Thanks, Martijn and Aaron, Aaron, I don't think I can add a CT-support requirement for Certificate Consumers at this time, although we can take the issue up for further conversation.
Martijn, So that the duration of the probationary period is kept to six months, it might be better to eliminate the F2F attendance requirement. If we keep it, then a probationary member might have to wait until the next F2F (but certainly not a year). How do people feel about this? Also, I have received feedback regarding whether a Certificate Consumer should be required to "maintain" a full list of CAs. (I think I didn't have the term "maintain" in the GitHub draft of the charter, so I'm thinking that we might eliminate the term from the proposal.) Similarly, I'm concerned that a requirement to publish "how a CA can apply for inclusion in its root store" might make it less likely for a ballot to pass. So, instead of "maintaining" a (full) list, what if we left it just, "(4) its membership-qualifying software product uses a list of CA certificates to validate the chain of trust from a TLS certificate to a CA certificate in such list"? What are everyone's thoughts on this? Thanks, Ben On Thu, Sep 14, 2023 at 9:23 AM Aaron Gable <aa...@letsencrypt.org> wrote: > Hi all, > > I have a very different proposal for a Certificate Consumer membership > criterion. I have no objection to any of the currently-proposed criteria; > this could easily be in addition to them. What if we added: > > > (c) Applicants that qualify as Certificate Consumers must supply the > following additional information: > > - URL for its list of CA certificates that its membership-qualifying > software product uses to validate the chain of trust from a TLS certificate > to a CA certificate in such list; and > > *- URL for the Certificate Transparency log which it operates within > <uptime and latency constraints> and which accepts all submissions for TLS > certificates which chain up to any CA certificate in the list above*; and > > Frankly, the Certificate Transparency ecosystem is in peril at the moment. > With the recent shutdown of Sectigo's Mammoth > <https://groups.google.com/a/chromium.org/g/ct-policy/c/Ebj2hhe5QYA/m/Cl7IW33UAgAJ> > log and retirement of DigiCert's Yeti > <https://groups.google.com/a/chromium.org/g/ct-policy/c/PVbs0ZMVeCI/m/Hf8kwuuAAQAJ> > and Nessie > <https://groups.google.com/a/chromium.org/g/ct-policy/c/MXLJFHdHdFo> > logs, the already-tiny handful of organizations > <https://googlechrome.github.io/CertificateTransparency/log_list.html> > operating > usable CT logs is feeling even smaller. So what if Certificate Consumers -- > the organizations which benefit most from a diverse and robust ecosystem of > CT logs -- were required to bring their own to the table? Running a CT log > is clearly non-trivial, so such a requirement would effectively demonstrate > that potential Certificate Consumer members are serious about operating for > the good of the ecosystem in the long term. > > Thanks, > Aaron > > On Fri, Sep 1, 2023 at 1:42 AM Martijn Katerbarg via Servercert-wg < > servercert-wg@cabforum.org> wrote: > >> Ben, >> >> >> >> This seems like a good option. I’d say maybe we need to increase the 6 >> months period to 12, otherwise within a 6 months period there may only be 1 >> F2F. Requiring attendance (remote or in-person) if there’s only 1 F2F in >> the time-span, could be hard if there’s a case of bad timing. >> >> >> >> Additionally, I’d like to request the addition of an additional criteria >> (although it’s related to the “publish how it decides to add or remove a CA >> certificate from its list.” item. I’d like to request we add a requirement >> to: >> >> >> >> - Publish how a CA can apply for inclusion in its root store >> >> >> >> With this addition, I’d be happy to endorse >> >> >> >> Regards, >> >> Martijn >> >> >> >> *From:* Servercert-wg <servercert-wg-boun...