Re: [cabfpub] Public Digest, Vol 77, Issue 81

2018-09-14 Thread Tim Hollebeek via Public
seems like we're talking now
about concrete recommendations for changes, and it seems more relevant to
note what is in scope or out of scope.



I disagree that the deliverable affirmatively stating "will serve CA,
auditors, and browsers".



However, there's other, more fundamental problems. Most notable is that
Subcommittees aren't established to have Chairs - the point of the rework
of the Bylaws was to make it clearer what activities are done and how they
fit, and a SCWG subcommittee is just that - a subgroup of the SCWG. The
other is that the SCWG does not yet have a defined process for the
establishment of subcommittees.

___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public


Message: 2
Date: Fri, 14 Sep 2018 16:29:38 +
From: Tim Hollebeek <tim.holleb...@digicert.com>
To: Ryan Sleevi <sle...@google.com>
Cc: CABFPub <public@cabforum.org>
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security
Subcommittee of the SCWG
Message-ID: <bn6pr14mb11066d38b44b3bf97d0857d883...@bn6pr14mb1106.namprd14.prod.outlook.com>

Content-Type: text/plain; charset="utf-8"

My ballot that I didn’t get around to writing would have had something like:

“The current Bylaws lack clarity and precision about the functioning of 
subcommittees.  Until such a time as that is corrected, subcommittees created 
from LWGs shall operate in the same manner as pre-governance reform working 
groups.”



Would that help?



-Tim



P.S. I asked the Validation WG chair if the Validation Subcommittee would 
continue using the validation mailing list, and continue to produce agendas and 
minutes, and he said yes.



From: Ryan Sleevi <sle...@google.com>
Sent: Friday, September 14, 2018 12:19 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: Wayne Thayer <wtha...@mozilla.com>; CABFPub <public@cabforum.org>
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security 
Subcommittee of the SCWG



Subcommittees don't have requirements for minutes or publicly-available notes.



That's the point. All this thinking about subcommittees working "just like" 
LWGs is not the case. All of that was lost from the Bylaws. A subcommittee can 
just be two people having a chat, at least as written in the Bylaws today.



There's nothing stating subcommittees work with their own mailing lists, for 
example, in the way our old bylaws did. There's nothing establishing chairs or 
charters or deliverables. It's a one-off note.



That's the point.



On Fri, Sep 14, 2018 at 12:13 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:

Collaborating outside of a subcommittee has a bunch of drawbacks, including a 
complete lack of public transparency and much weaker IPR protections.



In my opinion, there’s already way, way too much going on in private that would 
be better handled in subcommittees where everyone can participate and there are 
publicly available notes.



-Tim



From: Public <public-boun...@cabforum.org> On Behalf Of Wayne Thayer via Public
Sent: Thursday, September 13, 2018 7:11 PM
To: Ryan Sleevi <sle...@google.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security 
Subcommittee of the SCWG



Would it be helpful to take a step back and propose an amendment to the Bylaws 
or SCWG charter that addresses Subcommittees in sufficient detail? I would be 
willing to work on that. Meanwhile, if the Network Security WG left some urgent 
work unfinished, nothing prevents SCWG members from collaborating outside of 
the Subcommittee structure.



On Thu, Sep 13, 2018 at 3:49 PM Ryan Sleevi via Public <public@cabforum.org> wrote:

I think that, without incorporating or responding to feedback, we will be 
opposed to this ballot. I agree that it's unfortunate we have gotten nowhere - 
but it's equally unfortunate to have spent two months without responding to any 
of the substance of the issues. It's great to see progress, but making small 
steps doesn't excuse leaving glaring issues. It's better to let these fall down 
than to support them with fundamental flaws.

[cabfpub] Results on Ballot SC6 – Revocation Timeline Extension

2018-09-14 Thread Kirk Hall via Public
The voting period for Ballot SC6 has ended and the ballot has passed.  Here are 
the results.

