[cabfpub] Future changes in the WebPKI
sleevi at google.com
Fri Feb 10 21:03:51 UTC 2017
So, I absolutely agree that it can hopefully be useful to share where
Browsers see the concerns are, and see the future of the ecosystem. I also
want to highlight that sometimes, changes aren't part of that roadmap,
because they're reactive to the ways in which CAs can and do fail the
ecosystem, rather than proactive.
I highlight this to make clear that the roadmap during Meeting 40 might
have to change by Meeting 41 in order to address the emergent insecurities
and risks in the system. Of course, if no CA manages to misissue between
those meetings, we're in a much better position.
And so I'm not exclusively singling out CAs, we ASSes are constantly
learning new things, and finding some ideas on the roadmap don't work when
deployed, or that tweaks are necessary. It's a fluid system, and we must be
mindful of that fluidity.
Given that I think some members have made clear that they believe change
should be measured in years, I agree, having a bit of vision mapping may
hopefully dispel that myth and provide more progressive movement forward.
On Fri, Feb 10, 2017 at 12:58 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:
> Agreed – I’d love to know where the browsers are/see themselves going.
> It’ll help us prepare users for changes better.
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Peter
> Bowen via Public
> *Sent:* Friday, February 10, 2017 1:33 PM
> *To:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Cc:* Peter Bowen <pzb at amzn.com>
> *Subject:* [cabfpub] Future changes in the WebPKI
> On Feb 10, 2017, at 11:51 AM, Dean Coclin via Public <public at cabforum.org> wrote:
> Building consensus in meetings is different than building consensus for a
> ballot. Discussions happen in meetings without concrete proposals, as was
> shown in the chart I posted earlier from the Zurich meeting. I can’t recall
> anyone coming out before this ballot seeking consensus for a 1 year
> validity effective in 4 months. So yes, I do think that now that a formal
> proposal (ballot) has been issued, a serious attempt to build consensus
> should be undertaken. This will likely take more than 2 weeks of online
> back and forth. We have a F2F coming up in 40 days, giving folks time to
> reach out and get more input. I do believe that everyone wants to improve
> security but as the scattering of input shows, this must be balanced with
> the user constituency needs which really haven’t been fully vetted for THIS
> particular proposal.
> My impression is that several different browsers (or ASSes if you want)
> have visions/roadmaps for what they want from contracted CAs long term. I
> don’t think these have been clearly shared with the Forum, probably because
> it would disclose product roadmaps. This is why I suggested the
> quasi-anonymous futures topic at the next F2F, but I would even like it
> better if they could just come straight out and say “our ideal state is X,
> help us get there”.