All,

Listed below are some of the survey results and the top-scoring topics for Friday's roundtable discussion. It appears that Mozilla's expectations about CA compliance scored highly. Handling and prioritizing policy changes also scored high, as did improving the speed and quality of the root inclusion process.

We also received comments that: more community-driven technical support is needed to help end users meet shorter certificate validity periods; recurring CA compliance issues may be due to unclear guidance in the CA/B Forum Baseline Requirements or in root store policies, which should be fixed; alternative incident reporting should be allowed for incidents involving minor, non-security-related issues; and root store policies seem to be diverging from the CA/B Forum Baseline Requirements.

From this feedback, I'll work up and circulate an agenda. However, given the limited time and discussion format, we'll also have to prioritize and select topics based on the best use of our time.

Thanks,
Ben

Score  Topic
4.14   Updating the Mozilla CA wiki’s list of problematic practices
       <https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices>
       (Clarifying behaviors that could result in compliance concerns or distrust discussions)
4.00   Mozilla's compliance expectations for new MRSP v.3.0 requirements
       (Clarifying how CAs should interpret and comply with newly effective policy requirements)
3.75   Adding MRSP Issues in GitHub <https://github.com/mozilla/pkipolicy/issues>
       (Collecting and managing proposed policy changes using GitHub’s issue tracker for transparency and collaboration)
3.71   Improving the speed and quality of Mozilla's root inclusion process
       (Exploring ways to streamline reviews and have public discussion while maintaining security and public transparency)
3.71   Updating the Mozilla CA wiki’s list of recommended practices
       <https://wiki.mozilla.org/CA/Required_or_Recommended_Practices>
       (Reviewing and expanding best-practice examples for CA operations and disclosures)
3.71   Re-prioritization of Mozilla’s root store policy initiatives and general work conducted
       (Evaluating whether Mozilla's current focus areas still align with ecosystem needs)
3.57   Gather suggestions for improvements to incorporate into MRSP v.3.1
       (Soliciting input to shape the next version of the Mozilla Root Store Policy)
3.57   Improving the quality of CAs’ Certification Practice Statements
       (Identifying common CPS issues and helping CAs meet expectations more effectively)
3.57   Improving CA compliance posture and sophistication, i.e. the CA maturity model
       (Discussing tools and benchmarks to measure and raise the maturity of CA operations)
3.57   Challenges that CAs face
       (Gathering CA pain points or systemic barriers to compliance or improvement)
3.57   Promoting and educating subscribers to help them implement automation of certificate lifecycle processes
       (Identifying ways to support and encourage automation among certificate users)

On Thu, May 8, 2025 at 12:29 PM Ben Wilson <[email protected]> wrote:

