[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input
eric at konklone.com
Fri Feb 10 20:11:12 UTC 2017
How about creating some dedicated time for it at the F2F, now that there's
a concrete ballot and even some data, and see where the Forum can get to
The written version of this debate is starting to really spin its wheels,
especially if even Dean is starting to use phrases like "ulterior motives"
(which I don't think is called for). And despite Ryan's links to past
discussions, the ballot proposal process seemed like a sudden escalation
that didn't offer the same opportunity for discussion or consensus building
as past successful ballots.
It seems like an ideal candidate for a F2F session.
On Fri, Feb 10, 2017 at 2:51 PM, Dean Coclin <Dean_Coclin at symantec.com>
> Building consensus in meetings is different than building consensus for a
> ballot. Discussions happen in meetings without concrete proposals, as was
> shown in the chart I posted earlier from the Zurich meeting. I can’t recall
> anyone coming out before this ballot seeking consensus for a 1 year
> validity effective in 4 months. So yes, I do think that now that a formal
> proposal (ballot) has been issued, a serious attempt to build consensus
> should be undertaken. This will likely take more than 2 weeks of online
> back and forth. We have a F2F coming up in 40 days, giving folks time to
> reach out and get more input. I do believe that everyone wants to improve
> security but as the scattering of input shows, this must be balanced with
> the user constituency needs which really haven’t been fully vetted for THIS
> particular proposal. You’re right, I’m not saying we can reach consensus on
> this ballot but perhaps an alternative compromise can be reached which
> balances the needs of all constituencies.
> Regarding the motive, all I’m saying is that there is no consensus,
> therefore, it seems a ballot failure is a foregone conclusion and you must
> know that, but you want it to go forward anyway. Call me crazy?
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Friday, February 10, 2017 1:12 PM
> *To:* Dean Coclin <Dean_Coclin at symantec.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>; Eric
> Mill <eric at konklone.com>
> *Subject:* Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of
> Certificates: User input
> On Fri, Feb 10, 2017 at 10:03 AM, Dean Coclin <Dean_Coclin at symantec.com>
> We’ve always allowed minor changes in ballots after being proposed and
> this would fall into that category.
> However, I strongly believe time spent gathering consensus *would* be of
> value. I disagree that the forum is not a consensus driven organization.
> Sure there have been disagreements on some issues in the past but for the
> most part, ballots pass with a large percentage voting yes. Consensus has
> been a goal since the first meeting in NYC. It seems there is an ulterior
> motive at play in rushing this to a vote.
> Can you perhaps expand on your belief of an ulterior motive? That suggests
> a bad faith attempt, and it would be helpful to understand that accusation
> or confusion, so it can be addressed.
> Given the three years of attempts to build consensus on this matter, do
> you believe that we're likely to achieve consensus with an additional week
> or month of deliberation?
> For example, do you believe that new information has been shared by the
> Browser members that hasn't been clear for years, such as Gerv's arguments
> in https://cabforum.org/pipermail/public/2013-November/002493.html
> , which I've simply repeated here.
> Alternatively, do you believe that an additional week or month of time is
> necessary for CAs to provide new data, given that they've already had years
> to do so, but have not?
> I highlight this to suggest that the issue is one which, despite years of
> trying, we've not been able to drive consensus towards. At this point, most
> appropriate for the broader community, is to understand what those
> challenges are, and who specifically is objecting to improving security.
> It's also useful to understand whether or not there is consensus among
> browsers that this is a necessary and required step to ensure the security
> of their users when interacting online.
> I simply highlighted that the end state is that Root Stores / Application
> Software Suppliers need to take the steps to protect their users. Ideally,
> ASSes such as myself can help CAs understand our concerns and desires, and
> the risks and challenges, and find a solution that the community can reach.
> However, when CAs ignore the concerns of ASSes such as myself, or do not
> take them seriously, it sometimes requires taking the role of being an ASS
> serious, and taking the steps directly as part of program policy and
> Such is the nature of the ecosystem - as much as we all try to ensure
> we're a community pushing forward, sometimes we get stalled on a roadblock,
> and we unfortunately have to let CAs be CAs and ASSes be ASSes.
konklone.com | @konklone <https://twitter.com/konklone>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public