[Servercert-wg] [EXTERNAL] Request for a Moratorium on New Certificate Consumer Members

Ben Wilson bwilson at mozilla.com
Wed May 10 06:20:00 UTC 2023


Here is a redlined version of the SCWG Charter with proposed new membership
requirements for your review:

https://github.com/cabforum/forum/compare/d908a475e59e64fd9224e878864386ebc0b68808..cee99ea840388ad600ef38f4950beff7313defba

Ben

On Wed, May 10, 2023 at 7:45 AM Ben Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Here is a draft ballot. I'm looking for one more endorser, preferably from
> a Certificate Issuer member.
>
> *Ballot SC-0XX:  Establish a Temporary Moratorium on New Certificate
> Consumer Memberships*
>
> *Purpose of the Ballot*
>
> During discussions at Face-to-Face Meeting 58, it was noted that the
> membership criteria for Certificate Consumers in the Charter for the Server
> Certificate Working Group (SCWG) lacked sufficient detail. Since then,
> several members of the CA/Browser Forum have worked to develop better
> criteria for membership of Certificate Consumers in the SCWG. A moratorium
> is necessary to preserve the status quo and ensure impartiality while we
> re-evaluate and revise our membership criteria so that they are more clear,
> fair, and aligned with the goals of the Forum.
>
> The following motion has been proposed by Ben Wilson of Mozilla and
> endorsed by Tobias Josefowitz of Opera and _____ of _____.
>
> *Motion Begins*
>
> Effective immediately, there is a temporary moratorium established on the
> acceptance of applications for membership as Certificate Consumer members
> in the Server Certificate Working Group. This moratorium will expire on XX,
> 2023, or prior to such date, upon publication of the Forum’s vote on a
> revised Charter for the Server Certificate Working Group.
>
> During the moratorium, the Server Certificate Working Group will not
> accept or consider applications for membership as Certificate Consumers.
> Applications for other types of membership may be accepted and considered.
>
> *Motion Ends*
>
>
>
> This ballot does not propose a Final Guideline or Final Maintenance
> Guideline.  The procedure for approval of this ballot is as follows:
>
> Discussion (7 days)
>
>     Start Time: 2023-05-XX  xx:xx UTC
>
>     End Time: Not before 2023-05-xx  xx:xx UTC
>
>
>
> Vote for approval (7 days)
>
>     Start Time: TBD
>
>     End Time: TBD
>
>
>
> On Mon, May 8, 2023 at 10:28 PM Ben Wilson <bwilson at mozilla.com> wrote:
>
>> All,
>>
>> I reiterate my intent that we establish a moratorium on admitting new
>> Certificate Consumer members until we have updated the criteria for
>> membership of Certificate Consumers.
>>
>> I think we've made good progress on refining a set of membership
>> criteria, which I'll soon share, but the effort takes time. A moratorium
>> will allow us to re-evaluate our criteria and revise them so that they are
>> more clear, fair, and aligned with the goals of the Forum.
>>
>> I am looking for one more endorser so that I can propose a ballot that
>> would formalize the moratorium.
>>
>> Thanks,
>>
>> Ben
>>
>> On Mon, Apr 10, 2023 at 6:39 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>
>>> I've set up a call for those interested in discussing this. It's on
>>> Wednesday, 12-April-2023, at 1400 UTC.
>>> I'll send out the dial-in/Zoom information separately for those
>>> interested.
>>> Ben
>>>
>>> On Thu, Apr 6, 2023 at 3:22 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>>
>>>> Hi Paul,
>>>>
>>>> These are all things that I would like to discuss with those of you who
>>>> are interested in helping to work on the membership requirements for
>>>> Certificate Consumers in the Server Certificate WG.  Those of you who
>>>> are interested, please send me email, and I'll set up a discussion.
>>>>
>>>> Thanks,
>>>>
>>>> Ben
>>>>
>>>>
>>>>
>>>> On Thu, Apr 6, 2023 at 2:44 AM Paul van Brouwershaven <
>>>> Paul.vanBrouwershaven at entrust.com> wrote:
>>>>
>>>>> Hi Ben,
>>>>>
>>>>> Here are some initial questions on your proposal.
>>>>>
>>>>> > That the Applicant develops and maintains its own code;
>>>>>
>>>>> Can you explain what you mean with this, I suppose that this does not
>>>>> mean that Microsoft can no longer be a Certificate Consumer as their
>>>>> browser is based on Chromium? What would this say about the usage of
>>>>> Open-Source code, etc.?
>>>>>
>>>>> > That the Applicant provides a browser for both mobile and desktop
>>>>> platforms;
>>>>>
>>>>> Certificate Consumers are Application Software Suppliers, and these
>>>>> are not limited to browsers. Why would a Certificate Consumer be required