@cabforum.org> *On Behalf Of >> *Ben Wilson via Servercert-wg >> *Sent:* Thursday, 31 August 2023 00:50 >> *To:* CA/B Forum Server Certificate WG Public Discussion List < >> servercert-wg@cabforum.org> >> *Subject:* [Servercert-wg] Proposed Revision of SCWG Charter >> >> >> >> CAUTION: This email originated from outside of the organization. Do not >> click links or open attachments unless you recognize the sender and know >> the content is safe. >> >> >> >> All, >> >> >> >> Thanks for your suggestions and recommendations. I think we are much >> closer to an acceptable revision of the Server Certificate Working Group >> Charter. Here is the current draft: >> https://github.com/cabforum/forum/blob/BenWilson-SCWG-charter-1.3/SCWG-charter.md >> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fforum%2Fblob%2FBenWilson-SCWG-charter-1.3%2FSCWG-charter.md&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C8b9a53bc77c6445114a808dba9ab7821%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638290326178847047%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=v5YGnqCdwBXA4fa4h%2FMaUTSLaGOOXxUdcP5mwUYbRRA%3D&reserved=0> >> >> >> >> We have decided that a participation/attendance requirement for ongoing >> membership is currently too complicated to manage, but we believe it is >> important that there be a probationary period of six months during which >> all new CABF-voting applicants must attend at least 30% of the >> teleconferences and at least the SCWG portion of one F2F (virtually or >> in-person). See section 4(d) in the draft cited above. We believe that with >> this limited scope, we can and should measure attendance to ensure that >> prospective members are serious about participating in the Forum. >> >> >> >> We no longer seek to require that a Certificate Consumer have any >> particular size or user base (or that they meet other criteria that were >> floated in recent emails). Those criteria were also currently too >> complicated. However, in addition to those Certificate Consumer >> requirements that are in the existing charter, we want a Certificate >> Consumer to: >> >> - have public documentation stating that it requires Certificate >> Issuers to comply with the TLS Baseline Requirements; >> - maintain a list of CA certificates used to validate the chain of >> trust from a TLS certificate to a CA certificate in such list; and >> - publish how it decides to add or remove a CA certificate from its >> list. >> >> I am looking for two endorsers of a FORUM ballot, so if the >> above-referenced draft is generally acceptable, please contact me, and we >> can work out any remaining details. >> >> >> >> Thanks, >> >> >> >> Ben >> >> >> >> >> >> On Tue, Jul 25, 2023 at 11:07 PM Roman Fischer via Servercert-wg < >> servercert-wg@cabforum.org> wrote: >> >> Dear Ben, >> >> >> >> I like your two new suggestions as they offer more lightweight mechanisms. >> >> >> >> One other idea (completely ad hoc and not really thought through) would >> be to change the charter to allow suspension of members from the SCWG by >> ballot. That way a ballot could be proposed, discussed, endorsed and voted >> on. And since the state of “suspended membership” is well defined >> (including the way back to full membership), this might offer the “accused” >> member enough possibility to counter the “allegations” made in the ballot. >> It would also make transparent who wants to suspend whom for what reasons… >> >> >> >> Kind regards >> Roman >> >> >> >> *From:* Ben Wilson <bwil...@mozilla.com> >> *Sent:* Dienstag, 25. Juli 2023 17:40 >> *To:* Roman Fischer <roman.fisc...@swisssign.com> >> *Cc:* CA/B Forum Server Certificate WG Public Discussion List < >> servercert-wg@cabforum.org> >> *Subject:* Re: [Servercert-wg] Participation Proposal for Revised SCWG >> Charter >> >> >> >> Thanks for your insights, Roman. >> >> >> >> I'm not yet convinced that the attendance approach would not be >> effective. Nevertheless, here are some other potential alternatives to >> discuss: >> >> >> >> 1 - require that a Certificate Consumer have a certain size userbase, or >> alternatively, that they be a Root Store member of the Common CA Database >> <https://www.ccadb.org/rootstores/how>, or >> >> 2 - require that a Certificate Consumer pay a membership fee to the >> CA/Browser Forum. >> >> >> >> Does anyone have any other ideas, proposals, or suggestions that we can >> discuss? >> >> >> >> The approaches listed above would be in addition to the following other >> requirements already proposed: >> >> >> >> The Certificate Consumer has public documentation stating that it >> requires Certification Authorities to comply with the CA/Browser Forum’s >> Baseline Requirements for the issuance and maintenance of TLS server >> certificates; its membership-qualifying software product uses a list of CA >> certificates to validate the chain of trust from a TLS certificate to a CA >> certificate in such list; and it publishes how it decides to add or remove >> a CA certificate from the root store used in its membership-qualifying >> software product. >> >> >> >> Thanks, >> >> >> >> Ben >> >> >> >> On Mon, Jul 24, 2023 at 10:48 PM Roman Fischer < >> roman.fisc...