[cabfpub] Ballot 213 - Revocation Timeline Extension
sleevi at google.com
Wed Oct 11 07:42:02 MST 2017
On Wed, Oct 11, 2017 at 6:03 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 10/10/17 17:53, Ryan Sleevi wrote:
> > Do you see a problem with the BRs requiring it be posted to a CABF list?
> > That is, could you elaborate on what the advantages are of having
> > multiple root programs require disclosure versus providing a central
> > clearing house?
> Well, from our perspective, we'll want it posted where we want it
> anyway. Making the CAB Forum maintain a list (which can be posted to by
> any CA, not just members, and so has to be spam-proofed, moderated etc.)
> just seems like work that someone would have to do that would be of no
> value to us.
The questions@ list doesn't suffer any of these problems. What makes you
believe this is a reasonable conclusion to reach for a new list?
> > Would you agree that there is separate value from having a root store
> > disclosure (which can affect how the root program itself behaves with
> > respect to a particular member) versus having an open, public disclosure
> > in a vendor-neutral way (which can allow for improvements to the BRs and
> > identifying problematic scenarios in a vendor-neutral way)?
> I think improvements to the BRs will be driven by the root programs
> anyway, so I'm not seeing significant value (and I do see significant
> work for someone) in a vendor-neutral list. But if you can find someone
> to run it, I wouldn't vote against a ballot which required it.
I think this is a fairly misguided view of the value of the CA/Browser
Forum, then. While it's certainly true that requirements are driven by the
browsers, CAs have provided valuable feedback for ways in which language
can be improved or requirements clarified. It seems harshly dismissive to
suggest that no such value can be driven from the transparent involvement
and awareness of the challenges faced in the ecosystem, which may not rise
to the level of what a root store deems a security-relevant incident, but
which highlights potentially unreasonable expectations.
Your further reply again suggests there's some new set of requirements you
feel are necessary and critical - that is, "if you can find someone to run
it" - when the Forum itself has shown itself quite capable of running the
questions@ list for such a purpose.
I do hope you can recognize the inherent value in having such a
vendor-neutral list, one which can allow the discovery of trends and
patterns of issues in which the BRs may be either overly restrictive or
insufficiently clear, in a way that the Forum itself can resolve those
matters, rather than suggesting they must be 'laundered' to the Forum by