<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 13, 2017 at 4:41 PM, Kirk Hall <span dir="ltr"><<a href="mailto:Kirk.Hall@entrustdatacard.com" target="_blank">Kirk.Hall@entrustdatacard.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm still uncertain what the logic is behind objections to collecting NetSec comments from people (can be CAs, auditors, even browsers) in a master list, as opposed to making people post their concerns directly in their own names - that has not been spelled out. </blockquote><div><br></div><div>Kirk,</div><div><br></div><div>You haven't spelled out why you're deviating from the traditional operation of the CA/Browser Forum as to the participation - and attribution - of members. If you have compelling reasons, those would be great to share. As of yet, you have not shared any reasons - you have simply proposed anonymous attribution. I do hope you consider the courtesy of explaining to members why you believe anonymity to be desirable and/or necessary, given the operation of the Forum.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">And I would note that both Google and Mozilla allow people to post materials, including detailed proposals and criticisms, etc., using pseudonyms - if that form of anonymity is acceptable on Google and Mozilla lists for important matters, it would seem collecting comments in a combined document for this project would be acceptable here as well, especially for a sensitive topic. I would think "good ideas" would be welcome, however the ideas are provided.<br></blockquote><div><br></div><div>That's a false equivalency, and I do hope you realize it. That's not how the Forum operates, and in particular, is significant enough a deviation from the Forum's operation to deserve an explanation. 
If you cannot provide such an explanation, then your proposal - for anonymity - unquestionably does more harm than good.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Peter touched on the main reasons why I have offered to combine suggested changes to the NetSec guidelines - after which they would be posted immediately to the Public list, not the private Management list. In addition, some CAs might feel that in the process of describing why a particular requirement is difficult (and unneeded) for them, they may simultaneously be telling the world about their internal security configurations, etc.<br></blockquote><div><br></div><div>I'm sorry, but this is a very tenuous argument, at best, but which has also been proposed that, if such a thing is necessary, CAs can work with their auditors to ask questions and, should the auditors be unable to ask, work through our WebTrust or ETSI Liaisons to bring the question to the Forum at large.</div><div><br></div><div>The fact that there have been no such contributions arguably demonstrates that this argument is specious. However, since it's unlikely to convince you that the proposed anonymity - in which no further details can be gathered, no clarifications be sought, no understanding obtained - is detrimental to the Forum, I would simply point out that there are far more appropriate parties than the Chair, who represents a competitor to these CAs, to provide such feedback.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So to be clear - the compilation, once complete, will go up first on the Public list. And anyone who wants to post suggested changes directly to the public list in their own name is welcome to do so. I'm simply offering an alternative for those who want it. The ideas will all be in the public domain immediately thereafter.<br></blockquote><div><br></div><div>And unattributed, and so they will linger as FUD, like so many things do, without actionable feedback. I do hope you reconsider how to make productive progress here. </div></div></div></div>