> Hi everyone,
>
> I’m really looking forward to our upcoming Mozilla CA Program roundtable discussion — it's happening next Friday, May 16th, and it will be a great opportunity to connect, share ideas, and discuss the Mozilla root program.
>
> To make sure the agenda reflects your interests and priorities, I’d greatly appreciate your taking a few minutes to fill out the survey: https://forms.gle/Ks3rbQxdkjETR7uJ7. Even if you can’t attend the teleconference, your input via the survey will help shape what we focus on — and I’ll make meeting notes or a summary available afterward.
>
> Thanks in advance.
>
> Ben
>
> On Wed, Apr 23, 2025 at 4:24 PM Ben Wilson <[email protected]> wrote:
>
>> Greetings all,
>>
>> I have created a survey <https://forms.gle/Ks3rbQxdkjETR7uJ7> (pasted below) to help shape the agenda for the round-table discussion scheduled for Friday, May 16, 2025.
>>
>> The survey <https://forms.gle/Ks3rbQxdkjETR7uJ7> will help identify the topics you’re most interested in discussing.
>>
>> Please take a few minutes to review the list of potential topics and indicate your level of interest. Your input will help us prioritize the topics and ensure that the discussion is productive and relevant. You’re welcome to suggest additional topics at the bottom of the survey <https://forms.gle/Ks3rbQxdkjETR7uJ7>. I’ll share a draft agenda and event details here once I’ve reviewed the responses.
>>
>> Thanks,
>>
>> Ben
>>
>> SURVEY
>>
>> Respondent Information
>>
>> - Name (optional)
>> - Organization (optional)
>> - Email (optional)
>>
>> Mozilla Root Store Policy (MRSP) and Governance
>>
>> - Adding MRSP Issues in GitHub
>>   (Collecting and managing proposed policy changes using GitHub’s issue tracker for transparency and collaboration)
>> - Gather suggestions for improvements to incorporate into MRSP v.3.1
>>   (Soliciting input to shape the next version of the Mozilla Root Store Policy)
>> - Triaging and prioritizing the MRSP Issues listed in GitHub
>>   (Deciding which proposed policy updates should be addressed first and how to resolve them)
>> - Mozilla's compliance expectations for new MRSP v.3.0 requirements
>>   (Clarifying how CAs should interpret and comply with newly effective policy requirements)
>> - Re-prioritization of Mozilla’s root store policy initiatives and general work conducted
>>   (Evaluating whether Mozilla's current focus areas still align with ecosystem needs)
>>
>> ------------------------------
>>
>> Community Engagement and Communication
>>
>> - Improving community engagement during policy discussions
>>   (Exploring ways to increase participation and constructive input in dev-security-policy or GitHub threads)
>> - Improving professionalism and civility and reducing friction during discussions
>>   (Establishing norms and tools that encourage respectful dialogue and reduce hostility)
>> - Improving the clarity and effectiveness of dev-security-policy announcements
>>   (Making communications clearer and more actionable for stakeholders)
>>
>> ------------------------------
>>
>> Mozilla CA Wiki and Documentation
>>
>> - Improving and updating information stored on the Mozilla CA wiki
>>   (Refreshing outdated content and improving the structure of CA guidance documentation)
>> - Updating the Mozilla CA wiki’s list of recommended practices
>>   (Reviewing and expanding best-practice examples for CA operations and disclosures)
>> - Updating the Mozilla CA wiki’s list of problematic practices
>>   (Clarifying behaviors that could result in compliance concerns or distrust discussions)
>>
>> ------------------------------
>>
>> CA Compliance and Maturity
>>
>> - Improving the quality of CAs’ Certification Practice Statements
>>   (Identifying common CPS issues and helping CAs meet expectations more effectively)
>> - Improving CA compliance posture and sophistication, i.e. the CA maturity model
>>   (Discussing tools and benchmarks to measure and raise the maturity of CA operations)
>> - Challenges that CAs face
>>   (Gathering CA pain points or systemic barriers to compliance or improvement)
>>
>> ------------------------------
>>
>> Root Inclusion and Incident Handling
>>
>> - Improving the speed and quality of Mozilla's root inclusion process
>>   (Exploring ways to streamline reviews and have public discussion while maintaining security and public transparency)
>> - Improving Bugzilla's usefulness for tracking incidents and root inclusion requests
>>   (Considering structured fields, labels, and templates to make Bugzilla more useful and efficient)
>>
>> ------------------------------
>>
>> CCADB Feedback
>>
>> - Gather feedback on CCADB usability, usefulness, and public reports
>>   (Collecting insights on how to improve the CCADB’s workflows and reporting)
>>
>> ------------------------------
>>
>> Certificate Lifecycle and Automation
>>
>> - Revising and improving revocation reason codes to match real-world revocation scenarios and to improve CRLite
>>   (Ensuring revocation codes better reflect root program needs and help optimize revocation checking)
>> - Promoting and educating subscribers to help them implement automation of certificate lifecycle processes
>>   (Identifying ways to support and encourage automation among certificate users)
>>
>> Open Comments
>>
>> - Revisions / tweaks to topic(s) listed above
>> - Additional topics to discuss
>> - Interested in leading the discussion of one of the topics? And if so, which one(s)?
>>
>> On Wed, Apr 23, 2025 at 2:14 PM 'Ben Wilson' via [email protected] <[email protected]> wrote:
>>
>>> Hi Matt,
>>>
>>> Thanks for your feedback and for sharing your concerns.
>>>
>>> To clarify, this meeting is not intended to replace or diminish any of the existing asynchronous channels for discussion about the Mozilla root program, such as this list, Bugzilla, and GitHub. They all remain the primary forums for open, transparent, and inclusive input regarding the root program. The round-table discussion is meant only to supplement these by specifically focusing attention toward improving the root program.
>>>
>>> While I understand, respect, and agree with your points that accessibility and transparency are important, I plan to move forward, but I commit to making the outcomes of the meeting available to the greatest extent possible with notes and follow-up discussions here to ensure that all interested parties can stay informed and contribute.
>>>
>>> Again, we appreciate your participation and involvement in our ongoing discussions, in which your insights are always highly valued.
>>>
>>> Thanks again,
>>>
>>> Ben
>>>
>>> On Wednesday, April 9, 2025 at 5:09:23 PM UTC-6 Matt Palmer wrote:
>>>
>>>> On Mon, Apr 07, 2025 at 11:13:04AM -0600, 'Ben Wilson' via [email protected] wrote:
>>>> > I’d like to announce that the Mozilla CA Program will hold a roundtable
>>>> > discussion on Zoom to gather feedback and ideas to improve our root program.
>>>>
>>>> I would like to express my strong disapproval of this approach to discussing the Mozilla root program. It disadvantages those in timezones which do not align with the chosen one, and also anyone who is unable for whatever reason to be available at the specified time. Further, there are already far too many instances of (variations of) the phrase "that was discussed at the F2F" in various places, seemingly used in an attempt to shut down discussion, and the addition of the phrase "that was discussed in the Zoom" will not improve the situation.
>>>>
>>>> It would be far more inclusive for all discussion to take place on async-friendly mediums, in forms that are amenable to archiving and straightforward referencing.
>>>>
>>>> > The roundtable will be scheduled for 90 minutes
>>>>
>>>> [...]
>>>>
>>>> > The purpose of the meeting would be to engage in open, constructive
>>>> > dialogue regarding:
>>>> >
>>>> > - Suggested improvements to the Mozilla Root Store Policy
>>>> > - Updates or enhancements to CA-related wiki pages
>>>> > - Efficiency and effectiveness during the root inclusion process or with CA incident handling
>>>> > - Clarity and consistency of Mozilla program communications
>>>> > - Broader discussions re: paths forward for the Web PKI
>>>>
>>>> I could talk, single-handedly, for 90 minutes on each of those topics, and I'm not even particularly deeply involved in the minutiae of the WebPKI.
>>>>
>>>> - Matt
>>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "[email protected]" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/893fdc14-8032-4ac5-afd2-6fac96f8c93cn%40mozilla.org.
>>>

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtab6Vja_JrFAtcPBiH%2B5Gd7tmqTv7xNipA59HJ4nNNkRUw%40mail.gmail.com.
