[cabfpub] Issuers in BR/EV/EVCS Guideline Scope

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Mon Apr 18 18:16:21 UTC 2016

No, Ryan, you misunderstand.  I wasn’t conflating anything, but the scope of the BRs and the scope of the Forum do overlap in many ways, and so it’s useful to discuss both in this context.

I don’t understand your comment about stalling – in fact, I don’t even understand why we need this ballot now.

Peter, is there some pressing need for us to consider your ballot at this time?  To be blunt, it’s pretty abstract, and I’m not sure I understand it all (or where it came from).  Why do we need this general statement?

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, April 18, 2016 10:37 AM
To: Kirk Hall (RD-US)
Cc: Peter Bowen; CABFPub
Subject: Re: [cabfpub] Issuers in BR/EV/EVCS Guideline Scope

On Mon, Apr 18, 2016 at 10:30 AM, kirk_hall at trendmicro.com wrote:
Ryan, while I certainly remember various discussions from time to time about the proper scope of the Forum’s work, my recollection is that typically one or two people have strong opinions one way, one or two have opinions the other way, and most people are silent.  So we have never had a comprehensive discussion, and have never reached consensus on how to change the BRs or our Bylaws on the Forum’s scope.  Perhaps this is the right time.


I think you're conflating the scope of the BRs with the scope of the Forum, whereas my reply was meant to indicate to you they are separable conversations, one with very real and pressing relevance. I can appreciate your desire to solve all the problems at once, but given that we've had quite substantial debate on the more limited scope, it seems as if it would only prolong a much-needed conversation.

In my view, the best way to reach consensus and move forward is to start with the known use cases where this has come up as an issue – such as code signing, or certs from non-trusted roots, etc.  All the past use cases (and some additional use cases that might come up in the future) could be listed with the pros and cons of including them within the scope of the Forum’s work listed for each.  We can then discuss to see if there is consensus for each.  Once we reach consensus, drafting the BR changes should be easy, and a ballot will sell itself.  If there is no consensus, there’s probably no reason to move forward with a ballot.

I can appreciate this approach, but I would encourage you to revisit my reply, and you can see why such a suggestion seems like a stalling tactic, rather than a productive means forward.

Member CAs are already running into this with respect to root programs. This isn't a "pro/con" sort of thing. This is: "Is there a common enough understanding so that we can avoid root programs doing what they're doing today, and to make it clear to auditors and CAs the expectations already set forth"

Dean has asked for Agenda items for the face to face meeting next month, and this seems like a perfect one.  Between now and then, we can work up a list of use cases for consideration, with pros and cons, and then have a useful discussion in Bilbao.

While it is unquestionably certain that this conversation will continue at least to the F2F, due to the pace at which the Forum moves, perhaps it would be more useful if you might contribute insight to the questions Peter has proposed, with your perspective as a CA and its operations.

Rather than attempt to redefine what things mean, the first order is simply to understand what you, as a CA, see the scope as. That's what these questions set forth to understand, since it's clear some members have divergent views. The approach you propose presupposes there is a common understanding, where clearly there isn't, and thus would not lead to a fruitful or productive discussion.
