[cabfpub] Issuers in BR/EV/EVCS Guideline Scope

Ryan Sleevi sleevi at google.com
Mon Apr 18 10:36:38 MST 2016


On Mon, Apr 18, 2016 at 10:30 AM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:

> Ryan, while I certainly remember various discussions from time to time
> about the proper scope of the Forum’s work, my recollection is that
> typically one or two people have strong opinions one way, one or two have
> opinions the other way, and most people are silent.  So we have never had a
> comprehensive discussion, and have never reached consensus on how to change
> the BRs or our Bylaws on the Forum’s scope.  Perhaps this is the right time.
>

Kirk,

I think you're conflating the scope of the BRs with the scope of the Forum,
whereas my reply was meant to indicate to you they are separable
conversations, one with very real and pressing relevance. I can appreciate
your desire to solve all the problems at once, but given that we've had
quite substantial debate on the more limited scope, it seems as if it would
only prolong a much-needed conversation.


> In my view, the best way to reach consensus and move forward is to start
> with the known use cases where this has come up as an issue – such as code
> signing, or certs from non-trusted roots, etc.  All the past use cases (and
> some additional use cases that might come up in the future) could be listed
> with the pros and cons of including them within the scope of the Forum’s
> work listed for each.  We can then discuss to see if there is consensus for
> each.  Once we reach consensus, drafting the BR changes should be easy, and
> a ballot will sell itself.  If there is no consensus, there’s probably no
> reason to move forward with a ballot.
>

I can appreciate this approach, but I would encourage you to revisit my
reply, and you can see why such a suggestion seems like a stalling tactic,
rather than a productive means forward.

Member CAs are already running into this with respect to root programs.
This isn't a "pro/con" sort of thing. This is: "Is there a common enough
understanding so that we can avoid root programs doing what they're doing
today, and to make it clear to auditors and CAs the expectations already
set forth?"


> Dean has asked for Agenda items for the face to face meeting next month,
> and this seems like a perfect one.  Between now and then, we can work up a
> list of use cases for consideration, with pros and cons, and then have a
> useful discussion in Bilbao.
>
>
>
While it is unquestionably certain that this conversation will continue at
least to the F2F, due to the pace at which the Forum moves, perhaps it
would be more useful if you might contribute insight to the questions Peter
has proposed, with your perspective as a CA and its operations.

Rather than attempt to redefine what things mean, the first order is simply
to understand what you, as a CA, see the scope as. That's what these
questions set forth to understand, since it's clear some members have
divergent views. The approach you propose presupposes there is a common
understanding, where clearly there isn't, and thus would not lead to a
fruitful or productive discussion.