On Fri, May 01, 2020 at 04:48:28PM +0000, Corey Bonnell via dev-security-policy 
wrote:
> I have briefly reviewed and would like to ask what is the intent of Item 4
> and the associated sub-items?  The Browser Alignment draft ballot is under
> discussion in the CAB Forum, so the intent behind the shift of the
> location of discourse to the Mozilla forum is unclear.

I also had a similar "hmm, that seems odd" reaction to point 4 of the draft
CA communication.  At first glance, it does seem somewhat redundant to ask
CAs to tell Mozilla about their concerns rather than tell the CA/B Forum
directly.  However, when I reflected on it at some length, I came to the
conclusion that it is a good thing for Mozilla to survey the CAs in its root
program in this manner, for several reasons:

1. It is my understanding that not all CAs in Mozilla's root store are
   members of the CA/B Forum.  You could wonder why that is, you can even
   think that those CAs that aren't members of the Forum are being various
   forms of irresponsible, however the fact remains, and Mozilla reaching
   out to gather the opinions of all CAs in its root store helps to surface
   the opinions of those CAs that do not have a voice in the CA/B Forum
   directly.

2. There are multiple examples of CA members of the CA/B Forum failing to
   express their objections to a ballot until the voting period, which has
   on at least one occasion led to the failure of a ballot.  As there is no
   mechanism within the CA/B Forum to "force" members to express their
   objections to a draft ballot in a timely manner, it seems likely that
   this will occur again in the future.  Mozilla's CA communication and
   survey, being mandatory for all CAs in Mozilla's trust store to complete,
   requires those CAs to carefully consider the issues and voice their
   objections, which reduces the chances of objectionable draft ballots
   making it to the voting stage only to fail at that hurdle.

Thus, despite having initial reservations about Mozilla's action here, I've
come to the conclusion that it is a Good Thing(TM) that Mozilla is doing
this, and it can only be to the benefit of Mozilla, relying parties, and the
Web PKI for Section 4 of the draft May CA Communication to go out to CAs
as-is.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
