[Servercert-wg] [EXTERNAL] Request for a Moratorium on New Certificate Consumer Members
Ben Wilson
bwilson at mozilla.com
Mon Apr 10 16:39:49 UTC 2023
I've set up a call for those interested in discussing this. It's on
Wednesday, 12-April-2023, at 1400 UTC.
I'll send out the dial-in/Zoom information separately for those interested.
Ben
On Thu, Apr 6, 2023 at 3:22 PM Ben Wilson <bwilson at mozilla.com> wrote:
> Hi Paul,
>
> These are all things that I would like to discuss with those of you who
> are interested in helping to work on the membership requirements for
> Certificate Consumers in the Server Certificate WG. Those of you who are
> interested, please send me email, and I'll set up a discussion.
>
> Thanks,
>
> Ben
>
>
>
> On Thu, Apr 6, 2023 at 2:44 AM Paul van Brouwershaven <
> Paul.vanBrouwershaven at entrust.com> wrote:
>
>> Hi Ben,
>>
>> Here are some intial questions on your proposal.
>>
>> > That the Applicant develops and maintains its own code;
>>
>> Can you explain what you mean with this, I suppose that this does not
>> mean that Microsoft can no longer be a Certificate Consumer as their
>> browser is based on Chromium? What would this say about the usage of
>> Open-Source code, etc.?
>>
>> > That the Applicant provides a browser for both mobile and desktop
>> platforms;
>>
>> Certificate Consumers are Application Software Suppliers, and these are
>> not limited to browsers. Why would a Certificate Consumer be required to
>> provide an application for both mobile and desktop platforms?
>>
>> > That the Applicant has an installed user base of at least one tenth of
>> a percent of all browsers in use globally (or some other comparable
>> objective measurement);
>>
>> This means that the CA/Browser Forum is excluding all browsers that would
>> like to enter the market until they have a sufficient user base, which
>> might take years for new browsers, or a browser might even choose to
>> operate in a niche market, for example in a specific demographic. While it
>> is not required to be a Certificate Consumer Member to operate a browser or
>> a root store, it feels like this is hindering new/niche browsers to
>> participate on an equal level.
>>
>> > That the Applicant and its representatives have never been sanctioned
>> for misconduct;
>>
>> Can you be more specific on "sanctioned for misconduct", for what and by
>> who? This would currently mean that an employee of a certificate consumer
>> would be sanctioned for life for any misconduct of any form, which can
>> be irrelevant for the CA/Browser forum, we probably should provide a path
>> to rehabilitation in the aftermath of misconduct in a way that recognizes
>> the humanity of those involved.
>>
>> > That the Applicant has actively participated in the CA/Browser Forum as
>> a non-voting Associate Member for at least one year.
>>
>> What is the purpose of this requirement, we don't have this requirement
>> for certificate issuers.
>>
>> Thanks,
>>
>> Paul
>>
>> ------------------------------
>> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
>> Ben Wilson via Servercert-wg <servercert-wg at cabforum.org>
>> *Sent:* Wednesday, April 5, 2023 18:30
>> *To:* CA/B Forum Server Certificate WG Public Discussion List <
>> servercert-wg at cabforum.org>
>> *Subject:* [EXTERNAL] [Servercert-wg] Request for a Moratorium on New
>> Certificate Consumer Members
>>
>> WARNING: This email originated outside of Entrust.
>> DO NOT CLICK links or attachments unless you trust the sender and know
>> the content is safe.
>> ------------------------------
>> All,
>>
>> I would like to request a moratorium on admitting new Certificate
>> Consumer members to the Server Certificate Working Group until we have
>> updated the criteria for membership of Certificate Consumers.
>>
>> The basis for this request is that we are in the process of developing
>> better criteria for membership of Certificate Consumers. As noted during
>> Face-to-Face meeting #58, our current requirement of “produc[ing] a
>> software product intended for use by the general public for browsing the
>> Web securely” lacks sufficient detail. Here are a few things we are
>> considering that should be part of the membership criteria for Certificate
>> Consumers:
>>
>> That the Applicant develops and maintains its own code;
>>
>> That the Applicant maintains its own root store;
>>
>> That the Applicant provides a browser for both mobile and desktop
>> platforms;
>>
>> That the Applicant patches and delivers automatic updates of its browser
>> software and root store;
>>
>> That the Applicant has publicly disclosed and documented processes for
>> its users to report problems and to receive updates on the resolution of
>> those problems;
>>
>> That the Applicant has an installed user base of at least one tenth of a
>> percent of all browsers in use globally (or some other comparable objective
>> measurement);
>>
>> That the Applicant employs developers and infosec-trained professionals;
>>
>> That the Applicant’s representatives regularly, consistently, and
>> actively participate in relevant standards bodies such as the W3C, IETF,
>> WHATWG, and OWASP;
>>
>> That the Applicant and its representatives have never been sanctioned for
>> misconduct;
>>
>> That the Applicant has a good history of compliance with industry
>> standards, including but not limited to HTML (https://platform.html5.org
>> <https://urldefense.com/v3/__https://platform.html5.org/__;!!FJ-Y8qCqXTj2!Ypa5WQHN2FbZUYE7Kjs1Lm1fL3oRd24UBjDyVngBxMiVnOxRmyqQtMzEv8h1TC7QxqctX2YlUpiW8WiW1vjLTb4ekfWZTPL5ytmb$>);
>> CSS (https://www.w3.org/TR/css-2023/
>> <https://urldefense.com/v3/__https://www.w3.org/TR/css-2023/__;!!FJ-Y8qCqXTj2!Ypa5WQHN2FbZUYE7Kjs1Lm1fL3oRd24UBjDyVngBxMiVnOxRmyqQtMzEv8h1TC7QxqctX2YlUpiW8WiW1vjLTb4ekfWZTE2pxyS5$>);
>> JavaScript, HTTPS/TLS, and the IETF RFCs, such as RFC 5280;
>>
>> That the Applicant’s browser passes at least certain percentages of
>> various test suites (Acid Tests, Test 262 and web-platform-tests);
>>
>> That the Applicant has a published commitment to user security and
>> privacy; and
>>
>> That the Applicant has actively participated in the CA/Browser Forum as a
>> non-voting Associate Member for at least one year.
>>
>>
>> Thanks,
>>
>>
>> Ben
>>
>>
>> *Any email and files/attachments transmitted with it are confidential and
>> are intended solely for the use of the individual or entity to whom they
>> are addressed. If this message has been sent to you in error, you must not
>> copy, distribute or disclose of the information it contains. Please notify
>> Entrust immediately and delete the message from your system.*
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230410/84f012bd/attachment-0001.html>
More information about the Servercert-wg
mailing list