<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 16, 2020 at 2:12 AM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<br>
<br>
<div>On 2020-09-16 2:43 π.μ., Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Sep 15, 2020 at 4:18
PM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <br>
<br>
<div>On 2020-09-15 9:34 μ.μ., Ryan Sleevi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
</div>
</blockquote>
<br>
Sure, I can do that but in any case I forwarded it the
argument on the list. I also support this argument that
aggregating new versions of the documents saves time.<br>
</div>
</blockquote>
<div><br>
</div>
<div>While you're the only one qualified to measure whether it
saves time, as a browser, this raises a host of questions
for understanding how CAs are staying abreast of changes and
reviewing them. This is actually critical, given that I've
seen multiple CA incidents where CAs have reported that they
have trouble staying abreast of changes, even for ballots
they voted for! So it suggests to me that some of the
current ways that CAs are keeping up to date are flawed, or
lend themselves to easy mistakes.</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
I hope you realize that this is not related with Forum's activities.
The Forum produces standards/Guidelines. Whether CAs, Relying
Parties adhere to those standards/Guidelines and update their
processes/products is a different issue.<br></div></blockquote><div><br></div><div>I hope you realize that questions about the working mode of the Forum impacting the ability to make reliable use of the Forum's work product is, of course, essential to the continued value and participation in the Forum.</div><div><br></div><div>If the view of the Chair of the Forum is that the Forum should not consider how usable its work product is, which is voluntary standards that can be used by Browsers, then I think it raises deep concerns about the value of the Forum.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div>Naturally, if we had the specific member, we could ask
them to describe their process for staying aware of changes,
and why one document makes that easier. For example, I'd be
deeply concerned if a CA was looking at an aggregated
SC28+SC35, since they might mistake a meaningful normative
change as a cleanup or clarification, or similarly, mistake
or overlook an important clarification because they're
distracted by logging changes.</div>
</div>
</div>
</blockquote>
<br>
I don't think that's necessary. It seems very reasonable to me that
reviewing one redline document that introduces changes from two or
three ballots, is more convenient and simpler than having to review
two or three redline documents to reach the same result.<br>
<br>
If there are questions about a new requirement or an introduced
change, the discussion of the specific ballot that introduced the
change is there for anyone to review and get a better understanding
on the rationale and get clarifications. In some cases, even that is
not enough, and we encourage people to submit questions to the
<a href="mailto:questions@cabforum.org" target="_blank">questions@cabforum.org</a>, or if these questions come from Members,
they can post questions directly to the WG public mailing list.<br></div></blockquote><div><br></div><div>I am concerned that you're allowing your personal judgement, which unfortunately is seemingly clouded by confusion of the issues, to impair your ability to effectively and respectfully Chair, by selectively picking and choosing which viewpoints are respected.</div><div><br></div><div>I realize you believe it's very reasonable, but that appears to be a lack of familiarity with the issues we, as browsers, are seeing. As a Forum CA Member, that's concerning for HARICA, but as a Chair, that's even more inexcusable. Ballots are specifically produced to group their logical related changes within a single ballot, to make it clear the many related things that need to change in order to accomplish a particular goal, as stated in the Ballot. The aggregation approach destroys that contextually relevant information.</div><div><br></div><div>Your further suggestion that it's confusion that a CA is actively aware of, and thus can and should avail themselves of questions, when that cannot be further from what I stated. It is the lack of awareness that causes the issue, and this lack of awareness is heightened by the increasing number of changes that come in aggregation.</div><div><br></div><div>As a member, HARICA represented that it was overloaded with reviewing changes, and concerned about the quality of results at the continued cadence in light of COVID. I would expect that you (HARICA), of all organizations, should thus be familiar with the risk of many changes causing important changes to be <b>overlooked</b>, rather than misunderstood.</div><div><br></div><div>Ultimately, I understand that you, individually, have a workmode that works for you. However, that workmode is demonstrably not working in industry. As Chair, I'm requesting you do not impose your preferences on the Forum, particularly when doing so impairs and impacts the ability for CAs to adhere to these Guidelines, and thus greatly diminishes the value of the Forum as a producer of such documents. Again, the relevance of the Forum is how well it serves industry, and that has to be acknowledged as being how well its voluntary Guidelines, such as the Baseline Requirements, provide value to browser members as an alternative to direct vendor auditing, as practiced in many other ISMS-vendor relationships.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
