[cabfpub] Send us you list of current problems with the Network Security Guidelines

Kirk Hall Kirk.Hall at entrustdatacard.com
Tue Jun 13 20:41:26 UTC 2017

I'm still uncertain what the logic is behind objections to collecting NetSec comments from people (can be CAs, auditors, even browsers) in a master list, as opposed to making people post their concerns directly in their own names - that has not been spelled out.  And I would note that both Google and Mozilla allow people to post materials, including detailed proposals and criticisms, etc., using pseudonyms - if that form of anonymity is acceptable on Google and Mozilla lists for important matters, it would seem collecting comments in a combined document for this project would be acceptable here as well, especially for a sensitive topic.  I would think "good ideas" would be welcome, however the ideas are provided.

Peter touched on the main reasons why I have offered to combine suggested changes to the NetSec guidelines - after which they would be posted immediately to the Public list, not the private Management list.  In addition, some CAs might feel that in the process of describing why a particular requirement is difficult (and unneeded) for them, they may simultaneously be telling the world about their internal security configurations, etc.

So to be clear - the compilation, once complete, will go up first on the Public list.  And anyone who wants to post suggested changes directly to the public list in their own name is welcome to do so.  I'm simply offering an alternative for those who want it.  The ideas will all be in the public domain immediately thereafter.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Monday, June 12, 2017 8:42 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>; Ryan Sleevi <sleevi at google.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Send us you list of current problems with the Network Security Guidelines

On 10/06/17 05:54, Kirk Hall via Public wrote:
> Why do you think it’s detrimental to discussion – I don’t follow your logic?

<elide back and forth>

Is this a question of whether we should default to public or default to private? If so, I think that CAB Forum practice is clear - we should default to public, and those wanting to keep things concealed have the burden of proof.

As well as the principle, in this case anonymous reports are practically less helpful because you can't ask someone "so, what did you mean by that exactly?".


More information about the Public mailing list