[cabfpub] Browser eligibility in CABF in general (and Comodo specifically)

Eric Mill eric at konklone.com
Mon Dec 11 04:21:56 UTC 2017

Does no one have thoughts on this?

I can understand how CAs and Browsers both might find it difficult to
discuss this aspect of the Forum in their official capacities. Perhaps
there are other Interested Parties on the list with an opinion?

-- Eric

On Sun, Dec 3, 2017 at 8:52 PM, Eric Mill <eric at konklone.com> wrote:

> I saw on the draft agenda, sent around on the 27th for last week's call,
> included "Membership Application of Comodo Security Solutions, Inc. (as a
> browser)".
> I know it will take some time for the minutes of the call to be posted
> with the result of Comodo's application, but this seemed like a significant
> application that merits public discussion.
> The Bylaws don't apply any rules about market share or other indicators of
> significance to the marketplace:
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.7.pdf
> The entirety of the eligibility clause for Browsers states: "The member
> organization produces a software product intended for use by the general
> public for browsing the Web securely."
> The CA eligibility clause is significantly more constrained, in particular
> in that the certificates have to be recognized by Browser members. However,
> this makes the set of Browser members even more important in determining
> eligibility of CAs.
> Comodo appears to publish two browsers, Dragon and IceDragon, based on
> Chromium and Firefox, respectively:
> https://www.comodo.com/home/browsers-toolbars/internet-products.php
> They don't appear to operate a root program or exercise independent
> discretion about what CAs are trusted on their platform in any visible way,
> they've never participated as a browser in any significant public
> conversations about the Web PKI that I've seen, and their market share
> appears to be negligible from all available public data.
> But the Bylaws would seem to allow Comodo to join as a browser, which I
> think would significantly undermine the entire point of the Forum -- as
> well as potentially open a floodgate of applications from more marginal or
> almost-fictional browsers.
> For a quick glance at how many browsers theoretically could join the Forum
> under the current bylaws, a long list of them can be found in these daily-updated
> feeds of browsers (as their user agent appears in Google Analytics) that
> have at least 10 visits over 90 days to government properties:
> https://analytics.usa.gov/data/live/browsers.csv
> https://analytics.usa.gov/data/live/browsers.json
> Market share may or may not be the right threshold, and I don't have some
> specific text to suggest off the top of my head -- but it does feel like a
> discussion is merited about whether the Bylaws around browser eligibility
> adequately capture the intent of the Forum.
> -- Eric
> --
> konklone.com | @konklone <https://twitter.com/konklone>

konklone.com | @konklone <https://twitter.com/konklone>