[Servercert-wg] CANCEL Notice of Review Period – Ballot SC35

Ryan Sleevi sleevi at google.com
Wed Sep 16 10:52:03 MST 2020


On Wed, Sep 16, 2020 at 1:30 PM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

> You seem to be conflating my role, as Chair, with HARICA and how HARICA
> evaluates changes in ballots.
>

No, I'm trying to call out that you may be assuming that how HARICA
evaluates Ballots is how everyone evaluates Ballots. This is most obvious
in your follow-up, which is why I'm calling out the concern. How HARICA
does things should not necessarily influence how the Chair does things, and
that's the disconnect I'm trying to call out, because we have evidence that
it's not happening as described.


> I'd like to start off by clarifying that each Member (HARICA as one of the
> voting Members) reviews each ballot independently and votes after
> evaluating the changes of each individual ballot. When a ballot passes,
> this means that each Member must prepare for the changes to be effective as
> soon as the IPR period is over. This has nothing to do with having 2-3
> ballots being added in a single new version of the new Guideline, because
> the Member has already been aware of the upcoming changes because of the
> already voted ballot. This is my personal understanding of the situation,
> and I would even say that it's common sense.
>

There are several important flaws here in this assumption.

One, not every CA that makes use of the Baseline Requirements is a Member
of the Forum. So, at the outset, the process you describe doesn't apply to
them; they logically only see the final result.
Two, not every CA that participates as a Member of the Forum votes on the
Ballots, or even necessarily reviews. We've seen several CAs specifically
call out that the volume of activity in the Forum, versus their current
staffing availability, is often inadequate. As such, they only review the
final product, and otherwise abstain or don't participate in Ballots.
Three, everything you describe, in terms of individual Ballot review, is
precisely the property we're trying to make sure is preserved through the
IP review. The IP review, by aggregating, forces CAs that want to follow
the process you described to then go through the individual Ballots to
achieve the same end result.

At the core, the assumption here is that everyone is following at the time
of Balloting, and everyone knows how to obtain and review the individual
Ballots in isolation, from engineering, to compliance, to legal, but that's
not a fair assumption, and that's not how it's working out in practice.


> As the Chair, to the best of my ability I interpret the Bylaws, and with
> the help of the Vice Chairs (who have worked with me as officers for almost
> two years) I am ultimately responsible for producing the necessary
> documents and all other activities according to the Bylaws. Aggregating
> ballots into a single version of a Guideline is not prohibited; it has been
> used several times already, yet you found an opportunity to attack me
> personally and imply things about HARICA that are totally irrelevant to
> this issue.
>

I didn't imply things about HARICA. I pointed out how you're generalizing
HARICA's approach here and assuming it's the general workmode of everyone
affected by the Forum, while we have repeated evidence that this is not the
case. The most recent aggregation has led to a compliance incident, for a
Member of the Forum, who voted on a Ballot. While that is just one example,
and we're still gathering details, an obvious systemic issue here is that the
recent trend to aggregation makes it more difficult, and more work, for CAs
to ensure compliance, rather than less. The incredibly relevant context of
Ballots is lost through the aggregation.

As it applies to the legal risks that we spent two years trying to address,
it reintroduces the problems we've tried to address multiple times in the
Forum, from the introduction of the requirement to produce Final Guidelines
with Ballots, the shift to version-managed documents, and the adoption of
our updated Bylaws and IP policy. I wholly understand this was made in
good-faith as an attempt to reduce the time involved from being a Chair,
but it's had disastrous consequences, and leaves the door open for even
greater risks. It bears calling out precisely because we're seeing already
that the approach does not work. I started off by trying to understand the
problems you're trying to solve, so we can work and prioritize reasonable
alternative solutions for them, but the fact that there's a fundamental
misunderstanding about the problems being caused has taken the conversation
in a very different direction.

I realize you've provided further context, but my hope is that by laying
out the fundamentally wrong assumptions above, which your further replies
build on, we can make progress here in understanding why "Everyone already
reviewed the Ballot, what's the harm" is a deeply flawed assumption that
permeates the subsequent decision making.