[Servercert-wg] Participation Proposal for Revised SCWG Charter
Ben Wilson
bwilson at mozilla.com
Tue Jul 25 15:39:46 UTC 2023
Thanks for your insights, Roman.
I'm not yet convinced that the attendance approach would not be effective.
Nevertheless, here are some other potential alternatives to discuss:
1 - require that a Certificate Consumer have a certain size userbase, or
alternatively, that they be a Root Store member of the Common CA Database
<https://www.ccadb.org/rootstores/how>, or
2 - require that a Certificate Consumer pay a membership fee to the
CA/Browser Forum.
Does anyone have any other ideas, proposals, or suggestions that we can
discuss?
The approaches listed above would be in addition to the following other
requirements already proposed:
The Certificate Consumer has public documentation stating that it requires
Certification Authorities to comply with the CA/Browser Forum’s Baseline
Requirements for the issuance and maintenance of TLS server certificates; its
membership-qualifying software product uses a list of CA certificates to
validate the chain of trust from a TLS certificate to a CA certificate in
such list; and it publishes how it decides to add or remove a CA
certificate from the root store used in its membership-qualifying software
product.
Thanks,
Ben
On Mon, Jul 24, 2023 at 10:48 PM Roman Fischer <roman.fischer at swisssign.com>
wrote:
> Dear Ben,
>
>
>
> As stated before, I’m against minimal attendance (or even participation –
> however you would measure that, numbers of words spoken or written?)
> requirements. I’ve seen in university, in private associations, politics…
> that this simply doesn’t solve the problem. I totally agree with Tim: It
> will create administrative overhead and not solve the problem.
>
>
>
> IMHO non-participants taking part in the democratic process (i.e. voting)
> is just something we have to accept and factor in. It’s one end of the
> extreme spectrum. There might be over-active participants that overwhelm
> the group by pushing their own agenda… If we have minimum participation
> requirements, then we maybe should also have maximum participation rules?
> 😉
>
>
>
> Rgds
> Roman
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Ben
> Wilson via Servercert-wg
> *Sent:* Montag, 24. Juli 2023 21:40
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] Participation Proposal for Revised SCWG
> Charter
>
>
>
> Tim,
>
> One problem we're trying to address is the potential for a great number of
> “submarine voters”. Such members may remain inactive for extended periods
> of time and then surface only to vote for or against something they
> suddenly are urged to support or oppose, without being aware of the
> issues. This will skew and damage the decision-making process.
>
> Another problem, that I don't think has been mentioned before, is the
> reliability of the CA/Browser Forum to adopt well-informed standards going
> forward. In other words, if something like I suggest happens, then I can
> see Certificate Consumers leaving the Forum and unilaterally setting very
> separate and distinct rules. This will result in fragmentation,
> inconsistency, and much more management overhead for CAs than the effort
> needed to keep track of attendance, which is already being done by the
> Forum. (If you'd like, I can share with everyone the list of members who
> have not voted or attended meetings in over two years.)
>
> Ben
>
>
>
> On Mon, Jul 24, 2023 at 11:41 AM Tim Hollebeek <tim.hollebeek at digicert.com>
> wrote:
>
> What is your argument in response to the point that any potential bad
> actors will be trivially able to satisfy the participation metrics?
>
>
>
> I’m very worried we’ll end up doing a lot of management and tracking work,
> without actually solving the problem.
>
>
>
> -Tim
>
>
>
> *From:* Ben Wilson <bwilson at mozilla.com>
> *Sent:* Monday, July 24, 2023 10:21 AM
> *To:* Ben Wilson <bwilson at mozilla.com>; CA/B Forum Server Certificate WG
> Public Discussion List <servercert-wg at cabforum.org>
> *Cc:* Tim Hollebeek <tim.hollebeek at digicert.com>
> *Subject:* Re: [Servercert-wg] Participation Proposal for Revised SCWG
> Charter
>
>
>
> All,
>
> I have thought a lot about this, including various other formulas (e.g.
> market share) to come up with something reasonable, but I've come back to
> attendance as the key metric that we need to focus on. I just think that an
> attendance metric provides the only workable, measurable, and sound
> solution for determining the right to vote as a Certificate Consumer
> because it offers the following three elements:
>
> - Informed Decision-Making: Voting requires a comprehensive
> understanding of ongoing discussions and developments. Regular attendance
> provides members with the necessary context and knowledge to make
> well-informed decisions.
> - Commitment: Attendance is a tangible and measurable representation
> of a member's commitment to the Server Certificate WG and its objectives.
> It demonstrates a genuine interest in contributing to the development and
> improvement of the requirements.
> - Active Involvement: By prioritizing attendance, we encourage active
> involvement and discourage passive membership. Voting rights should be
> earned through consistent engagement, as this ensures that decisions are
> made by those who are genuinely invested in the outcomes.
>
> At this point, I'm going to re-draft a proposal for a revision to the
> Server Certificate WG Charter and present it on the public list (because an
> eventual revision of the Charter will have to take place at the Forum
> level).
>
> Thanks,
>
> Ben
>
>
>
> On Thu, Jul 13, 2023 at 9:45 AM Ben Wilson via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> Thanks, Tim.
