[cabfpub] CAB Forum Draft Code of Conduct

Virginia Fournier vfournier at apple.com
Wed Apr 26 19:41:38 UTC 2017

Hi Ryan,

I’m glad to see that you’re supportive of a code of conduct.  Thanks for reviewing the differences between CAs and browsers.  I just don’t see anything in those differences that would prevent the adoption of the proposed Code of Conduct.  I don’t think there’s anything inherent in the asymmetrical relationship between CAs and browsers that would prevent either category of members from being polite, professional, and respectful to the other.   

It would be extremely helpful if you would please point out the specific language in the proposed Code of Conduct that you believe would prevent browsers from enforcing their expectations with CAs?  Does that require unreasonable conduct?  

Best regards,

Virginia Fournier
Senior Standards Counsel
Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com

On Apr 26, 2017, at 12:11 PM, Ryan Sleevi <sleevi at google.com> wrote:

On Wed, Apr 26, 2017 at 2:21 PM, Virginia Fournier via Public <public at cabforum.org> wrote:
While this may be true, I'm not Mozilla's representative to those
organizations :-) And anyway, if "someone else does it" were a
concluding argument, we would not be having any discussion at all about
what's best for us.

**VMF 4/26:  As mentioned above, Mozilla Foundation is the member of CAB Forum, W3C, and WhatWG, and not any individual person.  So, hopefully Mozilla would be able to agree to the same code of conduct terms it has already agreed to in the other groups.   

I totally appreciate where you're coming from - but I think it may not be clear that the operation of the CA/Browser Forum is very much different than that of, say, the W3C or WHATWG. There is very much a different dynamic at play here, most obviously through things like our Antitrust Statement.

We have CAs, which are organizations that, whether through explicit legal contracts or through community agreements and commitments, are trusted to provide services for the Browser members. The Browser members can and do take the steps necessary to protect their users from security incidents, and the Forum serves largely as a way to both solicit feedback in a transparent manner and to ensure that these changes don't meaningfully conflict with other Browsers' security goals.

I think it may help to think of other organizations, like PCI SSC, in which the core firms - whether it be Visa, MasterCard, etc or Google, Apple, Microsoft, etc - are responsible for enforcing compliance, and the goal is to ensure a common-baseline.

I suppose put differently - the goal of the CA/Browser Forum is not to determine what is the best security for the industry, or for a given browser member, or for the Web. Its goal is to define and deconflict individual Browser members' expectations of the companies they contract with or delegate keys to the Internet to, and to leave enforcement to the Browsers.

And so understandably, I think both Robin and Gerv have captured one aspect of that dynamic for which the policy highlights some issues - is that Browser Members may _enforce_ their expectations (contractual or otherwise) upon a CA member, and so there is not an equality among members or a shared and common purpose for which we all agree on. This is very different from both the W3C and the WHATWG, which aim to collaboratively produce new documents, but have zero enforcement arm, particularly around compliance. Browsers can, and do, so this creates a dimension to a lot of the discussions that cannot be ignored.

For example, the documents the Forum produces are the Baselines. Every Browser Member here has additional requirements, specific to their product, that go above and beyond these Baselines, and there is no intent (or necessity) to incorporate them into the Baseline, because it reflects the different Members' needs and objectives.

My own take of the zeitgeist of some of these comments is that, while the spirit of a code of conduct is absolutely welcome and appreciated, we want to recognize this dynamic - and the challenges it produces - and the asymmetric nature of the relationships, as otherwise, we're simply exacerbating some already strained relationships. Put differently, there are no neutral or equal parties here in the Forum :)