@swisssign.com> wrote: >> >> Dear Ben, >> >> >> >> As stated before, I’m against minimal attendance (or even participation – >> however you would measure that, numbers of words spoken or written?) >> requirements. I’ve seen in university, in private associations, policitcs… >> that this simply doesn’t solve the problem. I totally agree with Tim: It >> will create administrative overhead and not solve the problem. >> >> >> >> IMHO non-particpants taking part in the democratic process (i.e. voting) >> is just something we have to accept and factor in. It’s one end of the >> extreme spectrum. There might be over-active participants that overwhelm >> the group by pushing their own agenda… If we have minimum participation >> requirements, then we maybe should also have maximum participation rules? >> 😉 >> >> >> >> Rgds >> Roman >> >> >> >> *From:* Servercert-wg <servercert-wg-boun...@cabforum.org> *On Behalf Of >> *Ben Wilson via Servercert-wg >> *Sent:* Montag, 24. Juli 2023 21:40 >> *To:* Tim Hollebeek <tim.holleb...@digicert.com>; CA/B Forum Server >> Certificate WG Public Discussion List <servercert-wg@cabforum.org> >> *Subject:* Re: [Servercert-wg] Participation Proposal for Revised SCWG >> Charter >> >> >> >> Tim, >> >> One problem we're trying to address is the potential for a great number >> of “submarine voters”. Such members may remain inactive for extended >> periods of time and then surface only to vote for or against something they >> suddenly are urged to support or oppose, without being aware of the >> issues. This will skew and damage the decision-making process. >> >> Another problem, that I don't think has been mentioned before, is the >> reliability of the CA/Browser Forum to adopt well-informed standards going >> forward. In other words, if something like I suggest happens, then I can >> see Certificate Consumers leaving the Forum and unilaterally setting very >> separate and distinct rules. This will result in fragmentation, >> inconsistency, and much more management overhead for CAs than the effort >> needed to keep track of attendance, which is already being done by the >> Forum. (If you'd like, I can share with everyone the list of members who >> have not voted or attended meetings in over two years.) >> >> Ben >> >> >> >> On Mon, Jul 24, 2023 at 11:41 AM Tim Hollebeek < >> tim.holleb...@digicert.com> wrote: >> >> What is your argument in response to the point that any potential bad >> actors will be trivially able to satisfy the participation metrics? >> >> >> >> I’m very worried we’ll end up doing a lot of management and tracking >> work, without actually solving the problem. >> >> >> >> -Tim >> >> >> >> *From:* Ben Wilson <bwil...@mozilla.com> >> *Sent:* Monday, July 24, 2023 10:21 AM >> *To:* Ben Wilson <bwil...@mozilla.com>; CA/B Forum Server Certificate WG >> Public Discussion List <servercert-wg@cabforum.org> >> *Cc:* Tim Hollebeek <tim.holleb...@digicert.com> >> *Subject:* Re: [Servercert-wg] Participation Proposal for Revised SCWG >> Charter >> >> >> >> All, >> >> I have thought a lot about this, including various other formulas (e.g. >> market share) to come up with something reasonable, but I've come back to >> attendance as the key metric that we need to focus on. I just think that an >> attendance metric provides the only workable, measurable, and sound >> solution for determining the right to vote as a Certificate Consumer >> because it offers the following three elements: >> >> - Informed Decision-Making: Voting requires a comprehensive >> understanding of ongoing discussions and developments. Regular attendance >> provides members with the necessary context and knowledge to make >> well-informed decisions. >> - Commitment: Attendance is a tangible and measurable representation >> of a member's commitment to the Server Certificate WG and its objectives. >> It demonstrates a genuine interest in contributing to the development and >> improvement of the requirements. >> - Active Involvement: By prioritizing