[cabfpub] Future changes in the WebPKI

Dean Coclin Dean_Coclin at symantec.com
Sat Feb 11 20:01:00 UTC 2017

I thought it might be prudent to point out for the clarity of the general public following these discussions, the reference to “ASSes” specifically means “Application Software Suppliers”.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Friday, February 10, 2017 4:04 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Ryan Sleevi <sleevi at google.com>
Subject: Re: [cabfpub] Future changes in the WebPKI

So, I absolutely agree that it can hopefully be useful to share where Browsers see the concerns are, and see the future of the ecosystem, I also want to highlight that sometimes, changes aren't part of that roadmap, because they're reactive to the ways in which CAs can and do fail the ecosystem, rather than proactive.

I highlight this to make clear that the roadmap during Meeting 40 might have to change by Meeting 41 in order to address the emergent insecurities and risks in the system. Of course, if no CA manages to misissue between those meetings, we're in a much better position.

And so I'm not exclusively singling out CAs, we ASSes are constantly learning new things, and finding some ideas on the roadmap don't work when deployed, or that tweaks are necessary. It's a fluid system, and we must be mindful of that fluidity.

Given that I think some members have made clear that they believe change should be measured in years, I agree, having a bit of vision mapping may hopefully dispel that myth and provide more progressive movement forward.

On Fri, Feb 10, 2017 at 12:58 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:
Agreed – I’d love to know where the browsers are/see themselves going. It’ll help us prepare users for changes better.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Friday, February 10, 2017 1:33 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: [cabfpub] Future changes in the WebPKI

On Feb 10, 2017, at 11:51 AM, Dean Coclin via Public <public at cabforum.org> wrote:

Building consensus in meetings is different than building consensus for a ballot. Discussions happen in meetings without concrete proposals, as was shown in the chart I posted earlier from the Zurich meeting. I can’t recall anyone coming out before this ballot seeking consensus for a 1 year validity effective in 4 months.  So yes, I do think that now that a formal proposal (ballot) has been issued, a serious attempt to build consensus should be undertaken. This will likely take more than 2 weeks of online back and forth. We have a F2F coming up in 40 days, giving folks time to reach out and get more input.  I do believe that everyone wants to improve security but as the scattering of input shows, this must be balanced with the user constituency needs which really haven’t been fully vetted for THIS particular proposal.

My impression is that several different browsers (or ASSes if you want) have visions/roadmaps for what they want from contracted CAs long term.  I don’t think these have been clearly shared with the Forum, probably because it would disclose product roadmaps.  This is why I suggested the quasi-anonymous futures topic at the next F2F, but I would even like it better if they could just come straight out and say “our ideal state is X, help us get there”.

