[cabfpub] Discussion Draft for Revisions to Bylaws

[Ben Wilson]

What about this?

 

(3)       Browser/OS Producer: The member organization is a major global
provider of certificate-using software that depends upon certificates issued
by multiple public CAs to support the secure use of its product by the
general public.  Examples of certificate-using software includes web
browsers, cryptolibraries, root stores, operating systems, computing
platforms, software distribution systems, and products for digital document
signing and publication.  [Expressly eligible for membership under this
category are: Apple, Microsoft, Oracle, Google, Mozilla Foundation, Opera,
Adobe, .]

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ryan Sleevi
Sent: Tuesday, October 15, 2013 5:46 PM
To: ben at digicert.com
Cc: CABFPub
Subject: Re: [cabfpub] Discussion Draft for Revisions to Bylaws

 

As expressed previously, I do have concerns about the definition of browser.

 

For example, if I write a popular mobile application for Android and iOS
that is downloaded by 10 million users, and which uses SSL/TLS to update an
online leaderboard, it would appear that under the current definition of
browser, I would qualify (and, presumably, as a voting-eligible member).

 

I realize that this is, perhaps, a challenging definition. For instance, we
have organizations like Opera who have long participated and helped steer
towards a more secure Internet, but which are in the process of
transitioning away from operating a Root Store directly. Likewise, Google's
participation has largely been made up of members from the Google Chrome
team, even though the primary Root Programs are through Android and ChromeOS
(as noted in the past, Chrome on Windows / Mac / Linux attempts to defer to
a notion of a 'system' trust store). And on the other end, we have
organizations like Oracle, for which operate a Root Program (for Java),
which indirectly may be used towards the construction of either a Web
Browser or any other number of applications.

 

However, I think it's best we balance the desire to be inclusive with the
recognition of where the primary strength of this group lies in - the
development of baseline policies that can reduce both the complexity of
compliance to AND (hopefully) avoid any contradictory guidance between
Browser Root Programs.

 

My fear is that an overly broad definition will destablize some of these
efforts, bringing the industry back to a place it was 5 - 10 years ago -
where each Root Program has an independent set of guidelines with limited
commonality, and even weaker auditing frameworks.

 

Just food for thought, as I don't yet have particular language to propose to
enhance this, but am left with a general unease at the current wording.

 

On Tue, Oct 15, 2013 at 4:23 PM, Ben Wilson <ben at digicert.com> wrote:

Here is a discussion draft for changes to the bylaws.  You'll notice I
haven't edited any of the provisions related to Interested Parties because
there are a few things to iron out there and maybe somebody else has some
good suggestions.  I'll post the Word version on the wiki in case anyone
needs it.

Thanks,

Ben


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20131016/1a0e801c/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20131016/1a0e801c/attachment.bin