>>>>> to provide an application for both mobile and desktop platforms?
>>>>>
>>>>> > That the Applicant has an installed user base of at least one tenth
>>>>> of a percent of all browsers in use globally (or some other comparable
>>>>> objective measurement);
>>>>>
>>>>> This means that the CA/Browser Forum is excluding all browsers that
>>>>> would like to enter the market until they have a sufficient user base,
>>>>> which might take years for new browsers, or a browser might even choose to
>>>>> operate in a niche market, for example in a specific demographic. While it
>>>>> is not required to be a Certificate Consumer Member to operate a browser or
>>>>> a root store, it feels like this is hindering new/niche browsers to
>>>>> participate on an equal level.
>>>>>
>>>>> > That the Applicant and its representatives have never been
>>>>> sanctioned for misconduct;
>>>>>
>>>>> Can you be more specific on "sanctioned for misconduct", for what and
>>>>> by who? This would currently mean that an employee of a certificate
>>>>> consumer would be sanctioned for life for any misconduct of any form,
>>>>> which can be irrelevant for the CA/Browser forum, we probably should
>>>>> provide a path to rehabilitation in the aftermath of misconduct in a way
>>>>> that recognizes the humanity of those involved.
>>>>>
>>>>> > That the Applicant has actively participated in the CA/Browser Forum
>>>>> as a non-voting Associate Member for at least one year.
>>>>>
>>>>> What is the purpose of this requirement, we don't have this
>>>>> requirement for certificate issuers.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Paul
>>>>>
>>>>> ------------------------------
>>>>> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf
>>>>> of Ben Wilson via Servercert-wg <servercert-wg at cabforum.org>
>>>>> *Sent:* Wednesday, April 5, 2023 18:30
>>>>> *To:* CA/B Forum Server Certificate WG Public Discussion List <
>>>>> servercert-wg at cabforum.org>
>>>>> *Subject:* [EXTERNAL] [Servercert-wg] Request for a Moratorium on New
>>>>> Certificate Consumer Members
>>>>>
>>>>> ------------------------------
>>>>> All,
>>>>>
>>>>> I would like to request a moratorium on admitting new Certificate
>>>>> Consumer members to the Server Certificate Working Group until we have
>>>>> updated the criteria for membership of Certificate Consumers.
>>>>>
>>>>> The basis for this request is that we are in the process of developing
>>>>> better criteria for membership of Certificate Consumers. As noted during
>>>>> Face-to-Face meeting #58, our current requirement of “produc[ing] a
>>>>> software product intended for use by the general public for browsing the
>>>>> Web securely” lacks sufficient detail. Here are a few things we are
>>>>> considering that should be part of the membership criteria for Certificate
>>>>> Consumers:
>>>>>
>>>>> That the Applicant develops and maintains its own code;
>>>>>
>>>>> That the Applicant maintains its own root store;
>>>>>
>>>>> That the Applicant provides a browser for both mobile and desktop
>>>>> platforms;
>>>>>
>>>>> That the Applicant patches and delivers automatic updates of its
>>>>> browser software and root store;
>>>>>
>>>>> That the Applicant has publicly disclosed and documented processes for
>>>>> its users to report problems and to receive updates on the resolution of
>>>>> those problems;
>>>>>
>>>>> That the Applicant has an installed user base of at least one tenth of
>>>>> a percent of all browsers in use globally (or some other comparable
>>>>> objective measurement);
>>>>>
>>>>> That the Applicant employs developers and infosec-trained
>>>>> professionals;
>>>>>
>>>>> That the Applicant’s representatives regularly, consistently, and
>>>>> actively participate in relevant standards bodies such as the W3C, IETF,
>>>>> WHATWG, and OWASP;
>>>>>
>>>>> That the Applicant and its representatives have never been sanctioned
>>>>> for misconduct;
>>>>>
>>>>> That the Applicant has a good history of compliance with industry
>>>>> standards, including but not limited to HTML (https://platform.html5.org);
>>>>> CSS (https://www.w3.org/TR/css-2023/); JavaScript, HTTPS/TLS, and the
>>>>> IETF RFCs, such as RFC 5280;
>>>>>
>>>>> That the Applicant’s browser passes at least certain percentages of
>>>>> various test suites (Acid Tests, Test 262 and web-platform-tests);
>>>>>
>>>>> That the Applicant has a published commitment to user security and
>>>>> privacy; and
>>>>>
>>>>> That the Applicant has actively participated in the CA/Browser Forum
>>>>> as a non-voting Associate Member for at least one year.
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>>
>>>>> Ben
>>>>>
>>>>>
>>>>>