[cabfpub] [EXTERNAL]Re: ]RE: Ballot 194 - Effective Date of Ballot 193 Provisions is in the VOTING period (ends April 16)

Jeremy Rowley jeremy.rowley at digicert.com
Tue Apr 18 19:21:33 UTC 2017

Refusing to count multiple votes from one organization is not the same issue as counting a vote received on the public list after the voting period closed. They are not analogous as the two scenarios present two different risks.


The vote was received via the public mailing list (thanks to Kirk forwarding the vote), but after the voting period expired. The bylaws don’t dictate that the member must make the vote via the public mailing list, just that all voting will occur there. 


From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Tuesday, April 18, 2017 1:12 PM
To: Geoff Keating <geoffk at apple.com>
Cc: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL]Re: ]RE: Ballot 194 - Effective Date of Ballot 193 Provisions is in the VOTING period (ends April 16)




On Tue, Apr 18, 2017 at 2:48 PM, Geoff Keating <geoffk at apple.com> wrote:

I’m really not sure what the issue is here.  Microsoft sent their vote to the public mailing list before the deadline.  The message was posted on the public mailing list (by Kirk) in a reasonably timely manner.  I don’t see any conflict with the bylaws.


It's unclear if your "really not sure" reflects an uncertainty about the concerns, or a disagreement with them. The Bylaws don't permit the process you described.


I agree it would have been better if the vote had appeared on the list at the time it was sent.

I also see no point in litigating this.  If this ballot fails solely for this reason it will surely be submitted again and will pass.  In fact I would lobby for Apple to support the re-ballot instead of abstaining, purely to discourage rules lawyering.


I think if the result is that a subsequent Ballot was held, then the concerns would be meaningfully addressed and the result would be unambiguous and uncontested. Further, there would be no uncertainty that our Bylaws, and the protections afforded by them, are meaningful, and the ability of the Forum to self-regulate is not questioned. Surely that's a clear and desirable goal, regardless of the position of rules lawyering.


I would suggest that had this not been a 'tiebreaker' vote, the concern about accepting Microsoft's vote would not be an issue. The Forum, via the Chair, has already demonstrated several times that it's willing to abide by the timeliness of the votes, regardless of how well-intentioned the delayed votes may be. The Forum has also demonstrated that it's willing to discard votes in situations where multiple organizations represent the same Member (in the Qihoo 360/WoSign/StartCom case). In these past cases, there was no issue with discarding these votes that did not adhere to the bylaws, because they did not have any meaningful impact on the result.


The issue we're presented now is whether we value our Bylaws - and the protections afforded by them, for all members - over the results. A position that suggests it's acceptable to accept this vote, because a revote "will pass", suggests that the results are more important. And in valuing such results, we undermine the protections, and thus undermine the ability of members to participate and of the Forum to self-regulate.


The fact that Google voted "No" against this and that Microsoft voted "Yes" is not the issue at play. The issue at play is whether or not we adhered to our process for adoption.


Were it not for Section 2 of Ballot 194, which is entirely improper, if other browser members, which use the Baseline Requirements and their audits as part of their root program, agree with Ballot 194's goals, then it does seem reasonable to incorporate into the BRs. I don't think anyone has suggested the BRs represent the best security, or the necessary security, just the minimum consistent among all browsers. If some browsers feel that reuse of information is acceptable, and others do not, then it's perfectly reasonable to suggest that it can be imposed as a root program requirement, unless and until there is consensus that the security improvements are worthwhile. This is no different than, for example, Mozilla requiring disclosure of subordinate CAs (which the BRs do not require), or Google requiring Certificate Transparency for EV certificates (which the EVGs do not require), or Microsoft requiring disclosure of security incidents to them and the ability to revoke certificates (which the BRs equally do not require).


So I think Apple voting in favor of a reformed Ballot 194, excluding Section 2, if it so agrees, would be fine. But let's not confuse the result with the concerns about the process and the propriety of it. 
