[Servercert-wg] [EXTERNAL] Request for a Moratorium on New Certificate Consumer Members

Wed May 10 19:28:58 UTC 2023

Hello Ben,

Could you help me understand what is the initiator for this moratorium? What risk are we currently facing that will be mitigated by these detailed Certificate Consumers membership requirements?

Regards,
Curt

> On May 9, 2023, at 11:20 PM, Ben Wilson via Servercert-wg <servercert-wg at cabforum.org> wrote:
> 
> Here is a redlined version of the SCWG Charter with proposed new membership requirements for your review:
> 
>  <x-msg://35/goog_838507192>
> https://github.com/cabforum/forum/compare/d908a475e59e64fd9224e878864386ebc0b68808..cee99ea840388ad600ef38f4950beff7313defba
> 
> Ben
> 
> On Wed, May 10, 2023 at 7:45 AM Ben Wilson via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote:
>> Here is a draft ballot. I'm looking for one more endorser, preferably from a Certificate Issuer member.
>> 
>> Ballot SC-0XX:  Establish a Temporary Moratorium on New Certificate Consumer Memberships
>> 
>> Purpose of the Ballot
>> 
>> During discussions at Face-to-Face Meeting 58, it was noted that the membership criteria for Certificate Consumers in the Charter for the Server Certificate Working Group (SCWG) lacked sufficient detail. Since then, several members of the CA/Browser Forum have worked to develop better criteria for membership of Certificate Consumers in the SCWG. A moratorium is necessary to preserve the status quo and ensure impartiality while we re-evaluate and revise our membership criteria so that they are more clear, fair, and aligned with the goals of the Forum.
>> 
>> The following motion has been proposed by Ben Wilson of Mozilla and endorsed by Tobias Josefowitz of Opera and _____ of _____.
>> 
>> Motion Begins
>> 
>> Effective immediately, there is a temporary moratorium established on the acceptance of applications for membership as Certificate Consumer members in the Server Certificate Working Group. This moratorium will expire on XX, 2023, or prior to such date, upon publication of the Forum’s vote on a revised Charter for the Server Certificate Working Group.
>> 
>> During the moratorium, the Server Certificate Working Group will not accept or consider applications for membership as Certificate Consumers. Applications for other types of membership may be accepted and considered.
>> 
>> Motion Ends
>> 
>>  
>> This ballot does not propose a Final Guideline or Final Maintenance Guideline.  The procedure for approval of this ballot is as follows:
>> 
>> Discussion (7 days)
>> 
>>     Start Time: 2023-05-XX  xx:xx UTC
>> 
>>     End Time: Not before 2023-05-xx  xx:xx UTC
>> 
>>  
>> Vote for approval (7 days)
>> 
>>     Start Time: TBD
>> 
>>     End Time: TBD
>> 
>> 
>> 
>> 
>> On Mon, May 8, 2023 at 10:28 PM Ben Wilson <bwilson at mozilla.com <mailto:bwilson at mozilla.com>> wrote:
>>> All,
>>> 
>>> I reiterate my intent that we establish a moratorium on admitting new Certificate Consumer members  until we have updated the criteria for membership of Certificate Consumers. 
>>> 
>>> I think we've made good progress on refining a set of membership criteria, which I'll soon share, but the effort takes time. A moratorium will allow us to re-evaluate our criteria and revise them so that they are more clear, fair, and aligned with the goals of the Forum. 
>>> 
>>> I am looking for one more endorser so that I can propose a ballot that would formalize the moratorium.
>>> 
>>> Thanks,
>>> 
>>> Ben  
>>> 
>>> On Mon, Apr 10, 2023 at 6:39 PM Ben Wilson <bwilson at mozilla.com <mailto:bwilson at mozilla.com>> wrote:
>>>> I've set up a call for those interested in discussing this. It's on Wednesday, 12-April-2023, at 1400 UTC.
>>>> I'll send out the dial-in/Zoom information separately for those interested.
>>>> Ben
>>>> 
>>>> On Thu, Apr 6, 2023 at 3:22 PM Ben Wilson <bwilson at mozilla.com <mailto:bwilson at mozilla.com>> wrote:
>>>>> Hi Paul,
>>>>> These are all things that I would like to discuss with those of you who are interested in helping to work on the membership requirements for Certificate Consumers in the Server Certificate WG.  Those of you who are interested, please send me email, and I'll set up a discussion.
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> Ben
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Thu, Apr 6, 2023 at 2:44 AM Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com <mailto:Paul.vanBrouwershaven at entrust.com>> wrote:
>>>>>> Hi Ben,
>>>>>> 
>>>>>> Here are some intial questions on your proposal.
>>>>>> 
>>>>>> > That the Applicant develops and maintains its own code;
>>>>>> 
>>>>>> Can you explain what you mean with this, I suppose that this does not mean that Microsoft can no longer be a Certificate Consumer as their browser is based on Chromium? What would this say about the usage of Open-Source code, etc.?
>>>>>> 
>>>>>> > That the Applicant provides a browser for both mobile and desktop platforms;
>>>>>> 
>>>>>> Certificate Consumers are Application Software Suppliers, and these are not limited to browsers. Why would a Certificate Consumer be required to provide an application for both mobile and desktop platforms?
>>>>>> 
