[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Ryan Sleevi sleevi at google.com
Fri Feb 10 18:12:00 UTC 2017


On Fri, Feb 10, 2017 at 10:03 AM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> We’ve always allowed minor changes in ballots after being proposed and
> this would fall into that category.
>
> However, I strongly believe time spent gathering consensus *would* be of
> value. I disagree that the forum is not a consensus driven organization.
> Sure there have been disagreements on some issues in the past but for the
> most part, ballots pass with a large percentage voting yes. Consensus has
> been a goal since the first meeting in NYC. It seems there is an ulterior
> motive at play in rushing this to a vote.
>

Can you perhaps expand on your belief of an ulterior motive? That suggests
a bad faith attempt, and it would be helpful to understand that accusation
or confusion, so it can be addressed.

Given the three years of attempts to build consensus on this matter, do you
believe that we're likely to achieve consensus with an additional week or
month of deliberation?

For example, do you believe that new information has been shared by the
Browser members that hasn't been clear for years, such as Gerv's arguments
in https://cabforum.org/pipermail/public/2013-November/002493.html , which
I've simply repeated here?

Alternatively, do you believe that an additional week or month of time is
necessary for CAs to provide new data, given that they've already had years
to do so, but have not?

I highlight this to suggest that the issue is one which, despite years of
trying, we've not been able to drive consensus towards. At this point, what is
most appropriate for the broader community is to understand what those
challenges are, and who specifically is objecting to improving security.
It's also useful to understand whether or not there is consensus among
browsers that this is a necessary and required step to ensure the security
of their users when interacting online.

I simply highlighted that the end state is that Root Stores / Application
Software Suppliers need to take the steps to protect their users. Ideally,
ASSes such as myself can help CAs understand our concerns and desires, and
the risks and challenges, and find a solution that the community can reach.
However, when CAs ignore the concerns of ASSes such as myself, or do not
take them seriously, it sometimes requires taking the role of being an ASS
seriously, and taking the steps directly as part of program policy and
implementation.

Such is the nature of the ecosystem - as much as we all try to ensure we're
a community pushing forward, sometimes we get stalled on a roadblock, and
we unfortunately have to let CAs be CAs and ASSes be ASSes.