[cabfpub] Send us you list of current problems with the Network Security Guidelines

Ryan Sleevi sleevi at google.com
Tue Jun 13 21:26:00 UTC 2017

On Tue, Jun 13, 2017 at 4:41 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>

> I'm still uncertain what the logic is behind objections to collecting
> NetSec comments from people (can be CAs, auditors, even browsers) in a
> master list, as opposed to making people post their concerns directly in
> their own names - that has not been spelled out.


You haven't spelled out why you're deviating from the traditional operation
of the CA/Browser Forum as to the participation - and attribution - of
members. If you have compelling reasons, those would be great to share. As
of yet, you have not shared any reasons - you have simply proposed
anonymous attribution. I do hope you consider the courtesy of explaining to
members why you believe anonymity to be desirable and/or necessary, giving
the operation of the Forum.

> And I would note that both Google and Mozilla allow people to post
> materials, including detailed proposals and criticisms, etc., using
> pseudonyms - if that form of anonymity is acceptable on Google and Mozilla
> lists for important matters, it would seem collecting comments in a
> combined document for this project would be acceptable here as well,
> especially for a sensitive topic.  I would think "good ideas" would be
> welcome, however the ideas are provided.

That's a false equivalency, and I do hope you realize it. That's not how
the Forum operates, and in particular, is significant enough a deviation
from the Forum's operation to deserve an explanation. If you cannot provide
such an explanation, then your proposal - for anonymity - unquestionably
does more harm than good.

> Peter touched on the main reasons why I have offered to combine suggested
> changes to the NetSec guidelines - after which they would be posted
> immediately to the Public list, not the private Management list.  In
> addition, some CAs might feel that in the process of describing why a
> particular requirement is difficult (and unneeded) for them, they may
> simultaneously be telling the world about their internal security
> configurations, etc.

I'm sorry, but this is a very tenuous argument, at best, but which has also
been proposed that, if such a thing is necessary, CAs can work with their
auditors to ask questions and, should the auditors be unable to ask, work
through our WebTrust or ETSI Liasons to bring the question to the Forum at

The fact that there have been no such contributions arguably demonstrates
that this argument is specious. However, since it's unlikely to convince
you that the proposed anonymity - in which no further details can be
gathered, no clarifications be sought, no understanding obtained - is
detrimental to the Forum, I would simply point out that there are far more
appropriate parties than the Chair, who represents a competitor to these
CAs, to provide such feedback.

> So to be clear - the compilation, once complete, will go up first on the
> Public list.  And anyone who wants to post suggested changes directly to
> the public list in their own name is welcome to do so.  I'm simply offering
> an alternative for those who want it.  The ideas will all be in the public
> domain immediately thereafter.

And unattributed, and so they will linger as FUD, like so many things do,
without actionable feedback. I do hope you reconsider how to make
productive progress here.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170613/121cb158/attachment-0003.html>

More information about the Public mailing list