My priority here is to serve the SCWG and the Forum in a compliant
and productive manner. If the SCWG Members have no objection to the
current practice of aggregating Final Guidelines when we have
timelines that permit this aggregation, I will continue with this
practice.<br></div></blockquote><div><br></div><div>Our concern is with aggregation, and while we recognize the value it brings to making the Chair's role easier, our belief is that it actively harms compliance and comprehension, and thus request you stop.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><blockquote type="cite"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
Can you point me to where you believe this practice is
forbidden?</div>
</blockquote>
<div><br>
</div>
<div>
<div>Can you mention where I said it was forbidden? I'm not
sure how best to answer your question, and so I think this
might require disentangling what you think I said versus
what I said.</div>
</div>
</div>
</div>
</blockquote>
<br>
Perhaps I misunderstood this particular statement:<br>
<ul>
<li>"The IP review necessitates the production of the Final
document, so that sounds like more work, rather than less, and
it seems to run in the same problem of commingling outputs."</li>
</ul>
<p>I'm glad we are in agreement that this practice is not forbidden
and, of course, not required.<br></p></div></blockquote><div>I hope you can recognize the logical fallacy in your statement, which I hope we can chalk to ignorance rather than malice.</div><div><br></div><div>You indeed misunderstood the statement, which is discussing Section 4.1 of the IPR policy.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>I honestly don't mind the extra work of creating more
Guidelines but it seems pointless to create a document
that nobody will ever read because it will be valid for
just a few seconds.</div>
</blockquote>
<div><br>
</div>
<div>I described, at length, why it was meaningful, from both
an IP perspective and from a document versioning
perspective. It sounded like you agreed with, or at least
understood, those challenges, so I'm not sure I understand
what you're trying to say here.</div>
</div>
</div>
</blockquote>
<br>
What I'm trying to say is that creating a document with version
1.2.2 and 5 minutes later another with version 1.2.3, makes 1.2.2
valid for just 5 minutes because everyone will just download and
read 1.2.3 that incorporates the changes introduced in 1.2.2. It
seems meaningless (from a practical standpoint) to create 1.2.2
since it will not be of use by almost anyone.<br></div></blockquote><div><br></div><div>I've repeatedly described to you how it's used, and you repeatedly appear to be dismissive of this. At this point, it's unclear to me whether this is deliberate, but I would encourage you that if something isn't clear to you, perhaps forming questions rather than stating absolutes would be useful.</div><div><br></div><div>This goes back to the questions you dismissed as outside the remit of the Forum at the outset, so perhaps by not being so dismissive, we can find common ground. Understanding the value of 1.2.2 vs 1.2.3 necessitates understanding how CAs are reviewing and integrating changes, and working to identify what good practices are to ensure good compliance. What we unambiguously know is that present practices are failing, and most recently, related to an aggregated version you produced. I'm sure it's easy to dismiss this as the "problem of the CA", but the very purpose of incident reports is to help effect systemic change. One of the systemic issues involves understanding how the work product is consumed, and that's absolutely in the realm of a Forum designed to help encourage good practices.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> Documents with the <b>same effective date</b> would
create a lot of confusion to CAs and Relying Parties.<br>
</div>
</blockquote>
<div><br>
</div>
<div>I'm also not really sure I understand this. It appears
you're saying here that CAs ignore the version, and focus on
the date, while in the past, you've specifically objected to
changes in versioning, because you've argued that CAs focus
on the version.<br>
</div>
<div><br>
</div>
<div>Are you saying that having a BRs 1.2.0, 1.2.1, and 1.2.2,
and 1.2.3 creates a lot of confusion to CAs and Relying
Parties? Because that's /four/ versions within the 3 day
window of the Bylaws. (14 Oct - 16 Oct). </div>
</div>
</div>
</blockquote>
But if the review periods end Oct 14 - 16, I will prefer to spend
one day working with the final guidelines and post the results. I
probably don't want to spend one day producing 1.2.1, publish the
resulting document to the mailing lists, update the web site, then
do the same the next day for 1.2.2. This means that all these
Guidelines will be sent (and thus become effective) on -say- 16 Oct.<br></blockquote><div><br></div><div>OK, so don't run for Chair then?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
From a compliance perspective, all 4 documents (with 4 distinct
versions) would be effective on 16 Oct which might create challenges
and confusion. I would like to avoid that an either aggregate or
ensure we have different effective dates so that at every single day
there is one and only one normative version of the Guideline in
effect. Hope this makes more sense then the previous attempt.<br></div></blockquote><div><br></div><div>Thanks. Then it is clear that your argument has limited basis in demonstrated reality, as you appear to be unaware of it being harmful, and appear to be shutting down discussion about improving it. </div></div></div>