[cabfpub] CAB Forum Draft Code of Conduct

Ryan Sleevi sleevi at google.com
Wed Apr 26 19:11:00 UTC 2017

On Wed, Apr 26, 2017 at 2:21 PM, Virginia Fournier via Public <
public at cabforum.org> wrote:
> While this may be true, I'm not Mozilla's representative to those
> organizations :-) And anyway, if "someone else does it" were a
> concluding argument, we would not be having any discussion at all about
> what's best for us.
> **VMF 4/26:  As mentioned above, Mozilla Foundation is the member of CAB
> Forum, W3C, and WhatWG, and not any individual person.  So, hopefully
> Mozilla would be able to agree to the same code of conduct terms it has
> already agreed to in the other groups.

I totally appreciate where you're coming from - but I think it may not be
clear that the operation of the CA/Browser Forum is very much different
than that of, say, the W3C or WHATWG. There is very much a different
dynamic at play here, most obviously through things like our Antitrust

We have CAs, which are organizations that, whether through explicit legal
contracts or through community agreements and committments, are trusted to
provide services for the Browser members. The Browser members can and do
take the steps necessary to protect their users from security incidents,
and the Forum serves largely as a way to both solicit feedback in a
transparent manner and to ensure that these changes don't meaningfully
conflict with other Browsers' security goals.

I think it may help to think of other organizations, like PCI SSC, in which
the core firms - whether it be Visa, MasterCard, etc or Google, Apple,
Microsoft, etc - are responsible for enforcing compliance, and the goal is
to ensure a common-baseline.

I suppose put differently - the goal of the CA/Browser Forum is not to
determine what is the best security for the industry, or for a given
browser member, or for the Web. It's goal is to define and deconflict
individual Browser members' expectations of the companies they contract
with or delegate keys to the Internet to, and to leave enforcement to the

And so understandably, I think both Robin and Gerv have captured one aspect
of that dynamic for which the policy highlights some issues - is that
Browser Members may _enforce_ their expectations (contractual or otherwise)
upon a CA member, and so there is not an equality among members or a shared
and common purpose for which we all agree on. This is very different from
both the W3C and the WHATWG, which aim to collaboratively produce new
documents, but have zero enforcement arm, particularly around compliance.
Browsers can, and do, so this creates a dimension to a lot of the
discussions that cannot be ignored.

For example, the documents the Forum produces are the Baselines. Every
Browser Member here has additional requirements, specific to their product,
that go above and beyond these Baselines, and there is no intent (or
necessity) to incorporate them in to the Baseline, because it reflects the
different Members' needs and objectives.

My own take of the zeitgeist of some of these comments is that, while the
spirit of a code of conduct is absolutely welcome and appreciated, we want
to recognize this dynamic - and the challenges it produces - and the
asymmetric nature of the relationships, as otherwise, we're simply
exacerbating some already strained relationships. Put differently, there
are no neutral or equal parties here in the Forum :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170426/8666152f/attachment-0003.html>

More information about the Public mailing list