[cabfpub] Baseline Requirements as part of browers programs

Ryan Sleevi sleevi at google.com
Thu Apr 3 21:01:42 UTC 2014


Jeremy,

I don't think "Just ignore it" is really a viable or appropriate response,
especially in light of the IPR policy.

Further, if such work didn't "bleed in" to the forums' general activities -
such as the bylaw discussions about supporting additional members - then I
think the argument that "it's harmless" might stand. However, it imposes a
non-trivial cost to the Forum members to review ballots and bylaw
revisions, having to be ever careful about how such work impacts important
activities like the ongoing maintenance of the Baseline SSL requirements.


On Thu, Apr 3, 2014 at 1:38 PM, Jeremy Rowley <jeremy.rowley at digicert.com>wrote:

> Again, I strongly disagree.  Implementers are free to adopt the standards
> produced as they see fit.  For example, Mozilla chose to implement
> different standards than the Forum’s audit requirements.  That’s great.
> I’m just happy they are using the standard.
>
>
>
> Work in the forum is on an entirely a voluntary basis. If Comodo feels
> that the Forum’s code signing work is unproductive, a better approach would
> be to simply stop following the working group rather than trying to
> eliminate the entire project.  The attendance on the working group calls
> indicates that many CAs find that  these guidelines have significant
> potential to improve the security of the Internet as a whole.
>
>
>
> Jeremy
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Rich Smith
> *Sent:* Thursday, April 3, 2014 2:10 PM
> *To:* 'Jeremy Rowley'; 'Robin Alden'
> *Cc:* 'CABFPub'
> *Subject:* Re: [cabfpub] Baseline Requirements as part of browers programs
>
>
>
> It's not any kind of success to those who contributed substantial time and
> resources to a work product that was only ever created in the first place
> at the request of that single adopter, only to have that single adopter
> take the resulting work product and create a closed program which only
> allows a very small minority of those who gave their time and effort to
> benefit from it.
>
>
>
> For one in that minority, I guess it's a resounding success, for the rest
> it was and continues to be a complete waste of time and resources, and a
> distraction from matters this Forum SHOULD be engaged in which benefit the
> entire ecosystem.
>
>
>
> Down the road should there either be additional adopters of the
> specification, or should the single adopter choose to open their program,
> then it may be in this Forum's wider interest to engage in further activity
> to revise and improve the specification.  At present, it is not, and it is
> IMO in contravention of the Forum bylaws to continue ongoing work unless
> and until one of the above conditions is met.
>
>
>
> Don't get me wrong, if a vendor wants to run a closed program, that is
> their prerogative, but it is not the Forum's job, nor in the interests of
> the Forum to do the work to design it for them without some benefit to the
> wider Forum.
>
>
>
> Regards,
>
> Rich
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org<public-bounces at cabforum.org>]
> *On Behalf Of *Jeremy Rowley
>
> *Sent:* Thursday, April 03, 2014 3:37 PM
> *To:* 'Robin Alden'
> *Cc:* 'CABFPub'
> *Subject:* Re: [cabfpub] Baseline Requirements as part of browers programs
>
>
>
> Thanks Robin.  I missed that.
>
>
>
> Still, my underlying point remains the same – a single adopter in a space
> where there are only 3-4 major players is a huge success.  The fact that
> Microsoft is using the CAB Forum’s EV Guidelines, and choosing to improve
> them through that same venue, is a huge success and a tribute to the
> Forum’s ability to product relevant and quality work product.
>
>
>
> Jeremy
>
>
>
> *From:* Robin Alden [mailto:robin at comodo.com <robin at comodo.com>]
> *Sent:* Thursday, April 3, 2014 11:07 AM
> *To:* Jeremy Rowley
> *Cc:* CABFPub
> *Subject:* Baseline Requirements as part of browers programs
>
>
>
> Hi Jeremy,
>
>                 You mentioned on today’s call that you thought only
> Mozilla had adopted the BRs as part of their CA program.
>
>
>
> After refreshing my memory, I believe Microsoft also require compliance
> with the BRs – at least for CAs following the WebTrust audit route.
>
>
> http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx
>
> Search for “Qualified Audit Regime”.
>
>
>
> They are also replacing the current standard for government CAs with a BR
> audit equivalency standard.
>
>
>
> There are a number of other references to the BRs on that page, too.
>
>
>
> Regards
>
>
>
> Robin
>
>
>
>
>
> Robin Alden  M.Sc.  FRI  MIET
>
> CTO -- Comodo
>
> Invent ² Secure
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140403/6152d377/attachment-0003.html>


More information about the Public mailing list