and asked what the expectations were from browsers on how the process will come to conclusion. Gerv said they are likely to approve the exception but wasn’t sure if they will require some strict construction of the serial number as the current certs contain some strange characters. Ryan echoed this and said they want better assurances (other than the counter cryptanalysis) and said the process might have been “less unsettling” without the strange characters in the OU. Gerv asked if the browsers came back and asked Symantec to change the certs (perhaps as Phill has outlined), could that be accommodated? Dean said Symantec could but would like to know quickly as some key folks will be out next week. He also said the applicant can go back and use the original certs without the strange OU characters but is looking for clarity from the browsers.
- Other Business: 28 people have signed up for the fall meeting so far. Jody said everything is booked and would like to get a final count soon. Guest speakers from Microsoft will be attending (Smart Screen engineer, Windows crypto stack engineer).
- The next call is on August 4th. Kirk will chair that call.