[cabfpub] Ballot 213 - Revocation Timeline Extension

Jeremy Rowley jeremy.rowley at digicert.com
Wed Oct 11 17:52:35 UTC 2017 

I don’t understand why we are mixing creation of separate mailing list discussion for reporting BR violations with the revocation timeline change. The two aren’t closely related, at least, no more than any other BR violation and public disclosure requirement. Because certificate problem reporters are free to publish the problem report wherever they would like, I see a benefit in a publicly open list where people can post certificate problem reports and violations of policy to the CAB Forum.  I’d even support/endorse a separate ballot on creating a public mailing list where interested parties (or even non-interested parties) can discuss and report violations of the BRs and reasons for the violations. What I don’t understand is the tie to certificate revocation timelines ballot.

 

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, October 11, 2017 11:40 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Dean Coclin <Dean_Coclin at symantec.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Wayne Thayer <wthayer at godaddy.com>; Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Ballot 213 - Revocation Timeline Extension

 

Jeremy,

 

To be clear: The suggestion is to simply setup an additional mailing list for this.

 

Advantages:

- No vendor dependency (the Mozilla list is, of course, simply one root store member)

- An auditable criteria (whether or not a message was posted is something that can be quantified without an external dependency)

- Objective transparency without a vendor dependence

- Avoids requiring the high-volume subscription to the Mozilla list to understand the challenges there are with processing revocations in a timely fashion, so that the Forum can best review and update its expectations

 

Given that this is an exceptional process, it's one we can expect to be extremely low volume, but when there is volume, it will hopefully be of substantive quality.

 

The objections I've heard are:

- Objections to the notion of transparency itself

- Concerns about messages requiring moderation (not an issue for the questions@ list, AIUI, so one would similarly expect the same)

- Concerns about administrative overhead (Mailman supports self-service subscription - as evidenced by the public@ list - and allows public posting - as evidenced by the questions@ list)

- Concerns about spam (not an issue for the questions@ list, AIUI, so one would similarly expect the same)

- Concerns about vendor dependence (having this be a Forum list resolves this)

- Concerns about "The Forum" running a list ("The Forum" already runs several lists, as per our bylaws)

 

I am earnestly surprised by the degree of concern here, and am trying to make a good faith understanding of the concerns, which do not seem to be well-founded, but I may simply be misunderstanding the concerns.

 

On Wed, Oct 11, 2017 at 1:31 PM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:

I still don’t see the value of bastardizing the CAB Forum questions list to do something that the Mozilla mailing list already does perfectly.  Why use a brand new process when a good one already exists?  Unless, there’s a good reason for double transparency (Mozilla plus a new mailing list) I’d like to keep the ballot as already proposed if people are willing to endorse.

 

From: Public [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> ] On Behalf Of Dean Coclin via Public
Sent: Wednesday, October 11, 2017 11:18 AM
To: Wayne Thayer <wthayer at godaddy.com <mailto:wthayer at godaddy.com> >; CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >; Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> >; Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org> >


Subject: Re: [cabfpub] Ballot 213 - Revocation Timeline Extension

 

I’m currently responding to questions as best I can. We haven’t had much volume on that list though.


Dean

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer via Public
Sent: Wednesday, October 11, 2017 1:16 PM
To: Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> >; CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >; Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org> >
Subject: Re: [cabfpub] Ballot 213 - Revocation Timeline Extension

 

>>I do not believe that's not been a concern of any Forum mailing list to date, because that's now how the Forum has operated its mailing lists.

 

This is precisely how the Forum operates its lists – questions@ in particular, but all the others as well. And while Eddy Nigg was the long-time questions@ list admin, there is currently no one who really owns the task of monitoring the questions list in a timely fashion (and I suspect that timely moderation is quite important for this new list that’s being proposed). I am currently doing a lot of the moderation but am transitioning the work to Ben, which I believe supports the point that Gerv is making.

 

Thanks,

 

Wayne

 

From: Public <public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> > on behalf of Ryan Sleevi via Public <public at cabforum.org <mailto:public at cabforum.org> >
Reply-To: Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> >, CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >
Date: Wednesday, October 11, 2017 at 9:54 AM
To: Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org> >
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >
Subject: Re: [cabfpub] Ballot 213 - Revocation Timeline Extension

 

 

 

On Wed, Oct 11, 2017 at 12:42 PM, Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org> > wrote:

On 11/10/17 17:39, Ryan Sleevi wrote:
> What do you believe requires looking after? Spam? Substance? Access?

Mailing lists don't manage themselves. Says someone who manages six and
has to clear the spam queues daily.

 

So your concern is a message being held for moderation and requiring manual review?

 

I do not believe that's not been a concern of any Forum mailing list to date, because that's now how the Forum has operated its mailing lists.

 

Would that address your concern? 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171011/cc422f36/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171011/cc422f36/attachment-0003.p7s>

More information about the Public mailing list