Voting by CAs – 23 votes total including abstentions

23 Yes votes: Actalis, Amazon, Buypass, Camerfirma, Certigna (DHIMYOTIS), 
Certinomis, certSIGN, Certum (Asseco), CFCA, Chunghwa Telecom, Comodo CA, 
Comsign, D-TRUST, Disig, Entrust Datacard, E-TUGRA, Firmaprofesional, GDCA, 
GlobalSign, Kamu Sertifikasyon Merkezi, Logius PKIoverheid, OATI, SECOM, SHECA, 
SK ID Solution, SSL.com, SSC, TWCA, TrustCor, Trustwave, TurkTrust, Visa
0 No votes:
0 Abstain:
100% of voting CAs voted in favor

Voting by browsers – 5 votes total including abstentions

5 Yes votes: Cisco, Google, Microsoft, Mozilla, 360
0 No votes:
0 Abstain:
100% of voting browsers voted in favor

Under Bylaw 2.2(g), a ballot result will be considered valid only when more 
than half of the number of currently active Members has participated. Votes to 
abstain are counted in determining a quorum.  Half of currently active Members 
as of the start of voting is 11, so quorum was 12 votes – quorum was met.

Bylaw 2.2(f) requires a yes vote by two-thirds of CA votes and 50%-plus-one 
browser votes for approval.  Votes to abstain are not counted for this purpose. 
 This requirement was met for both CAs and browsers.

At least one CA Member and one browser Member must vote in favor of a ballot 
for the ballot to be adopted.  This requirement was met.

The ballot passes.




Re: [cabfpub] Public Digest, Vol 77, Issue 81

2018-09-14 Thread Ryan Sleevi via Public
ittee of the SCWG
>>
>>
>>
>> On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public wrote:
>>
>> *Scope: *Revising and improving the Network and Certificate Systems
>> Security Requirements (NCSSRs).
>>
>>
>> *Out of Scope: *No provision.
>>
>> *Deliverables: *The Network Security Subcommittee shall produce one or
>> more documents offering options to the Forum for establishing minimal
>> security standards within the scope defined above, which may be used to
>> modify the existing NCSSRs. These renewed NCSSR documents will serve CAs,
>> auditors and browsers in giving a state of the art set of rules for the
>> deployment and operation of CAs computing infrastructures.  The
>> Subcommittee may choose its own initial Chair.
>>
>>
>>
>> Is this Deliverable correct? Is that scope correct? The previous WG
>> produced (only after significant prodding) a statement about 'options' -
>> which was to modifying the existing NCSSRs. It seems like we're talking
>> now
>> about concrete recommendations for changes, and it seems more relevant to
>> note what is in scope or out of scope.
>>
>>
>>
>> I disagree that the deliverable affirmatively stating "will serve CA,
>> auditors, and browsers".
>>
>>
>>
>> However, there's other, more fundamental problems. Most notable is that
>> Subcommittees aren't established to have Chairs - the point of the rework
>> of the Bylaws was to make it clearer what activities are done and how they
>> fit, and a SCWG subcommittee is just that - a subgroup of the SCWG. The
>> other is that the SCWG does not yet have a defined process for the
>> establishment of subcommittees.
>>
>>
>> Message: 2
>> Date: Fri, 14 Sep 2018 16:29:38 +
>> From: Tim Hollebeek 
>> To: Ryan Sleevi 
>> Cc: CABFPub 
>> Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security
>> Subcommittee of the SCWG
>> Message-ID: <bn6pr14mb11066d38b44b3bf97d0857d883...@bn6pr14mb1106.namprd14.prod.outlook.com>
>>
>> Content-Type: text/plain; charset="utf-8"
>>
>> My ballot that I didn’t get around to writing would have had something
>> like:
>>
>> “The current Bylaws lack clarity and precision about the functioning of
>> subcommittees.  Until such a time as that is corrected, subcommittees
>> created from LWGs shall operate in the same manner as pre-governance reform
>> working groups.”
>>
>>
>>
>> Would that help?
>>
>>
>>
>> -Tim
>>
>>
>>
>> P.S. I asked the Validation WG chair if the Validation Subcommittee would
>> continue using the validation mailing list, and continue to produce agendas
>> and minutes, and he said yes.
>>
>>
>>
>> From: Ryan Sleevi 
>> Sent: Friday, September 14, 2018 12:19 PM
>> To: Tim Hollebeek 
>> Cc: Wayne Thayer ; CABFPub 
>> Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security
>> Subcommittee of the SCWG
>>
>>
>>
>> Subcommittees don't have requirements for minutes or publicly-available
>> notes.
>>
>>
>>
>> That's the point. All this thinking about subcommittees working "just
>> like" LWGs is not the case. All of that was lost from the Bylaws. A
>> subcommittee can just be two people having a chat, at least as written in
>> the Bylaws today.
>>
>>
>>
>> There's nothing stating subcommittees work with their own mailing lists,
>> for example, in the way our old bylaws did. There's nothing establishing
>> chairs or charters or deliverables. It's a one-off note.
>>
>>
>>
>> That's the point.
>>
>>
>>
>> On Fri, Sep 14, 2018 at 12:13 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
>>
>> Collaborating outside of a subcommittee has a bunch of drawbacks,
>> including a complete lack of public transparency and much weaker IPR
>> protections.
>>
>>
>>
>> In my opinion, there’s already way, way too much going on i

