[cabfpub] CA/Browser Face to Face Meeting 41 Agenda – Berlin

Kirk Hall Kirk.Hall at entrustdatacard.com
Fri Jun 16 23:19:13 UTC 2017 

Ryan, Chris was asked by some major enterprise certificate users if they could present their perspective and experiences to Forum members relating to recent changes to SSL certificate requirements and I said yes, as the topic seemed interesting and relevant.  Other people have asked to add topics to various F2F and teleconference agendas, sometimes with outside parties presenting their points of view, and I have always said yes when asked.

So you have the opportunity to assemble your own panel of certificate users to make a presentation to the Forum if you think they have useful information to share, and I will say yes to that as a separate panel that you can chair if you wish.  The same is true for every other Forum member – if you want to propose a speaker or panel on a relevant subject and present to the Forum, please do and I will say yes to you as well.

As it turns out, we could not work out the logistics issues with the enterprises who wanted to present at the F2F (time zones, etc.), so I’m taking the topic off the Agenda for this F2F meeting.  But we will likely reschedule the presentation for an upcoming teleconference call, where the time zone issues will be easier.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, June 16, 2017 8:58 AM
To: Rich Smith <richard.smith at comodo.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: CA/Browser Face to Face Meeting 41 Agenda – Berlin

Rich,

I'm sorry I wasn't clearer, but it appears you've misunderstood what I was suggesting. I was suggesting that we should not limit it simply to "large enterprises" - as has been suggested - since if our goal is to obtain valuable feedback from the ecosystem, we should value all feedback.

It sounds like you have a particular objective or agenda in mind, which so far hasn't been communicated, and certainly not as part of a public invitation for comment, so I'm hoping we can use this time to make such a proper invitation. I do think it may be an undesirable result if the Chair exclusively invited participants to further a particular agenda, since the Chair is supposed to be a neutral party, so I'm sure you can understand the desire for greater transparency.

However, even to your specific point - which, to be clear, was not a position I was advocating and not representative of what I was suggesting - if our goal is to understand the impact of Forum Timetables, then surely you would agree that it would be valuable to hear from those who view our timetables as too slow as much as it would be to hear from those who believe our timetables are too fast. Certainly, it would not be difficult to find a number of organizations and contributors - both small and large - who would share their concerns that the Forum is particularly slow in enacting necessary and valuable security changes.

On Thu, Jun 15, 2017 at 12:03 PM, Rich Smith <richard.smith at comodo.com<mailto:richard.smith at comodo.com>> wrote:
Ryan,
I’m not sure I see the point of hearing from those who have had no difficulty with our past timetables.  If they had no difficulties, then it seems, for them, our processes and timetables were perfectly acceptable, so what is it that we might learn from them, at least at this stage?  I think their feedback might be far more useful once we are all better informed as to the specific issues those who have had problems have faced.  At that point those who did not have a problem meeting our timetables might be able to look at the details and say, “Yes, we had a similar issue, but here’s how we solved it,” which would certainly be of benefit.  I just don’t see a lot of benefit of having someone come in at this point to say, “Everything is great for us, carry on.”

Regards,
Rich

From: Public [mailto:public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>] On Behalf Of Ryan Sleevi via Public
Sent: Wednesday, June 14, 2017 2:50 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com<mailto:Kirk.Hall at entrustdatacard.com>>
Cc: Ryan Sleevi <sleevi at google.com<mailto:sleevi at google.com>>; CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>

Subject: Re: [cabfpub] [EXTERNAL]Re: CA/Browser Face to Face Meeting 41 Agenda – Berlin

Kirk,

While as you know, we are thrilled to see a proposal for greater participation of the public, a point that Google has supported for a number of years, but which TrendMicro and several other members of the Forum at the time opposed, it does bear highlighting that there's a selection bias being exercised. My hope is that by correcting for that selection bias, we might receive more useful, earnest, and valuable feedback for the Forum, if we are admitting that the Forum benefits from participation of more than just the CAs and browsers.

For example, you've proposed "major website users of certificates with complex infrastructures". We've previously heard from organizations who had difficulty replacing their SHA-1 certificates with SHA-256 certificates, but we did not afford much time for the many millions of users - and certificate holders - who either did not have such difficulty or who were put at risk from such difficulties.

My hope is that by being open in a way that is truly meaningful, we might have a more robust picture of the ecosystem. While I realize that major website users may represent CAs largest customers, either by volume or by cost, and thus there is a predisposition to those opinions, considering that we collectively are managing a global shared resource whose security is critical for the Internet, we should take into consideration a fullness of views.

As much as I appreciate your suggestion of a separate section, might I suggest that it might be more useful to focus on a single section, with open participation? That is, preselecting ontologies would only serve to alienate users, but it would seem your goal is a more robust participatory model.

On Wed, Jun 14, 2017 at 9:53 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com<mailto:Kirk.Hall at entrustdatacard.com>> wrote:
My intent is to allow major website users of certificates with complex infrastructures to tell us about their experiences with and comments on rule changes, and how they are implemented.  Right now, I’m not sure whether or not the enterprises will be available during our meeting, but if not we can schedule during a late teleconference call.

You can certainly approach this from another angle as well, and bring in users in general who have interesting and useful things to say to the Forum.  I think we still have some time slots available if you want to organize that as a separate session.  Let me know if you want to do that, and how much time you would like.

From: Ryan Sleevi [mailto:sleevi at google.com<mailto:sleevi at google.com>]
Sent: Wednesday, June 14, 2017 3:04 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com<mailto:Kirk.Hall at entrustdatacard.com>>

Subject: Re: [cabfpub] [EXTERNAL]Re: CA/Browser Face to Face Meeting 41 Agenda – Berlin

Kirk,

Could you clarify your intent? You mentioned "any other enterprise users" - but I believe the goal is certificate users in general (i.e. more broadly than just enterprise).

Is that correct?

On Tue, Jun 13, 2017 at 6:03 PM, Kirk Hall via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
I will present names and companies once their participation is confirmed.  Yes, at the Chair’s invitation, but I will additionally “invite” any other enterprise users others may propose to tell their stories.

I’d point out that over the years we have heard from many people and organizations at our meetings.  It’s been very useful.

From: Public [mailto:public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>] On Behalf Of Peter Bowen via Public
Sent: Tuesday, June 13, 2017 2:35 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Cc: Peter Bowen <pzb at amzn.com<mailto:pzb at amzn.com>>
Subject: Re: [cabfpub] [EXTERNAL]Re: CA/Browser Face to Face Meeting 41 Agenda – Berlin


On Jun 13, 2017, at 2:28 PM, Ryan Sleevi via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:



On Tue, Jun 13, 2017 at 5:00 PM, Kirk Hall via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
On your first question - some major enterprise users would like to present their ideas and concerns about SSL certificate rules, changes, etc. from their perspective, which I know the browsers have wanted (rather than hearing it reported by the CAs who provide the certs to enterprise customers).

To be clear: Several browsers have wanted open participation. I would suggest that having CA-selected participants, without explanation (as Gerv had to seek) is perhaps detrimental to the productive dialog, in as much as it allows the Chair - and CA members - to favour particular viewpoints to the detriment of the overall ecosystem.

Might I suggest that it might not be appropriate?

I think we should welcome hearing from certificate users directly.

Kirk: Can you provide a list of certificate users who will be presenting, including their affiliation?  I’m assuming they are attending the F2F at the invitation of the Chair.

Thanks,
Peter

_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170616/34297f71/attachment-0003.html>

More information about the Public mailing list