If you'd like to continue this conversation, might I respectfully ask you
take it elsewhere from this thread? It does not seem you're interested in
finding solutions for the issues, and you've continued to shift your
message, so perhaps it might be better to continue that discussion


On Tue, Oct 8, 2019 at 3:21 PM Paul Walsh <> wrote:

> Ryan,
> You just proved me right by saying I’m confused because I hold an opinion
> about how you conduct yourself when collaborating with industry
> stakeholders. My observations are the same across the board. I don’t think
> I’m confused. But you’re welcome to disagree with me. And, it’s not
> off-topic. We should be respectful when communicating in forums like this.
> I think your communication is sometimes disrespectful.
> You also tell people they are confused about bylaws and other documents
> when they’re in disagreement with you. It’s possible for someone to fully
> understand and appreciate specific guidelines and disagree with you at the
> same time.
> I’ve contributed to many W3C specifications over the years - I co-founded
> two, including the Mobile Web Initiative. I was also Chair of
> for three years. My point is this, when contributing to industry
> initiatives, I learned that there will always be instances where
> individuals need to be reminded to show respect to others when
> communicating differences of opinion - especially when there is a strong
> chance of culture differences. I don’t mind being reminded from time to
> time. Nobody is perfect.
> You can take this feedback, or leave it. Your call.
> - Paul
> On Oct 8, 2019, at 12:09 PM, Ryan Sleevi <> wrote:
> On Tue, Oct 8, 2019 at 2:44 PM Paul Walsh <> wrote:
>> Dear Ryan,
>> It would help a great deal, if you tone down your constant insults
>> towards the entire CA world. Questioning whether you should trust any CA is
>> a bridge too far.
>> Instead, why don’t you try to focus on specific issues with specific CAs,
>> or specific issues with most CAs. I don’t think you have a specific issue
>> with every CA in the world.
>> If specific CAs fail to do what you think is appropriate for browser
>> vendors, perhaps you need to implement new, or improve existing audits?
>> Propose solutions, implement checks and execute better reviews. Then
>> iterate until everyone gets it right.
> Paul,
> I appreciate your response, even if I believe it's largely off-topic,
> deeply confused, and personally insulting.
> This thread is acknowledging there are systemic issues, that it's not with
> specific CAs, and that the solutions being put forward aren't working, and
> so we need better solutions. It's also being willing to acknowledge that if
> we can't find systemic fixes, it may be that we have a broken system, and
> we should not be afraid of looking to improve or replace the system.
> Perhaps you (incorrectly) read "CAs" to mean "Every CA in the world", when
> it's just a plurality of "more than one CA". That's a bias on the reader's
> part, and suggesting that every plurality be accompanied by a qualified
> ("Some", "most") is just tone policing rather than engaging on substance.
> That said, it's entirely inappropriate to chastise me for highlighting
> issues of non-compliance, and attempt to identify the systemic issue
> underneath it. It's also entirely inappropriate to insist that I personally
> solve the issue, especially when significant effort has been expended to do
> address these issues so far, which continue to fail without much
> explanation as to why they're failing. Suggesting that we should accept
> regular failures and just deal with it, unfortunately, has no place in
> reasonable or rational conversation about how to improve things. That's
> because such a position is not interested in finding solutions, or
> improving, but in accepting the status quo.
> If you have suggestions on why these systemic issues are still happening,
> despite years of effort to improve them, I welcome them. However, there's
> no place for reasonable discussion if you don't believe we should have open
> and frank conversations about issues, about the misaligned incentives, or
> about how existing efforts to prevent these incidents by Browsers are
> falling flat.
dev-security-policy mailing list

Reply via email to