>>>>>> > That the Applicant has an installed user base of at least one tenth of a percent of all browsers in use globally (or some other comparable objective measurement);
>>>>>> 
>>>>>> This means that the CA/Browser Forum is excluding all browsers that would like to enter the market until they have a sufficient user base, which might take years for new browsers, or a browser might even choose to operate in a niche market, for example in a specific demographic. While it is not required to be a Certificate Consumer Member to operate a browser or a root store, it feels like this is hindering new/niche browsers to participate on an equal level.
>>>>>> 
>>>>>> > That the Applicant and its representatives have never been sanctioned for misconduct;
>>>>>> 
>>>>>> Can you be more specific on "sanctioned for misconduct", for what and by who? This would currently mean that an employee of a certificate consumer would be sanctioned for life for any misconduct of any form, which can be irrelevant for the CA/Browser forum, we probably should provide a path to rehabilitation in the aftermath of misconduct in a way that recognizes the humanity of those involved.
>>>>>> 
>>>>>> > That the Applicant has actively participated in the CA/Browser Forum as a non-voting Associate Member for at least one year.
>>>>>> 
>>>>>> What is the purpose of this requirement, we don't have this requirement for certificate issuers.
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Paul
>>>>>> 
>>>>>> From: Servercert-wg <servercert-wg-bounces at cabforum.org <mailto:servercert-wg-bounces at cabforum.org>> on behalf of Ben Wilson via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>>
>>>>>> Sent: Wednesday, April 5, 2023 18:30
>>>>>> To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>>
>>>>>> Subject: [EXTERNAL] [Servercert-wg] Request for a Moratorium on New Certificate Consumer Members
>>>>>>  
>>>>>> WARNING: This email originated outside of Entrust.
>>>>>> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
>>>>>> All,
>>>>>> 
>>>>>> I would like to request a
>>>>>>  moratorium on admitting new Certificate Consumer members to the Server Certificate Working Group until we have updated the criteria for membership of Certificate Consumers.
>>>>>> 
>>>>>> The
>>>>>>  basis for this request is that we are in the process of developing better criteria for membership of Certificate Consumers. As noted during Face-to-Face meeting #58, our current requirement of “produc[ing] a software product intended for use by the general
>>>>>>  public for browsing the Web securely” lacks sufficient detail. Here are a few things we are considering that should be part of the membership criteria for Certificate Consumers:
>>>>>> 
>>>>>> That
>>>>>>  the Applicant develops and maintains its own code;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant maintains its own root store;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant provides a browser for both mobile and desktop platforms;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant patches and delivers automatic updates of its browser software and root store;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant has publicly disclosed and documented processes for its users to report problems and to receive updates on the resolution of those problems;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant has an installed user base of at least one tenth of a percent of all browsers in use globally (or some other comparable objective measurement);
>>>>>> 
>>>>>> That
>>>>>>  the Applicant employs developers and infosec-trained professionals;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant’s representatives regularly, consistently, and actively participate in relevant standards bodies such as the W3C, IETF, WHATWG, and OWASP;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant and its representatives have never been sanctioned for misconduct;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant has a good history of compliance with industry standards, including but not limited to HTML (https://platform.html5.org <https://urldefense.com/v3/__https://platform.html5.org/__;!!FJ-Y8qCqXTj2!Ypa5WQHN2FbZUYE7Kjs1Lm1fL3oRd24UBjDyVngBxMiVnOxRmyqQtMzEv8h1TC7QxqctX2YlUpiW8WiW1vjLTb4ekfWZTPL5ytmb$>);
>>>>>>  CSS (https://www.w3.org/TR/css-2023/ <https://urldefense.com/v3/__https://www.w3.org/TR/css-2023/__;!!FJ-Y8qCqXTj2!Ypa5WQHN2FbZUYE7Kjs1Lm1fL3oRd24UBjDyVngBxMiVnOxRmyqQtMzEv8h1TC7QxqctX2YlUpiW8WiW1vjLTb4ekfWZTE2pxyS5$>);
>>>>>>  JavaScript, HTTPS/TLS, and the IETF RFCs, such as RFC 5280;
>>>>>> 
>>>>>> That
>>>>>>  the Applicant’s browser passes at least certain percentages of various test suites (Acid Tests, Test 262 and web-platform-tests);
>>>>>> 
>>>>>> That
>>>>>>  the Applicant has a published commitment to user security and privacy; and
>>>>>> 
>>>>>> That
>>>>>>  the Applicant has actively participated in the CA/Browser Forum as a non-voting Associate Member for at least one year.
>>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> 
>>>>>> Ben
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org>
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230510/f9bacf01/attachment-0001.html>