[cabfpub] Ballot 185 - Next steps

Dimitris Zacharopoulos jimmy at it.auth.gr
Fri Feb 24 06:41:26 UTC 2017

On 24/2/2017 4:39 AM, Ryan Sleevi via Public wrote:
> For OATI and Harica, I appreciate and value the thoughtful 
> contributions and suggestions you made. For OATI, my hope is that we 
> can meaningfully address your concerns by addressing and clarifying 
> the scope of the Baseline Requirements, and that by better 
> understanding the concerns with client certificates, we can remedy 
> them and see your future support for a new ballot. For Harica, I 
> appreciate your suggestion of waiting for more feedback. 
> Unfortunately, I believe that given the three years of discussion this 
> matter has taken, it's unlikely that this will be actionable. Further, 
> given the above explanation of concerns, I do believe it may 
> misunderstand or undervalue the concern that some browsers may feel 
> about accurately representing a view of security and stability to end 
> users / relying parties, by over-valuing the concerns of site operators.

If it wasn't clear from our reply to the voting question, HARICA 
disagrees with the 1-year validity of certificates and suggested 27 
months, as it exists for Google's S/MIME policy. We believe that 1-year 
certificates will have high cost and very small security gain. 2-year 
certificates bring a better balance for cost vs security. We can always 
ask for more security but every time we need to ask ourselves at what 
cost (in terms of money, effort and inconvenience).

As for the feedback, I didn't see any attempts from the CA/B Forum to 
organize something specific about this topic in order to get more 
feedback. Yes, we've been discussing it for three years but nobody did 
anything about it. I understand that each CA could create a 
questionnaire and send it to its customers, and browsers could have 
public polls, etc. However, as we all know, in such surveys the way 
questions are formulated might "lead" people to specific answers. Even 
if that were the case, and CAs/Browsers had independent surveys, it would 
be very hard to compare the results. This is why we proposed agreeing on 
a "CA/B Forum questionnaire", rolling it out in, say, a month, waiting 2 
months (or even less) for feedback and evaluating the results. Is anyone 
opposed to this?


