[cabfpub] Ballot 185 - Next steps

Ryan Sleevi sleevi at google.com
Fri Feb 24 17:48:54 UTC 2017


Hi Dimitris,

I don't think this is a productive line of discussion, but I've tried to
faithfully respond to explain why. I do not support the method you propose,
nor do I think it has any possibility of getting us the feedback we need to
make an informed decision. I'm sorry if that is unsatisfactory.

On Fri, Feb 24, 2017 at 1:35 AM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
wrote:

> Easy. CAs would send it to their Subscribers and Browsers to the Relying
> Parties (basically, using any publicity tool/method they see best).
>

> Having the same questionnaire for everyone mitigates/limits the bias
> issue. CAs, Browsers and Interested parties should participate
> (constructively) to produce a fair and balanced questionnaire.
>

As an employee of an academic institution, I'm sure you can appreciate that
meaningful research is not anywhere near as easy as you describe. You have
the modality of the questionnaire: For example, how is Chrome going to reach
out to its billions of users? Do we develop an in-app survey? Do we only
ask signed-in users?

How do you word the survey for over 63 languages? How do you account for
various levels of reading comprehension and understanding? Ensuring a
survey is not biased is not simply a matter of saying "Yeah, that looks
good to me".

I don't believe you intend it to be, and reducing it as you're doing here
vastly understates the challenges in designing even a 'basic' survey to
gather feedback. There's a reason it's a science.

I'm also not trying to suggest these are the _only_ issues - rather, these
are just a few issues you immediately run into that show that it's an
unrealistic simplification with a far greater timeline, or else simply a
feel-good exercise without the rigor necessary to make informed decisions.


> 2) How do you collect the results? If it goes through any member, they can
> easily skew results?
>
>
> Each member that decides to participate will bring in the results to the
> forum (through the public list I suppose). As for the second question, we
> need to start from somewhere. If we can't trust each other to provide
> un-skewed and honest results to a simple survey, then I think we have more
> serious problems to address than the validity time of certificates.
>

For the record, I've seen the surveys and customer notices for a number of
CAs, so I must unfortunately suggest that we already have more serious
problems to address than the validity time of certificates. I think this is
a repeated theme, which is why I'm insistent that CAs who have concerns
about this change, and how a browser like Chrome should roll it out,
provide clear and actionable feedback, as that is the easiest to validate
as honest and correct, and thus actionable.


> I believe this is not exactly our view, nobody is arguing that 13 months
> is not more secure than 39 or 27 months.
>

Quite a few members are. It's unclear, at this point, whether Phillip is
talking on behalf of Comodo or personally, but certainly, you can see a
number of responses that believe otherwise.

I appreciate your attempt to build a better understanding, and were there
years of opportunity here, we might consider doing proper research.
Similarly, I think the topic at hand is one which is useful to continue
thinking about and resolving - how do we, as a Forum, make informed
decisions given the effect on both site operators and relying parties,
while also recognizing the perverse incentives in the ecosystem for CAs
(who benefit from more liberal issuance policies, rather than restrictive)
and site operators (who personally benefit from less change and more
stability).

I'm hesitant to enter politics into the discussion, but the CA/Browser
Forum's work is fundamentally a question of politics and policies.
Approaching some of these decisions with a survey bent - whether
scientifically accurate or not - tends to gather responses about individual
incentives, while failing to consider the macroeconomic effect. The best
example I can think of for this is a thought experiment that was sent to
every Relying Party that asked "Would you like a million dollars?" - no
doubt, most participants, acting in their own self interest, will heartily
say yes. However, if we took that as the policy decision - all participants
should receive a million dollars - then we quickly get into the realm of
economics and the fact that the currency would instantly become so devalued
that those who received a million dollars will have far less than they
expected, and those who said no to the question will find that whatever
remaining currency they have will be so devalued that they'll likely be
paupers.

I do hope you might consider thinking about how the Forum can better inform
its decisions - and participation model - and we can continue exploring the
solution space for other problems. But again, I don't think it's possible
nor reasonable to do what you suggest, and perhaps you just haven't
realized the scope of the issues yet :)