attendance, we encourage active >> involvement and discourage passive membership. Voting rights should be >> earned through consistent engagement, as this ensures that decisions are >> made by those who are genuinely invested in the outcomes. >> >> At this point, I'm going to re-draft a proposal for a revision to the >> Server Certificate WG Charter and present it on the public list (because an >> eventual revision of the Charter will have to take place at the Forum >> level). >> >> Thanks, >> >> Ben >> >> >> >> On Thu, Jul 13, 2023 at 9:45 AM Ben Wilson via Servercert-wg < >> servercert-wg@cabforum.org> wrote: >> >> Thanks, Tim. >> >> >> >> All, >> >> >> >> I will look closer at the distribution and use of software for browsing >> the internet securely, instead of participation metrics. There is at least >> one source, StatCounter (https://gs.statcounter.com/browser-market-share >> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgs.statcounter.com%2Fbrowser-market-share&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C8b9a53bc77c6445114a808dba9ab7821%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638290326179003260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ydD0D6sfKEJ6o2wTujCNQ%2BdatbbJCovHalOjQM9heHA%3D&reserved=0>), >> that purports to measure use of browsing software, both globally and >> regionally. Would it be worthwhile to explore distribution by region and >> come up with a reasonable threshold? Can we rely on StatCounter, or should >> we look elsewhere? >> >> >> >> Thanks, >> >> >> >> Ben >> >> >> >> On Wed, Jul 12, 2023 at 9:30 AM Tim Hollebeek via Servercert-wg < >> servercert-wg@cabforum.org> wrote: >> >> I have a meaningful comment. >> >> >> >> I don’t want to ever have to discuss or judge whether someone’s comment >> is “meaningful” or not, and I don’t think incentivizing people to post more >> comments than they otherwise would is helpful. >> >> >> >> I also think getting the chairs involved in any way in discussing whether >> a member representative did or did not have a medical condition during a >> particular time period is an extremely bad idea. >> >> >> >> Given that the original issue was trying to determine whether a >> certificate consumer is in fact a legitimate player in the ecosystem or >> not, I would suggest that exploring metrics like market share might be far >> more useful. Metrics like participation are rather intrusive and onerous, >> except to those who are trying to game them, and those trying to game such >> metrics will succeed with little or no effort. >> >> >> >> -Tim >> >> >> >> *From:* Servercert-wg <servercert-wg-boun...@cabforum.org> *On Behalf Of >> *Roman Fischer via Servercert-wg >> *Sent:* Wednesday, July 12, 2023 7:23 AM >> *To:* CA/B Forum Server Certificate WG Public Discussion List < >> servercert-wg@cabforum.org> >> *Subject:* Re: [Servercert-wg] Participation Proposal for Revised SCWG >> Charter >> >> >> >> Dear Ben, >> >> >> >> Mandatory participation has in my experience never resulted in more or >> better discussions. People will dial into the telco and let it run in the >> background to “earn the credits”. >> >> >> >> Also, what would happen after the 90 day suspension? Would the >> organization be removed as a CA/B member? >> >> >> >> Rgds >> Roman >> >> >> >> *From:* Servercert-wg <servercert-wg-boun...@cabforum.org> *On Behalf Of >> *Ben Wilson via Servercert-wg >> *Sent:* Freitag, 7. Juli 2023 21:59 >> *To:* CA/B Forum Server Certificate WG Public Discussion List < >> servercert-wg@cabforum.org> >> *Subject:* [Servercert-wg] Participation Proposal for Revised SCWG >> Charter >> >> >> >> All, >> >> >> >> Here is a draft participation proposal for the SCWG to consider and >> discuss for inclusion in a revised SCWG Charter. >> >> >> >> #. Participation Requirements to Maintain Voting Privileges >> >> >> >> (a) Attendance. The privilege to vote “Yes” or “No” on ballots is >> suspended for 90 days if a Voting Member fails to meet the following >> attendance requirement over any 365-day period: >> >> - 10% of SCWG meetings for Voting Members located in time zones >> offset by UTC +5 through UTC +12 >> - 30% of SCWG meetings for Voting Members located in all other time >> zones >> >> (b) Meaningful Comments. Posting a Meaningful Comment is an alternative >> means of meeting the attendance requirement in subsection (a). A