Re: [cabfpub] Public Digest, Vol 77, Issue 81

2018-09-14 Thread Geoff Keating via Public
erables: *The Network Security Subcommittee shall produce one or
> more documents offering options to the Forum for establishing minimal
> security standards within the scope defined above, which may be used to
> modify the existing NCSSRs. These renewed NCSSR documents will serve CAs,
> auditors and browsers in giving a state of the art set of rules for the
> deployment and operation of CAs computing infrastructures.  The
> Subcommittee may choose its own initial Chair.
> 
> 
> 
> Is this Deliverable correct? Is that scope correct? The previous WG
> produced (only after significant prodding) a statement about 'options' -
> which was to modifying the existing NCSSRs. It seems like we're talking now
> about concrete recommendations for changes, and it seems more relevant to
> note what is in scope or out of scope.
> 
> 
> 
> I disagree that the deliverable affirmatively stating "will serve CA,
> auditors, and browsers".
> 
> 
> 
> However, there's other, more fundamental problems. Most notable is that
> Subcommittees aren't established to have Chairs - the point of the rework
> of the Bylaws was to make it clearer what activities are done and how they
> fit, and a SCWG subcommittee is just that - a subgroup of the SCWG. The
> other is that the SCWG does not yet have a defined process for the
> establishment of subcommittees.
> 
> 
> Message: 2
> Date: Fri, 14 Sep 2018 16:29:38 +
> From: Tim Hollebeek <tim.holleb...@digicert.com>
> To: Ryan Sleevi <sle...@google.com>
> Cc: CABFPub <public@cabforum.org>
> Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security
> Subcommittee of the SCWG
> Message-ID: <bn6pr14mb11066d38b44b3bf97d0857d883...@bn6pr14mb1106.namprd14.prod.outlook.com>
> 
> Content-Type: text/plain; charset="utf-8"
> 
> My ballot that I didn’t get around to writing would have had something like:
> 
> “The current Bylaws lack clarity and precision about the functioning of 
> subcommittees.  Until such a time as that is corrected, subcommittees created 
> from LWGs shall operate in the same manner as pre-governance reform working 
> groups.”
> 
> 
> 
> Would that help?
> 
> 
> 
> -Tim
> 
> 
> 
> P.S. I asked the Validation WG chair if the Validation Subcommittee would 
> continue using the validation mailing list, and continue to produce agendas 
> and minutes, and he said yes.
> 
> 
> 
> From: Ryan Sleevi <sle...@google.com>
> Sent: Friday, September 14, 2018 12:19 PM
> To: Tim Hollebeek <tim.holleb...@digicert.com>
> Cc: Wayne Thayer <wtha...@mozilla.com>; CABFPub <public@cabforum.org>
> Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security 
> Subcommittee of the SCWG
> 
> 
> 
> Subcommittees don't have requirements for minutes or publicly-available notes.
> 
> 
> 
> That's the point. All this thinking about subcommittees working "just like" 
> LWGs is not the case. All of that was lost from the Bylaws. A subcommittee 
> can just be two people having a chat, at least as written in the Bylaws today.
> 
> 
> 
> There's nothing stating subcommittees work with their own mailing lists, for 
> example, in the way our old bylaws did. There's nothing establishing chairs 
> or charters or deliverables. It's a one-off note.
> 
> 
> 
> That's the point.
> 
> 
> 
> On Fri, Sep 14, 2018 at 12:13 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
> 
> Collaborating outside of a subcommittee has a bunch of drawbacks, including a 
> complete lack of public transparency and much weaker IPR protections.
> 
> 
> 
> In my opinion, there’s already way, way too much going on in private that 
> would be better handled in subcommittees where everyone can participate and 
> there are publicly available notes.
> 
> 
> 
> -Tim
> 
> 
> 
> From: Public  <mailto:public-boun...@cabforum.org&

[cabfpub] Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Kirk Hall via Public
Good analysis, Wayne, but…  I think you left one factor out.

