[Servercert-wg] Displaying secure sites to Internet users

Ryan Sleevi sleevi at google.com
Wed Nov 13 20:03:07 MST 2019

During our most recent F2F, there was a presentation about ways to display
secure sites to Internet users. Despite the stated topic, most of the
discussion focused solely on identity expressed in certificates, which is
only part of the picture. This limited view overlooked a number of the
considerations involved in establishing and communicating secure
connections. This prompted my questions of whether the proposers had
examined other Standards Developing Organizations ("SDO"s), and if the
CA/Browser Forum was the appropriate venue.

Browsers are already collaborating in other SDOs with domain experts across
industry on topics, including the display of secure sites to Internet
users. Given the complexities of modern web security, and the difficulty of
presenting understandable and actionable information to users, new work
would be most usefully presented in such forums, which can be done without
being an existing member or needing to apply to be one.

The primary venue for this collaboration is within the W3C’s Web Incubator
Community Group ("WICG"). It is through efforts like WICG, which are used
to house and build interest in nascent ideas for the Web that solve real
problems for users and developers, that mature specifications are created
and adopted.

An example of where browsers are already actively collaborating is on the
URL standard <https://url.spec.whatwg.org/>, which similarly provides the
necessary IP protections while providing opportunities for open
collaboration. It has already developed a number of guidelines on the more
intuitive display of secure sites to Internet users. These guidelines,
which have evolved through rigorous and peer-reviewed usability research,
and combined with the deep technical expertise involved in how modern Web
security works, reflect a number of the industry best practices.

Proponents advocating for the Forum to charter a new Working Group should
be able to articulate and explain the problem they are seeking to solve,
and then communicate how their proposed solution fits to solve that
problem. This approach, where the problem to be solved is clearly explained
first <https://www.w3.org/blog/2015/07/wicg/#what-s-the-process->, has been
highly successful for collaborations on evolving the Web, and is the core
approach for most modern Web standards work. This process helps ensure the
problem is well understood and can bring to light any faulty assumptions or
premises, which is key to assessing how well different options addressing
them might work.

Given the flexibility and open-access provided, along with strong IP
protections in place with the organizational support of the W3C, the WICG
does seem like an excellent starting point for any specific problem
statements and abstract proposals, as a natural evolution for long-standing
collaborations and discussions within the Web security community. You can
learn more about the process of making and evolving proposals with the WICG
here <https://www.w3.org/blog/2015/07/wicg/>.