[Servercert-wg] [EXTERNAL] Request for a Moratorium on New Certificate Consumer Members

Ben Wilson bwilson at mozilla.com
Mon May 8 20:28:14 UTC 2023


All,

I reiterate my intent that we establish a moratorium on admitting new
Certificate Consumer members until we have updated the criteria for
membership of Certificate Consumers.

I think we've made good progress on refining a set of membership criteria,
which I'll soon share, but the effort takes time. A moratorium will allow
us to re-evaluate our criteria and revise them so that they are more clear,
fair, and aligned with the goals of the Forum.

I am looking for one more endorser so that I can propose a ballot that
would formalize the moratorium.

Thanks,

Ben

On Mon, Apr 10, 2023 at 6:39 PM Ben Wilson <bwilson at mozilla.com> wrote:

> I've set up a call for those interested in discussing this. It's on
> Wednesday, 12-April-2023, at 1400 UTC.
> I'll send out the dial-in/Zoom information separately for those interested.
> Ben
>
> On Thu, Apr 6, 2023 at 3:22 PM Ben Wilson <bwilson at mozilla.com> wrote:
>
>> Hi Paul,
>>
>> These are all things that I would like to discuss with those of you who
>> are interested in helping to work on the membership requirements for
>> Certificate Consumers in the Server Certificate WG.  Those of you who
>> are interested, please send me email, and I'll set up a discussion.
>>
>> Thanks,
>>
>> Ben
>>
>>
>>
>> On Thu, Apr 6, 2023 at 2:44 AM Paul van Brouwershaven <
>> Paul.vanBrouwershaven at entrust.com> wrote:
>>
>>> Hi Ben,
>>>
>>> Here are some initial questions on your proposal.
>>>
>>> > That the Applicant develops and maintains its own code;
>>>
>>> Can you explain what you mean by this? I suppose that this does not
>>> mean that Microsoft can no longer be a Certificate Consumer, as their
>>> browser is based on Chromium? What would this say about the usage of
>>> open-source code, etc.?
>>>
>>> > That the Applicant provides a browser for both mobile and desktop
>>> platforms;
>>>
>>> Certificate Consumers are Application Software Suppliers, and these are
>>> not limited to browsers. Why would a Certificate Consumer be required to
>>> provide an application for both mobile and desktop platforms?
>>>
>>> > That the Applicant has an installed user base of at least one tenth of
>>> a percent of all browsers in use globally (or some other comparable
>>> objective measurement);
>>>
>>> This means that the CA/Browser Forum is excluding all browsers that
>>> would like to enter the market until they have a sufficient user base,
>>> which might take years for new browsers, or a browser might even choose to
>>> operate in a niche market, for example in a specific demographic. While it
>>> is not required to be a Certificate Consumer Member to operate a browser or
>>> a root store, it feels like this is hindering new/niche browsers to
>>> participate on an equal level.
>>>
>>> > That the Applicant and its representatives have never been sanctioned
>>> for misconduct;
>>>
>>> Can you be more specific on "sanctioned for misconduct", for what and by
>>> whom? This would currently mean that an employee of a certificate consumer
>>> would be sanctioned for life for any misconduct of any form, which can
>>> be irrelevant for the CA/Browser Forum. We probably should provide a path
>>> to rehabilitation in the aftermath of misconduct in a way that recognizes
>>> the humanity of those involved.
>>>
>>> > That the Applicant has actively participated in the CA/Browser Forum
>>> as a non-voting Associate Member for at least one year.
>>>
>>> What is the purpose of this requirement? We don't have this requirement
>>> for certificate issuers.
>>>
>>> Thanks,
>>>
>>> Paul
>>>
>>> ------------------------------
>>> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
>>> Ben Wilson via Servercert-wg <servercert-wg at cabforum.org>
>>> *Sent:* Wednesday, April 5, 2023 18:30
>>> *To:* CA/B Forum Server Certificate WG Public Discussion List <
>>> servercert-wg at cabforum.org>
>>> *Subject:* [EXTERNAL] [Servercert-wg] Request for a Moratorium on New
>>> Certificate Consumer Members
>>>
>>> ------------------------------
>>> All,
>>>
>>> I would like to request a moratorium on admitting new Certificate
>>> Consumer members to the Server Certificate Working Group until we have
>>> updated the criteria for membership of Certificate Consumers.
>>>
>>> The basis for this request is that we are in the process of developing
>>> better criteria for membership of Certificate Consumers. As noted during
>>> Face-to-Face meeting #58, our current requirement of “produc[ing] a
>>> software product intended for use by the general public for browsing the
>>> Web securely” lacks sufficient detail. Here are a few things we are
>>> considering that should be part of the membership criteria for Certificate
>>> Consumers:
>>>
>>> That the Applicant develops and maintains its own code;
>>>
>>> That the Applicant maintains its own root store;
>>>
>>> That the Applicant provides a browser for both mobile and desktop
>>> platforms;
>>>
>>> That the Applicant patches and delivers automatic updates of its browser
>>> software and root store;
>>>
>>> That the Applicant has publicly disclosed and documented processes for
>>> its users to report problems and to receive updates on the resolution of
>>> those problems;
>>>
>>> That the Applicant has an installed user base of at least one tenth of a
>>> percent of all browsers in use globally (or some other comparable objective
>>> measurement);
>>>
>>> That the Applicant employs developers and infosec-trained professionals;
>>>
>>> That the Applicant’s representatives regularly, consistently, and
>>> actively participate in relevant standards bodies such as the W3C, IETF,
>>> WHATWG, and OWASP;
>>>
>>> That the Applicant and its representatives have never been sanctioned
>>> for misconduct;
>>>
>>> That the Applicant has a good history of compliance with industry
>>> standards, including but not limited to HTML (https://platform.html5.org);
>>> CSS (https://www.w3.org/TR/css-2023/); JavaScript, HTTPS/TLS, and the
>>> IETF RFCs, such as RFC 5280;
>>>
>>> That the Applicant’s browser passes at least certain percentages of
>>> various test suites (Acid Tests, Test 262 and web-platform-tests);
>>>
>>> That the Applicant has a published commitment to user security and
>>> privacy; and
>>>
>>> That the Applicant has actively participated in the CA/Browser Forum as
>>> a non-voting Associate Member for at least one year.
>>>
>>>
>>> Thanks,
>>>
>>>
>>> Ben
>>>
>>