[cabfpub] Browser eligibility in CABF in general (and Comodo specifically)

Mon Dec 4 01:52:22 UTC 2017

I saw on the draft agenda, sent around on the 27th for last week's call,
included "Membership Application of Comodo Security Solutions, Inc. (as a
browser)".

I know it will take some time for the minutes of the call to be posted with
the result of Comodo's application, but this seemed like a significant
application that merits public discussion.

The Bylaws don't apply any rules about market share or other indicators of
significance to the marketplace:
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.7.pdf

The entirety of the eligibility clause for Browsers states: "The member
organization produces a software product intended for use by the general
public for browsing the Web securely."

The CA eligibility clause is significantly more constrained, in particular
in that the certificates have to be recognized by Browser members. However,
this makes the set of Browser members even more important in determining
eligibility of CAs.

Comodo appears to publish two browsers, Dragon and IceDragon, based on
Chromium and Firefox, respectively:
https://www.comodo.com/home/browsers-toolbars/internet-products.php

They don't appear to operate a root program or exercise independent
discretion about what CAs are trusted on their platform in any visible way,
they've never participated as a browser in any significant public
conversations about the Web PKI that I've seen, and their market share
appears to be negligible from all available public data.

But the Bylaws would seem to allow Comodo to join as a browser, which I
think would significantly undermine the entire point of the Forum -- as
well as potentially open a floodgate of applications from more marginal or
almost-fictional browsers.

For a quick glance at how many browsers theoretically could join the Forum
under the current bylaws, a long list of them can be in these daily-updated
feeds of browsers (as their user agent appears in Google Analytics) that
have at least 10 visits over 90 days to government properties:

https://analytics.usa.gov/data/live/browsers.csv
https://analytics.usa.gov/data/live/browsers.json

Market share may or may not be the right threshold, and I don't have some
specific text to suggest off the top of my head -- but it does feel like a
discussion is merited about whether the Bylaws around browser eligibility
adequately capture the intent of the Forum.

-- Eric

-- 
konklone.com | @konklone <https://twitter.com/konklone>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171203/7110b551/attachment-0002.html>