<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
:-)<br>
<br>
As a few of the CAB old boys know, I spent several<br>
years running the cybersecurity group in ITU-T where<br>
I evangelized the Forum's work, rewrote the original<br>
spec to meet international standards formatting requirements<br>
and even included the EVcert spec as a significant component <br>
of the cybersecurity framework in X.1500. Part of that<br>
evangelization included the Forum doing what is now <br>
being discussed.<br>
<br>
So it's commendable the the Forum is proceeding, and it<br>
should just do it. It is the right international body for any<br>
number of reasons, and will be widely recognized. No one<br>
is going to do the job for you.<br>
<br>
The only comparable effort I've seen is the Traffic<br>
Light Protocol as a cybersecurity information sensitivity<br>
indicator. That was originally advanced by the UK<br>
government and has now been picked up by most<br>
of the national CERTs.<br>
<br>
<br>
<div class="moz-cite-prefix">On 2015-01-26 2:05 PM, Dean Coclin
wrote:<br>
</div>
<blockquote
cite="mid:14D026C7F297AD44AC82578DD818CDD037FFF38D8D@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
don’t think Ben meant to be literal in his comment, but
rather was pointing out that it would be useful for
consumers and end users to be able to use different browsers
and see similar and consistent warning information, similar
to international traffic signs. We all know what a red
octagon means even though in Puerto Rico it says, “Pare”.
When we see it, we put our foot on the brake. Could similar
behavior be ingrained in end users if all browsers had
consistent security signs? Perhaps more study is necessary.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">As
some of you know, the forum has never been able to place
requirements on browsers, yet the opposite is true. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Tony Rutkowski [<a class="moz-txt-link-freetext" href="mailto:tony@yaanatech.com">mailto:tony@yaanatech.com</a>] <br>
<b>Sent:</b> Monday, January 26, 2015 10:58 AM<br>
<b>To:</b> Ben Wilson; Stephen Davidson; Dean Coclin;
CABFPub (<a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a>)<br>
<b>Subject:</b> Re: [cabfpub] Chrome security warning
discrepancy?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">No!<br>
<br>
You want a widely accepted industry specification,<br>
and this is exactly what the CA/B Forum exists for.<br>
<br>
If you look at the RSS Convention, it was done in<br>
1968. There appear to be only a few dozen signatories<br>
with many notable omissions. Similarly, few nations<br>
even participate in the related body.<br>
<br>
For a browser security indicator, you couldn't even<br>
begin to get Nation States to discuss a subject <br>
that plainly is not properly a subject of public<br>
international law.<br>
<br>
The Forum should be pursuing and evangelizing <br>
its own work here rather than fantasizing over<br>
treaties.<br>
<br>
--tony, esq.<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 2015-01-25 10:25 AM, Ben Wilson wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:#1F497D">Time for an international treaty on
browser security indicators?</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">See
<a moz-do-not-send="true"
href="http://en.wikipedia.org/wiki/Vienna_Convention_on_Road_Signs_and_Signals#Traffic_lights"
target="_blank">http://en.wikipedia.org/wiki/Vienna_Convention_on_Road_Signs_and_Signals#Traffic_lights</a>.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>