>
>
>
> All,
>
>
>
> I will look closer at the distribution and use of software for browsing
> the internet securely, instead of participation metrics. There is at least
> one source, StatCounter (https://gs.statcounter.com/browser-market-share),
> that purports to measure use of browsing software, both globally and
> regionally. Would it be worthwhile to explore distribution by region and
> come up with a reasonable threshold? Can we rely on StatCounter, or should
> we look elsewhere?
>
>
>
> Thanks,
>
>
>
> Ben
>
>
>
> On Wed, Jul 12, 2023 at 9:30 AM Tim Hollebeek via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> I have a meaningful comment.
>
>
>
> I don’t want to ever have to discuss or judge whether someone’s comment is
> “meaningful” or not, and I don’t think incentivizing people to post more
> comments than they otherwise would is helpful.
>
>
>
> I also think getting the chairs involved in any way in discussing whether
> a member representative did or did not have a medical condition during a
> particular time period is an extremely bad idea.
>
>
>
> Given that the original issue was trying to determine whether a
> certificate consumer is in fact a legitimate player in the ecosystem or
> not, I would suggest that exploring metrics like market share might be far
> more useful. Metrics like participation are rather intrusive and onerous,
> except to those who are trying to game them, and those trying to game such
> metrics will succeed with little or no effort.
>
>
>
> -Tim
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Roman
> Fischer via Servercert-wg
> *Sent:* Wednesday, July 12, 2023 7:23 AM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] Participation Proposal for Revised SCWG
> Charter
>
>
>
> Dear Ben,
>
>
>
> Mandatory participation has in my experience never resulted in more or
> better discussions. People will dial into the telco and let it run in the
> background to “earn the credits”.
>
>
>
> Also, what would happen after the 90 day suspension? Would the
> organization be removed as a CA/B member?
>
>
>
> Rgds
> Roman
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Ben
> Wilson via Servercert-wg
> *Sent:* Freitag, 7. Juli 2023 21:59
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* [Servercert-wg] Participation Proposal for Revised SCWG Charter
>
>
>
> All,
>
>
>
> Here is a draft participation proposal for the SCWG to consider and
> discuss for inclusion in a revised SCWG Charter.
>
>
>
> #. Participation Requirements to Maintain Voting Privileges
>
>
>
> (a) Attendance. The privilege to vote “Yes” or “No” on ballots is
> suspended for 90 days if a Voting Member fails to meet the following
> attendance requirement over any 365-day period:
>
> - 10% of SCWG meetings for Voting Members located in time zones offset
> by UTC +5 through UTC +12
> - 30% of SCWG meetings for Voting Members located in all other time
> zones
>
> (b) Meaningful Comments. Posting a Meaningful Comment is an alternative
> means of meeting the attendance requirement in subsection (a). A Voting
> Member can earn an attendance credit to make up for each missed meeting by
> posting a Meaningful Comment to the SCWG Public Mail List. Each Meaningful
> Comment is equal to attending one (1) meeting.
>
>
>
> A Meaningful Comment is one that follows the Code of Conduct and provides
> relevant information to the SCWG, such as new information, an insight,
> suggestion, or perspective related to the Scope of the SCWG, or that
> proposes an improvement to the TLS Baseline Requirements or EV Guidelines.
> It can also be something that responds to or builds on the comments of
> others in a meaningful way, or that offers feedback, suggestions, or
> solutions to the issues or challenges raised by the topic of discussion.
>
>
>
> A Meaningful Comment should be both relevant (within the Scope of the
> SCWG or related to the discussion that is taking place on the mailing
> list) and well-supported (clear reasons why the Voting Representative
> believes what they believe and supported by facts, data, or other
> information.)
>
>
>
> (c) A Voting Member that has failed to meet the attendance requirement in
> subsection (a) above is considered an "Inactive Member". Any Member who
> believes that any other Member is an Inactive Member may report that Member
> on the Forum's Management List by providing specific information about that
> Member's non-participation, and the SCWG Chair shall send written notice
> to the Inactive Member by email within seven (7) calendar days. The notice
> will include a reminder of the requirement to participate and inform the
> Inactive Member of the consequences of not participating.
>
>
>
> (d) Suspension of Voting Privileges. The Inactive Member's privilege to
> vote “Yes” or “No” on any ballot shall be temporarily suspended for a
> period of 90 days from the date of the notice. During the suspension
> period, the Inactive Member may vote “Abstain” on ballots.
>
>
>
> (e) Restoration of Voting Privilege. Voting privileges will be
> automatically restored to the Inactive Member upon attending three
> consecutive meetings. The restoration of voting privileges will be
> effective on the next ballot that enters the voting period after the
> Inactive Member meets the reactivation criteria.
>
>
>
> (f) Exceptional Circumstances. In cases where an Inactive Member can
> demonstrate justifiable reasons for their inability to participate, such as
> medical conditions or other extenuating circumstances affecting their
> Voting Representative(s), the SCWG Chair may review and consider
> reinstating voting privileges on a case-by-case basis.
>
>
>
> Thanks,
>
>
>
> Ben
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
>
>