<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
Hi Ben,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
Here are some intial questions on your proposal.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
> <span style="display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted2">That the Applicant develops and maintains its own code;</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<span style="display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted2"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1">
Can you explain what you mean with this, I suppose that this does not mean that Microsoft can no longer be a Certificate Consumer as their browser is based on Chromium? What would this say about the usage of Open-Source code, etc.?<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted14">
> That the Applicant provides a browser for both mobile and desktop platforms;</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted14">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted14 ContentPasted15 ContentPasted16 ContentPasted17 ContentPasted18">
Certificate Consumers are Application Software Suppliers, and these are not limited to browsers. Why would a Certificate Consumer be required to provide an application for both mobile and desktop platforms?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted14">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted8">
> That the Applicant has an installed user base of at least one tenth of a percent of all browsers in use globally (or some other comparable objective measurement);</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted8">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted8 ContentPasted9 ContentPasted10 ContentPasted11">
This means that the CA/Browser Forum is excluding all browsers that would like to enter the market until they have a sufficient user base, which might take years for new browsers, or a browser might even choose to operate in a niche market, for example in a
specific demographic. While it is not required to be a Certificate Consumer Member to operate a browser or a root store, it feels like this is hindering new/niche browsers to participate on an equal level.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted4">
> That the Applicant and its representatives have never been sanctioned for misconduct;</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted4">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted4 ContentPasted5 ContentPasted6">
Can you be more specific on "sanctioned for misconduct", for what and by who? This would currently mean that an employee of a certificate consumer would be sanctioned for life for any <span style="display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted7">misconduct<span class="ContentPasted7 ContentPasted12 ContentPasted13"> of
any form, which can be irrelevant for the CA/Browser forum, we probably should provide a path to rehabilitation in the aftermath of misconduct in a way that recognizes the humanity of those involved.</span></span><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted3">
> That the Applicant has actively participated in the CA/Browser Forum as a non-voting Associate Member for at least one year.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted3">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted3">
What is the purpose of this requirement, we don't have this requirement for certificate issuers.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted3">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted3">
Thanks,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted3">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted3">
Paul</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted3">
<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Servercert-wg <servercert-wg-bounces@cabforum.org> on behalf of Ben Wilson via Servercert-wg <servercert-wg@cabforum.org><br>
<b>Sent:</b> Wednesday, April 5, 2023 18:30<br>
<b>To:</b> CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br>
<b>Subject:</b> [EXTERNAL] [Servercert-wg] Request for a Moratorium on New Certificate Consumer Members</font>
<div> </div>
</div>
<div>WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<br>
<hr>
<div dir="ltr">
<div><font size="2"><span style="font-family:arial,sans-serif">All,</span></font></div>
<div><font size="2"><span style="font-family:arial,sans-serif"><br>
</span></font></div>
<div>
<p dir="ltr" id="x_gmail-docs-internal-guid-04c649a2-7fff-64c7-f381-fd36ae34c53a" style="line-height:1.38; margin-top:0pt; margin-bottom:12pt">
<font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">I would like to request a
moratorium on admitting new Certificate Consumer members to the Server Certificate Working Group until we have updated the criteria for membership of Certificate Consumers.</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">The
basis for this request is that we are in the process of developing better criteria for membership of Certificate Consumers. As noted during Face-to-Face meeting #58, our current requirement of “produc[ing] a software product intended for use by the general
public for browsing the Web securely” lacks sufficient detail. Here are a few things we are considering that should be part of the membership criteria for Certificate Consumers:</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant develops and maintains its own code;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant maintains its own root store;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant provides a browser for both mobile and desktop platforms;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant patches and delivers automatic updates of its browser software and root store;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant has publicly disclosed and documented processes for its users to report problems and to receive updates on the resolution of those problems;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant has an installed user base of at least one tenth of a percent of all browsers in use globally (or some other comparable objective measurement);</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant employs developers and infosec-trained professionals;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant’s representatives regularly, consistently, and actively participate in relevant standards bodies such as the W3C, IETF, WHATWG, and OWASP;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant and its representatives have never been sanctioned for misconduct;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant has a good history of compliance with industry standards, including but not limited to HTML (</span><a href="https://urldefense.com/v3/__https://platform.html5.org/__;!!FJ-Y8qCqXTj2!Ypa5WQHN2FbZUYE7Kjs1Lm1fL3oRd24UBjDyVngBxMiVnOxRmyqQtMzEv8h1TC7QxqctX2YlUpiW8WiW1vjLTb4ekfWZTPL5ytmb$" style="text-decoration:none; font-family:arial,sans-serif"><span style="color:rgb(17,85,204); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:underline; vertical-align:baseline; white-space:pre-wrap">https://platform.html5.org</span></a><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">);
CSS (</span><a href="https://urldefense.com/v3/__https://www.w3.org/TR/css-2023/__;!!FJ-Y8qCqXTj2!Ypa5WQHN2FbZUYE7Kjs1Lm1fL3oRd24UBjDyVngBxMiVnOxRmyqQtMzEv8h1TC7QxqctX2YlUpiW8WiW1vjLTb4ekfWZTE2pxyS5$" style="text-decoration:none; font-family:arial,sans-serif"><span style="color:rgb(17,85,204); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:underline; vertical-align:baseline; white-space:pre-wrap">https://www.w3.org/TR/css-2023/</span></a><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">);
JavaScript, HTTPS/TLS, and the IETF RFCs, such as RFC 5280;</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant’s browser passes at least certain percentages of various test suites (Acid Tests, Test 262 and web-platform-tests);</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:12pt; margin-bottom:12pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant has a published commitment to user security and privacy; and</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:0pt; margin-bottom:0pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">That
the Applicant has actively participated in the CA/Browser Forum as a non-voting Associate Member for at least one year.</span></font></p>
<p dir="ltr" style="line-height:1.38; margin-top:0pt; margin-bottom:0pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif"><br>
</span></font></p>
<p style="line-height:1.38; margin-top:0pt; margin-bottom:0pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">Thanks,</span></font></p>
<p style="line-height:1.38; margin-top:0pt; margin-bottom:0pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif"><br>
</span></font></p>
<p style="line-height:1.38; margin-top:0pt; margin-bottom:0pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif">Ben</span><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif"><br>
</span></font></p>
<p style="line-height:1.38; margin-top:0pt; margin-bottom:0pt"><font size="2"><span style="color:rgb(0,0,0); background-color:transparent; font-weight:400; font-style:normal; font-variant:normal; text-decoration:none; vertical-align:baseline; white-space:pre-wrap; font-family:arial,sans-serif"><br>
</span></font></p>
</div>
</div>
</div>
<i>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</i>
</body>
</html>