<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>I don’t understand why we are mixing creation of separate mailing list discussion for reporting BR violations with the revocation timeline change. The two aren’t closely related, at least, no more than any other BR violation and public disclosure requirement. Because certificate problem reporters are free to publish the problem report wherever they would like, I see a benefit in a publicly open list where people can post certificate problem reports and violations of policy to the CAB Forum. I’d even support/endorse a separate ballot on creating a public mailing list where interested parties (or even non-interested parties) can discuss and report violations of the BRs and reasons for the violations. What I don’t understand is the tie to certificate revocation timelines ballot.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a name="_MailEndCompose"><o:p> </o:p></a></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b>From:</b> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Wednesday, October 11, 2017 11:40 AM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Cc:</b> Dean Coclin <Dean_Coclin@symantec.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Wayne Thayer <wthayer@godaddy.com>; Gervase Markham <gerv@mozilla.org><br><b>Subject:</b> Re: [cabfpub] Ballot 213 - Revocation Timeline Extension<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Jeremy,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>To be clear: The suggestion is to simply setup an additional mailing list for this.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Advantages:<o:p></o:p></p></div><div><p class=MsoNormal>- No vendor dependency (the Mozilla list is, of course, simply one root store member)<o:p></o:p></p></div><div><p class=MsoNormal>- An auditable criteria (whether or not a message was posted is something that can be quantified without an external dependency)<o:p></o:p></p></div><div><p class=MsoNormal>- Objective transparency without a vendor dependence<o:p></o:p></p></div><div><p class=MsoNormal>- Avoids requiring the high-volume subscription to the Mozilla list to understand the challenges there are with processing revocations in a timely fashion, so that the Forum can best review and update its expectations<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Given that this is an exceptional process, it's one we can expect to be extremely low volume, but when there is volume, it will hopefully be of substantive quality.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The objections I've heard are:<o:p></o:p></p></div><div><p class=MsoNormal>- Objections to the notion of transparency itself<o:p></o:p></p></div><div><p class=MsoNormal>- Concerns about messages requiring moderation (not an issue for the questions@ list, AIUI, so one would similarly expect the same)<o:p></o:p></p></div><div><p class=MsoNormal>- Concerns about administrative overhead (Mailman supports self-service subscription - as evidenced by the public@ list - and allows public posting - as evidenced by the questions@ list)<o:p></o:p></p></div><div><p class=MsoNormal>- Concerns about spam (not an issue for the questions@ list, AIUI, so one would similarly expect the same)<o:p></o:p></p></div><div><p class=MsoNormal>- Concerns about vendor dependence (having this be a Forum list resolves this)<o:p></o:p></p></div><div><p class=MsoNormal>- Concerns about "The Forum" running a list ("The Forum" already runs several lists, as per our bylaws)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am earnestly surprised by the degree of concern here, and am trying to make a good faith understanding of the concerns, which do not seem to be well-founded, but I may simply be misunderstanding the concerns.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Oct 11, 2017 at 1:31 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I still don’t see the value of bastardizing the CAB Forum questions list to do something that the Mozilla mailing list already does perfectly. Why use a brand new process when a good one already exists? Unless, there’s a good reason for double transparency (Mozilla plus a new mailing list) I’d like to keep the ballot as already proposed if people are willing to endorse.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a name="m_-3140789375581256352__MailEndCompose"> </a><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Dean Coclin via Public<br><b>Sent:</b> Wednesday, October 11, 2017 11:18 AM<br><b>To:</b> Wayne Thayer <<a href="mailto:wthayer@godaddy.com" target="_blank">wthayer@godaddy.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>>; Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>>; Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>><o:p></o:p></p><div><div><p class=MsoNormal><br><b>Subject:</b> Re: [cabfpub] Ballot 213 - Revocation Timeline Extension<o:p></o:p></p></div></div></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'>I’m currently responding to questions as best I can. We haven’t had much volume on that list though.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'><br>Dean</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Public [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Wayne Thayer via Public<br><b>Sent:</b> Wednesday, October 11, 2017 1:16 PM<br><b>To:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>>; Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>><br><b>Subject:</b> Re: [cabfpub] Ballot 213 - Revocation Timeline Extension<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>>>I do not believe that's not been a concern of any Forum mailing list to date, because that's now how the Forum has operated its mailing lists.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This is precisely how the Forum operates its lists – questions@ in particular, but all the others as well. And while Eddy Nigg was the long-time questions@ list admin, there is currently no one who really owns the task of monitoring the questions list in a timely fashion (and I suspect that timely moderation is quite important for this new list that’s being proposed). I am currently doing a lot of the moderation but am transitioning the work to Ben, which I believe supports the point that Gerv is making.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Wayne<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Public <<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>> on behalf of Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br><b>Reply-To: </b>Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>>, CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br><b>Date: </b>Wednesday, October 11, 2017 at 9:54 AM<br><b>To: </b>Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>><br><b>Cc: </b>CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br><b>Subject: </b>Re: [cabfpub] Ballot 213 - Revocation Timeline Extension</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Wed, Oct 11, 2017 at 12:42 PM, Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 11/10/17 17:39, Ryan Sleevi wrote:<br>> What do you believe requires looking after? Spam? Substance? Access?<br><br>Mailing lists don't manage themselves. Says someone who manages six and<br>has to clear the spam queues daily.<o:p></o:p></p></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>So your concern is a message being held for moderation and requiring manual review?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I do not believe that's not been a concern of any Forum mailing list to date, because that's now how the Forum has operated its mailing lists.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Would that address your concern? <o:p></o:p></p></div></div></div></div></div></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>