[Servercert-wg] Request for a Moratorium on New Certificate Consumer Members

Ben Wilson bwilson at mozilla.com
Wed Apr 5 16:30:16 UTC 2023


All,

I would like to request a moratorium on admitting new Certificate Consumer
members to the Server Certificate Working Group until we have updated the
criteria for membership of Certificate Consumers.

The basis for this request is that we are in the process of developing
better criteria for membership of Certificate Consumers. As noted during
Face-to-Face meeting #58, our current requirement of “produc[ing] a
software product intended for use by the general public for browsing the
Web securely” lacks sufficient detail. Here are a few things we are
considering that should be part of the membership criteria for Certificate
Consumers:

That the Applicant develops and maintains its own code;

That the Applicant maintains its own root store;

That the Applicant provides a browser for both mobile and desktop platforms;

That the Applicant patches and delivers automatic updates of its browser
software and root store;

That the Applicant has publicly disclosed and documented processes for its
users to report problems and to receive updates on the resolution of those
problems;

That the Applicant has an installed user base of at least one tenth of a
percent of all browsers in use globally (or some other comparable objective
measurement);

That the Applicant employs developers and infosec-trained professionals;

That the Applicant’s representatives regularly, consistently, and actively
participate in relevant standards bodies such as the W3C, IETF, WHATWG, and
OWASP;

That the Applicant and its representatives have never been sanctioned for
misconduct;

That the Applicant has a good history of compliance with industry
standards, including but not limited to HTML (https://platform.html5.org);
CSS (https://www.w3.org/TR/css-2023/); JavaScript, HTTPS/TLS, and the IETF
RFCs, such as RFC 5280;

That the Applicant’s browser passes at least certain percentages of various
test suites (Acid Tests, Test 262 and web-platform-tests);

That the Applicant has a published commitment to user security and privacy;
and

That the Applicant has actively participated in the CA/Browser Forum as a
non-voting Associate Member for at least one year.


Thanks,


Ben