[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Dean Coclin Dean_Coclin at symantec.com
Fri Feb 10 19:51:33 UTC 2017

Building consensus in meetings is different than building consensus for a ballot. Discussions happen in meetings without concrete proposals, as was shown in the chart I posted earlier from the Zurich meeting. I can’t recall anyone coming out before this ballot seeking consensus for a 1 year validity effective in 4 months.  So yes, I do think that now that a formal proposal (ballot) has been issued, a serious attempt to build consensus should be undertaken. This will likely take more than 2 weeks of online back and forth. We have a F2F coming up in 40 days, giving folks time to reach out and get more input.  I do believe that everyone wants to improve security but as the scattering of input shows, this must be balanced with the user constituency needs which really haven’t been fully vetted for THIS particular proposal. You’re right, I’m not saying we can reach consensus on this ballot but perhaps an alternative compromise can be reached which balances the needs of all constituencies.

Regarding the motive, all I’m saying is that there is no consensus, therefore, it seems a ballot failure is a foregone conclusion and you must know that, but you want it to go forward anyway.  Call me crazy?

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, February 10, 2017 1:12 PM
To: Dean Coclin <Dean_Coclin at symantec.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Eric Mill <eric at konklone.com>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

On Fri, Feb 10, 2017 at 10:03 AM, Dean Coclin <Dean_Coclin at symantec.com<mailto:Dean_Coclin at symantec.com>> wrote:
We’ve always allowed minor changes in ballots after being proposed and this would fall into that category.

However, I strongly believe time spent gathering consensus would be of value. I disagree that the forum is not a consensus driven organization. Sure there have been disagreements on some issues in the past but for the most part, ballots pass with a large percentage voting yes. Consensus has been a goal since the first meeting in NYC. It seems there is an ulterior motive at play in rushing this to a vote.

Can you perhaps expand on your belief of an ulterior motive? That suggests a bad faith attempt, and it would be helpful to understand that accusation or confusion, so it can be addressed.

Given the three years of attempts to build consensus on this matter, do you believe that we're likely to achieve consensus with an additional week or month of deliberation?

For example, do you believe that new information has been shared by the Browser members that hasn't been clear for years, such as Gerv's arguments in https://cabforum.org/pipermail/public/2013-November/002493.html<https://clicktime.symantec.com/a/1/kHyfVNLdHrVzICacNRs7YQhFl-tns0pP1OdK7JkyjZY=?d=F5L_7thI-b0RnB4A_J8k-e5GiG1kwRSD7qnjjCY4hvLE7fBnWy4OGG3PoYk5ccUwBBkx8jK7Ox00Vz78GIrFAZxo_p9Ekc-zDM1awxSsGNNyWgrV2qhGFQtNt7PBev48KfJeEbXFmPnpXmCXkv5A2BMijIy83BbPS_r7phLYEfkyrB4yeuftVljoaUb3M5xViy6RqPtVbafTs_8EjuIfdcAmjBqxDVJ4gnijiESVcJgx_IQ2wjbugu9vbLsJQJ8BZVG5yVQHjWp42md9kUEO4yXEi7U-GaBJcp9BwJT-bg6z_fuWM0p1fQI1-PLk3-kwu01bnlgvzKDdyJjaBPQR_30UmlQaExMo0hz179Ld9lSL6ROaqTgzeswd677HQQyCZsve-iOrPeE7mNxRI7zCfmTdliXIqmIxl2tk39ZCV4y5d8wCRV4cVztIG2MAWSk4HYKMkWz5aj6jwXXw&u=https%3A%2F%2Fcabforum.org%2Fpipermail%2Fpublic%2F2013-November%2F002493.html> , which I've simply repeated here.

Alternatively, do you believe that an additional week or month of time is necessary for CAs to provide new data, given that they've already had years to do so, but have not?

I highlight this to suggest that the issue is one which, despite years of trying, we've not been able to drive consensus towards. At this point, most appropriate for the broader community, is to understand what those challenges are, and who specifically is objecting to improving security. It's also useful to understand whether or not there is consensus among browsers that this is a necessary and required step to ensure the security of their users when interacting online.

I simply highlighted that the end state is that Root Stores / Application Software Suppliers need to take the steps to protect their users. Ideally, ASSes such as myself can help CAs understand our concerns and desires, and the risks and challenges, and find a solution that the community can reach. However, when CAs ignore the concerns of ASSes such as myself, or do not take them seriously, it sometimes requires taking the role of being an ASS serious, and taking the steps directly as part of program policy and implementation.

Such is the nature of the ecosystem - as much as we all try to ensure we're a community pushing forward, sometimes we get stalled on a roadblock, and we unfortunately have to let CAs be CAs and ASSes be ASSes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170210/4b3a12df/attachment-0003.html>

More information about the Public mailing list