[cabf_governance] Ballot 206 comments

Dean Coclin Dean_Coclin at symantec.com
Wed Nov 1 13:29:40 MST 2017


Regarding your comment on system security, working groups talk about a lot of things, not necessarily directly related to the design of a system. Especially with regard to code signing, there is discussion on list of threats, potential threats, ways to subvert things, etc. Does that really need to be public?

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Wednesday, November 1, 2017 4:11 PM
To: Dean Coclin <Dean_Coclin at symantec.com>; CA/Browser Forum Governance WG List <govreform at cabforum.org>; Virginia Fournier <vfournier at apple.com>
Subject: Re: [cabf_governance] Ballot 206 comments

On 01/11/17 18:00, Dean Coclin wrote:
> A working group has to be approved by the Forum members. This is what 
> would stop a WG from doing what you suggest.

Well, not necessarily. It depends how strongly the commitment to transparency is among the particular members involved. But transparency should not be optional for a standards-setting body. The current transparency rules were the result of a long push to ensure transparency of Forum operations several years ago, and I do not want to see that rolled back.

> Also, there may be legitimate reasons to have a closed mailing list.
> I recall when we did code signing that we were discussing items that 
> would be of interest to people that would want to hack the system.
> Hence an open list was not in the best interest of the group.

If the security of a system depends on aspects of its operation being secret, then it's not secure.

Gerv