Voting >> Member can earn an attendance credit to make up for each missed meeting by >> posting a Meaningful Comment to the SCWG Public Mail List. Each Meaningful >> Comment is equal to attending one (1) meeting. >> >> >> >> A Meaningful Comment is one that follows the Code of Conduct and provides >> relevant information to the SCWG, such as new information, an insight, >> suggestion, or perspective related to the Scope of the SCWG, or that >> proposes an improvement to the TLS Baseline Requirements or EV Guidelines. >> It can also be something that responds to or builds on the comments of >> others in a meaningful way, or that offers feedback, suggestions, or >> solutions to the issues or challenges raised by the topic of discussion. >> >> >> >> A Meaningful Comment should be both relevant (within the Scope of the >> SCWG or related to the discussion that is taking place on the mailing >> list) and well-supported (clear reasons why the Voting Representative >> believes what they believe and supported by facts, data, or other >> information.) >> >> >> >> (c) A Voting Member that has failed to meet the attendance requirement in >> subsection (a) above is considered an "Inactive Member". Any Member who >> believes that any other Member is an Inactive Member may report that Member >> on the Forum's Management List by providing specific information about that >> Member's non-participation, and the SCWG Chair shall send written notice >> to the Inactive Member by email within seven (7) calendar days. The notice >> will include a reminder of the requirement to participate and inform the >> Inactive Member of the consequences of not participating. >> >> >> >> (d) Suspension of Voting Privileges. The Inactive Member's privilege to >> vote “Yes” or “No” on any ballot shall be temporarily suspended for a >> period of 90 days from the date of the notice. During the suspension >> period, the Inactive Member may vote “Abstain” on ballots. >> >> >> >> (e) Restoration of Voting Privilege. Voting privileges will be >> automatically restored to the Inactive Member upon attending three >> consecutive meetings. The restoration of voting privileges will be >> effective on the next ballot that enters the voting period after the >> Inactive Member meets the reactivation criteria. >> >> >> >> (f) Exceptional Circumstances. In cases where an Inactive Member can >> demonstrate justifiable reasons for their inability to participate, such as >> medical conditions or other extenuating circumstances affecting their >> Voting Representative(s), the SCWG Chair may review and consider >> reinstating voting privileges on a case-by-case basis. >> >> >> >> Thanks, >> >> >> >> Ben >> >> _______________________________________________ >> Servercert-wg mailing list >> Servercert-wg@cabforum.org >> https://lists.cabforum.org/mailman/listinfo/servercert-wg >> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C8b9a53bc77c6445114a808dba9ab7821%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638290326179003260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mtCK0NJkw5hpj930sutPJm39JGzqRirYiQH7YIL2XEo%3D&reserved=0> >> >> _______________________________________________ >> Servercert-wg mailing list >> Servercert-wg@cabforum.org >> https://lists.cabforum.org/mailman/listinfo/servercert-wg >> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C8b9a53bc77c6445114a808dba9ab7821%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638290326179003260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mtCK0NJkw5hpj930sutPJm39JGzqRirYiQH7YIL2XEo%3D&reserved=0> >> >> _______________________________________________ >> Servercert-wg mailing list >> Servercert-wg@cabforum.org >> https://lists.cabforum.org/mailman/listinfo/servercert-wg >> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C8b9a53bc77c6445114a808dba9ab7821%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638290326179003260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mtCK0NJkw5hpj930sutPJm39JGzqRirYiQH7YIL2XEo%3D&reserved=0> >> >> _______________________________________________ >> Servercert-wg mailing list >> Servercert-wg@cabforum.org >> https://lists.cabforum.org/mailman/listinfo/servercert-wg >> >
_______________________________________________ Servercert-wg mailing list Servercert-wg@cabforum.org https://lists.cabforum.org/mailman/listinfo/servercert-wg
