<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Hello all,</span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Broadly speaking, I agree and support the messages sent by Google and Mozilla. I think SC31 should proceed as written and I hope that it can find strong support and backing from CAs.</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">However, based on the feedback from CAs in this thread, I do have questions that I’m hoping will help me better understand the thoughts and opinions of CAs.</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">I think we have come to agreement on a few things, but I want to restate them here to ensure I’m not overly assuming :)</span></div><ol style="margin-top:0;margin-bottom:0;" class=""><li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;" class=""><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:0pt;" role="presentation" class=""><span style="font-size: 11pt; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">The WebPKI is not perfect statically nor dynamically, necessitating changes to how it operates at times.</span></p></li><li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Changes to the WebPKI should be discussed openly, weighing input from the varied stakeholders (both directly and indirectly) affected by such changes.</span></div></li><li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">The CA/B Forum is a very good place for such discussions to occur and achieving consensus through the ballot process of the CA/B Forum is a valuable way to implement changes to the WebPKI.</span></div></li><li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;" class=""><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;" role="presentation" class=""><span style="font-size: 11pt; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">In situations where a change is identified as profoundly important by a certificate consumer, but where initial consensus in the CA/B Forum is not achieved, it may be necessary for the certificate consumer to independently enforce that change through their root program.</span></p></li></ol><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">A few of the things said here raise additional questions, to which I don’t have a clear understanding of the position of CAs. FWIW, I do have my own position, but at this point I’m more interested in where CAs stand.</span></div><ol style="margin-top:0;margin-bottom:0;" class=""><li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;" class=""><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:0pt;" role="presentation" class=""><span style="font-size: 11pt; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">If a change is requested within the CA/B Forum, but fails to pass during the ballot process, in what way(s) should that change be brought up in future CA/B Forum discussions or ballots? What, if any, are appropriate ways of revisiting changes represented in failed ballots?</span></p></li><li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;" class=""><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;" role="presentation" class=""><span style="font-size: 11pt; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">In situations like described in #4 above, except instead of a single certificate consumer enforcing the identified change, it’s a majority or unanimous show of support reflected in independent changes to multiple root programs, what role does the CA/B Forum play in ensuring those root programs can rely upon participating CAs to adhere to their individual root program policies?</span></p></li></ol><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Thank you!</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">-Clint</span></div><div><br class=""><blockquote type="cite" class=""><div class="">On Jun 22, 2020, at 7:57 AM, Doug Beattie via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" class="">servercert-wg@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class="">Hi Chris,<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class="">Yes, I agree. There are some things that CAs and Browsers don’t always agree on. CAs can document these in their CPS and the root programs can define them in their root policies. This is one that should remain in the root policies for those programs that endorse this change.<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class="">I like all of the other changes in this ballot and don’t want to see them held up unnecessarily.<span class="Apple-converted-space"> </span><o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class="">Doug<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div><div class=""><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-size: 11pt;" class="">From:</span></b><span style="font-size: 11pt;" class=""><span class="Apple-converted-space"> </span>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" class="">servercert-wg-bounces@cabforum.org</a>><span class="Apple-converted-space"> </span><b class="">On Behalf Of<span class="Apple-converted-space"> </span></b>Chris Bailey via Servercert-wg<br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Monday, June 22, 2020 10:44 AM<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" class="">servercert-wg@cabforum.org</a><br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>[Servercert-wg] Ballot SC31 - Browser Alignment<o:p class=""></o:p></span></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="" class="">There has been discussion for some time in the SCWG of a “browser alignment ballot” that would import certain rules from browser root programs to the Forum’s Baseline Requirements. Entrust Datacard is generally in favor of such a ballot, but with certain limitations.</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="" class="">The CA/Browser Forum was created in 2005 so that CAs and browsers could work together and agree on industry “best practices” by consensus. We measure “best practices” consensus by our voting rules – no modification can be made to the Baseline Requirements unless it is approved by a majority of browser members and also by 2/3 of CA members. <span class="apple-converted-space"> </span></span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class="">Over the years, some browsers have modified</span><span class="Apple-converted-space"> </span>their root program<span style="" class=""><span class="Apple-converted-space"> </span>rules<span class="Apple-converted-space"> </span></span>in ways that affects<span class="Apple-converted-space"> </span><span style="" class="">the ecosystem. We believe<span class="Apple-converted-space"> </span></span>root program changes should work their way through the forum first<span class="Apple-converted-space"> </span><span style="" class="">so there is no need for later alignment of<span class="Apple-converted-space"> </span></span>these<span style="" class=""><span class="Apple-converted-space"> </span>rule</span><span class="Apple-converted-space"> </span>changes<span style="" class=""><span class="Apple-converted-space"> </span>with the BRs.</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class="">With that introduction, we believe there are two limitations that should apply to any draft browser alignment ballot amending the BRs.</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class="">1. We should not include any browser root program rule in the ballot if it conflicts with policy of another browser root program.<span class="apple-converted-space"> </span></span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class="">2. In addition, an alignment ballot should not introduce controversial issues that have already been rejected in the Forum, but should only include non-controversial changes. For this reason, we believe Ballot SC31 should not include Apple’s recent root program rule change reducing maximum certificate lifetimes from the present 825 days (as currently allowed by the BRs) to 398 days. As you all remember, this same change to the BRs was proposed in late 2019 in Ballot SC22 and was highly controversial. The ballot was unanimously approved by those browsers who voted, but failed by a large margin among CAs.</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class="">In addition, at the time of Ballot SC22 it did not appear that the browsers gave any consideration to the concerns of an equally important part of the internet security ecosystem which would also be necessary to establish industry consensus on best practices – the website owners themselves, who are also important customers of the browsers. Poll results from 3,850 website owners (including many enterprise website owners) conducted by three CAs showed that 82% of website owners oppose the reduction in the maximum certificate validity period to 398 days. Many website owners asked at the time what security problems existed with two-year certificates that were solved by moving to one-year certificates and<span class="Apple-converted-space"> </span></span>also asked<span class="Apple-converted-space"> </span><span style="" class="">for a cost-benefit analysis from the browsers, but no clear answer was ever provided to them. <span class="apple-converted-space"> </span></span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="" class="">In our opinion, browsers should not ignore the results of an unsuccessful ballot in the Forum, add the rejected provision to their root programs anyway, and then ask the Forum members to reverse their prior votes and add the rejected provision to the Forum’s best practices documents. This would be setting a very bad precedent for collective decision-making for the future.</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class="">For this reason, Ballot SC31’s proposed change to a 398-day maximum validity period does not represent consensus among CAs, website owners, and browsers. This part of Ballot SC31 is not the type of browser root program rule change that should be included in a browser root program alignment ballot. <span class="apple-converted-space"> </span></span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class="">Entrust Datacard will not support Ballot SC31 if it includes this change to the maximum certificate validity period, and we respectfully ask the proposer and endorsers to remove that part of Ballot SC31 so we can vote for it.</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif; font-variant-caps: normal; text-align: start; -webkit-text-stroke-width: 0px; word-spacing: 0px;" class=""><span style="" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class="">-- <span class="Apple-converted-space"> </span></span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 11pt;" class="">Chris Bailey</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class=""> <o:p class=""></o:p></div></div><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">_______________________________________________</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Servercert-wg mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class=""><a href="mailto:Servercert-wg@cabforum.org" class="">Servercert-wg@cabforum.org</a></span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class=""><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" class="">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></div></blockquote></div><br class=""></body></html>