[Servercert-wg] Displaying secure sites to Internet users

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Nov 14 17:08:27 MST 2019

Paul - +1.  Please do start drafting a problem statement.

One half of the Forum’s stated Purpose at Bylaw 1.1 is “creating a more intuitive method of displaying secure sites to Internet users”.  Obviously, “secure sites” means more than simple encryption – otherwise, all the encrypted phishing sites would be considered “secure”.

It doesn’t sound like any of these other groups are working on identity issues and the UI, so I’m not sure what the point would be of moving the Forum’s own discussions there.  And there is no reason why we can’t have multiple expert groups working on similar issues at the same time – perhaps there can be cross-collaboration over time.  Plus, I’m not keen on moving Forum discussions to any group that charges to be a member, and the Forum is already set up with bi-weekly teleconferences and three F2F meetings a year.  So it’s better for the Forum to work on one of our two stated Purposes right here.

Finally, if the browsers are working together on URL UI issues outside of the Forum, it would be great (and much appreciated) if you all would update CAs in the Forum from time to time – we worked together collaboratively on UI issues in our early years, and could do so again.

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Paul Walsh via Servercert-wg
Sent: Wednesday, November 13, 2019 9:04 PM
To: Ryan Sleevi <sleevi at google.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL]Re: [Servercert-wg] Displaying secure sites to Internet users

On Nov 13, 2019, at 7:03 PM, Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:

During our most recent F2F, there was a presentation about ways to display secure sites to Internet users. Despite the stated topic, most of the discussion focused solely on identity expressed in certificates, which is only part of the picture.
This limited view overlooked a number of the considerations involved in establishing and communicating secure connections. This prompted my questions of whether the proposers had examined other Standards Developing Organizations ("SDO"s), and if the CA/Browser Forum was the appropriate venue.

[PW] I acknowledge what you say about other forums and the benefits you attribute to them, but can you please explain why you think this can’t happen inside this forum?

Browsers are already collaborating in other SDOs with domain experts across industry on topics, including the display of secure sites to Internet users. Given the complexities of modern web security, and the difficulty of presenting understandable and actionable information to users, new work would be most usefully presented in such forums, which can be done without being an existing member or needing to apply to be one.

[PW] Encryption and UI for website identity are very different. They require people with different skills. Identity UI requires product people and UX designers. We don’t need more engineers for this problem/solution. Right now we mostly have plumbers telling us why people are walking past our house without looking at it. They’re great plumbers, so they’re great at plumbing. They’re probably not the best people to tell us how to decorate our home though.

The primary venue for this collaboration are within the W3C’s Web Incubator Community Group ("WICG"). It is through efforts like WICG, which are used to house and build interest in nascent ideas for the Web that solve real problems for users and developers, that mature specifications are created and adopted.

[PW] I co-instigated the first ever W3C Incubator Group in 2006 [1] with Phil Archer. The WICG sounds extremely similar. Following a year of incubation, our project went onto a Full Recommendation Track, formally replacing PICS in 2009 [2]. Our Recommendation was never adopted, for numerous reasons, even though it had support from some browser vendors and other major potential implementors. Some browser vendors still use PICS today.

An example of where browsers are already actively collaborating is on the WHATWG URL standard<https://url.spec.whatwg.org/>, which similarly provides the necessary IP protections while providing opportunities for open collaboration. It has already developed a number of guidelines on the more intuitive display of secure sites to Internet users. These guidelines, which have evolved through rigorous and peer-reviewed usability research, and combined with the deep technical expertise involved in how modern Web security works, reflect a number of the industry best practices.

Proponents advocating for the Forum to charter a new Working Group should be able to articulate and explain the problem they are seeking to solve, and then communicate how their proposed solution fits to solve that problem. This approach, where the problem to be solved is clearly explained first<https://www.w3.org/blog/2015/07/wicg/#what-s-the-process->, has been highly successful for collaborations on evolving the Web, and is the core approach for most modern Web standards work. This process helps ensure the problem is well understood and can bring to light any faulty assumptions or premises, which is key to assessing how well different options addressing them might work.

[PW] I’m pretty confident that almost everyone who needs to be involved, knows what the problem is.

I’m happy to write a problem statement and a proposed solution to get something started. I’ve contributed to a lot of W3C initiatives and specifications and I still think this forum is the most suitable place for this particular work. This forum was started and built to address Internet Security from the perspective of encryption and identity.

As a side note, how do you feel about the lack of privacy for visitors of the W3C Incubator Community Group Charter URI? [3]

Given the flexibility and open-access provided, along with strong IP protections in place with the organizational support of the W3C, the WICG does seem like an excellent starting point for any specific problem statements and abstract proposals, as a natural evolution for long-standing collaborations and discussions within the Web security community. You can learn more about the process of making and evolving proposals with the WICG here<https://www.w3.org/blog/2015/07/wicg/>.

[PW] We could easily put together a small team of respected independent industry experts from various stakeholders to help manage the project.

[1] https://www.w3.org/2005/Incubator/
[2] https://www.w3.org/2005/Incubator/wcl/XGR-wcl-20070220/#appendix1
[3] http://wicg.github.io/admin/charter.html


- Paul

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191115/239b8dfc/attachment.html>

More information about the Servercert-wg mailing list