[Servercert-wg] Ballot SC31 - Browser Alignment

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Jul 2 12:21:28 MST 2020

On 2020-07-02 9:44 PM, Ryan Sleevi wrote:
> On Thu, Jul 2, 2020 at 12:12 AM Dimitris Zacharopoulos (HARICA) 
> <dzacharo at harica.gr> wrote:
>     Your response to GlobalSign was written very elegantly but the
>     word "GlobalSign" was used 15 times in your response to Doug which
>     is indicative of putting a Member "on the spot".
> Would it have been better to say "the right honorable Gentleman"? At 
> some point, we need to discuss views that are being presented and 
> their merits. Our code of conduct is, in many ways, designed to 
> discourage attacks against individuals, the people we deal with on an 
> everyday basis, not the companies they represent. If our code of 
> conduct is to be extended to brand protection, which is what you are 
> suggesting and have suggested in the past, then this is deeply 
> misunderstanding what a Code of Conduct is for.
> What is the better way to represent an individual's views and 
> arguments? "You" is almost certainly seen as an attack on the 
> individual worth, and is problematic. The abstract idea is one worth 
> engaging in, but there still needs to be a reference to what the 
> framing of the argument is, and its surrounding assumptions and 
> logical consequences. Unless and until we have some better way to 
> express these abstractions, without the risk of personally impugning 
> the right honorable reputation of the gentleman from GlobalSign, then 
> to avoid the personal pronouns is to necessitate the proper nouns.

Putting a Member "on the spot" seems to be equally troubling as putting 
an individual because an individual IS representing a Member at that 
time and will feel offended and intimidated. We have had great 
conversations in the past by being a bit more abstract "a CA" or "CA 
foo", "CA bar". We've also had several conversations where examples 
involving several existing CAs were given (like you did by calling out 
several existing CAs at once). People seem to be ok with that.

>     Threatening to leave the Forum could be seen by some Members as
>     another form of intimidation.
> I am having trouble squaring this, especially with any basis with the 
> behaviour and intent of our Code of Conduct.

Some Members certainly do not want to see Google or you leaving the 
Forum so the risk of leaving may be seen as intimidating by these Members. 
Perhaps I did not express it accurately so I apologize and withdraw it.

> Respectfully, this seems like an abuse by the Chair of a Code of 
> Conduct, especially in the context of a thread which began by 
> suggesting that Root Programs should do nothing outside of the Forum, 
> followed by a suggestion that Root Programs should do all things 
> outside of the Forum. This is further deeply problematic with your 
> statement below.

I never said that Root Programs should do nothing outside of the Forum. 
I cannot speak for Members who did say that. My preference would be to 
try to resolve things in the Forum (this attempt happened via SC22 but 
failed), but this is far from saying Root Programs should not do 
anything outside the Forum. This is clearly different.

>     The CA/Browser Forum is a voluntary group
> Yet the very thread begins with a suggestion that it should be 
> involuntary (for browsers), and your invocation of the Code of Conduct 
> is to suggest that any rejection of that would be intimidation.
>     This is the Forum's added value and how this Forum works, without
>     preventing any Root Program setting its own rules and policies
>     independently, outside the Forum. These are the rules we all accepted.
> This is, frankly, a deeply troubling statement. I cannot help but 
> suggest it borderlines dishonest, in that the very proposal that 
> started this thread, and which was being discussed, was exactly such a 
> prohibition, as you can clearly read in 
> https://archive.cabforum.org/pipermail/servercert-wg/2020-June/001993.html 

I can't connect this with the prohibition you claim. Entrust made a 
statement about their desire not to see requirements included in SC31 
unless they are agreed in all Browser Root Programs, and then made a 
special reference to the 398 days validity period which did not pass in 
SC22. They even made a reference to Certificate Subscribers which was 
missing from most of these discussions. Overall, I didn't find a 
statement that discourages or prevents Root Programs from setting policy 
independently of the SCWG.

It is quite possible I overlooked something, so apologies in advance. 
Bottom line is that Browsers remain independent to make independent 
policy decisions via their Root Programs, this is reality and I think 
everyone accepts that. If these policies need to go into the BRs or 
other Guidelines, then they need to get consensus from both Voting 
Member categories.