[cabfpub] Posted on behalf of customer

Ryan Sleevi sleevi at google.com
Thu Dec 15 23:24:58 UTC 2016 

On Thu, Dec 15, 2016 at 3:18 PM, Eric Mill <eric at konklone.com> wrote:

> I don't think First Data's suggestion is all that misleading.
>
> The process explicitly asks for the subscriber's CA to post to the CABF
> public list, a CABF-members-only forum:
>
> https://github.com/awhalley/docs-for-comment/blob/master/SHA
> 1RequestProcedure.MD#step-one-request
>
> The Forum has consented to host this discussion process in its closed
> environment, initiated by CAs that are Forum members. While individual
> decisions are made by individual root stores, the decision making *process*
> is clearly, to me, a Forum process. And while perhaps reasonable members of
> the Forum may disagree that it is a Forum process, it is definitely going
> to be *perceived* as a Forum process by everyone outside the Forum, and
> that perception matters.
>

I think it's crucially important to dispell - every time it occurs or is
represented as so - the suggestion it's a Forum process. The choice of the
Forum of the venue was solely predicated on the basis of a pre-existing
public mailing list for which some (more active) root stores participate on.

Would it be a Google process if it was a public group hosted on Google
groups? Would it be a Giganews process if it had been hosted on an NNTP
newsgroup? Would it be a Github process if we simply created a Github
project with pull requests for SHA-1 issuance? The Forum is not the
responsible party, the public list simply serves as a technical means of
public visibility.

So yes, the Forum doesn't make the final decision, and indeed there is not
> one final decision. But from an applicant's perspective, they are
> approaching the Forum and asking for an answer, and then the answer affects
> their business. The Forum and its members should be sensitive to the
> overall impact and perception of their actions.
>

>From an applicant's perspective, they are approaching their CA.
Their CA is acting on their behalf, in a publicly transparent manner, for a
series of questions.
The choice of a public list is to provide both transparency and
accountability - for the CA and for the root stores - and in doing so,
reduces the work for the CA.

This is why it's critical to correct any misunderstandings that would
otherwise suggest it's a Forum process. It is not.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161215/8fedc613/attachment-0003.html>

More information about the Public mailing list