Yes, Bylaw 5.3.1(e) says a Chartered Working Group may create subcommittees 
“according to the approval process set forth in the CWG charter”.  The SCWG 
Charter does authorize ballots, and includes a voting structure for ballots.  
Ballots SC9 and SC10 will follow that part of the SCWG Charter, and so in my 
opinion are compliant with Bylaw 5.3.1(e).  I don’t think we are required to 
have a provision in the SCWG Charter that says “Here is how the SCWG will 
approve new Subcommittees…”.

I suppose we could add one sentence to the SCWG Charter “Subcommittees may be 
approved by SCWG ballot”, but is that really necessary?  The Forum always used 
ballots in the past to approve new WGs of the Forum, so the precedent is clear. 
 (If you feel strongly on this point, you can propose a ballot to add that 
sentence to the SCWG Charter for clarity, but it seems unnecessary to me.)

The old Bylaws had a Section 5.3 on Working Groups (now, Subcommittees) – see 
below - and it might be a good idea to add most of these provisions to the 
Bylaws in the future to apply to all new Subcommittees.  But notice how old 
Working Groups were approved - by Ballot.  That’s the procedure Ballots SC9 and 
SC10 are following to create the Subcommittees of the SCWG.  I think we are in 
compliance with our Bylaws.  We will be including Scope, Deliverables, a Chair, 
posting all messages and documents on a public list, and posting of Minutes in 
each Ballot, so we are covered.

*


5.3 Working Groups (from Bylaws v1.8 – no longer in effect)

Members may propose by ballot the appointment of Working Groups open to 
participation by Members and Interested Parties. The ballot shall outline the 
scope of the Working Group’s activities, including deliverables, any 
limitations, and Working Group expiration date. Upon approval of the Working 
Group, the Chair will call for a show of interest in participation by Members, 
and shall appoint a Working Group Chair from among the interested Members.

Upon creation of a Working Group, the Forum will post an invitation to all 
Interested Parties to participate, and will solicit others with expertise and 
interest in the Working Group subject matter to become Interested Parties and 
participate in the Working Group. With the approval of the Chair, Working 
Groups may establish separate list-servs, wikis, and web pages for their 
communications, but all such separate list-servs must be managed in the same 
fashion as the Public Mail List. Working Groups may meet by teleconference or 
face-to-face meetings upon approval by the Chair and the Working Group Chair, 
but the Forum shall not be responsible for the expenses of any such 
teleconferences or meetings.

Working Groups may draft recommendations to be forwarded to the Forum for its 
consideration, but no recommendations will be considered the product of the 
Working Group unless approved by two-thirds of all Working Group members who 
vote on the recommendations. All substantial initial and final drafts of the 
Working Group product will be posted on the Public Mail List.

The Forum shall review the final recommendations from a Working Groups and may 
approve and implement some or all of the recommendations as appropriate in the 
Forum’s judgment following the Forum’s regular voting rules. The Forum shall 
retain the right to amend a Working Group recommendation before approval, but 
in most cases should first return the proposed amended recommendation to the 
Working Group for its review and response before voting.
The Forum shall not be required to submit any matter to a Working Group, but 
may itself draft requirements and guidelines without a Working Group in its 
discretion.

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Wayne Thayer via Public
Sent: Friday, September 14, 2018 12:21 PM
To: Tim Hollebeek; CA/Browser Forum Public Discussion List
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

On Fri, Sep 14, 2018 at 11:40 AM Tim Hollebeek via Public <public@cabforum.org> wrote:
Ryan,

I am not Ryan, but...

Unfortunately, as a native Californian, I am a very non-violent person, and the 
Code of Conduct explicitly forbids violence, so can we be in utterly 
non-violent agreement about the fact that the Validation WG is already an SCWG 
subcommittee?   That will make it clear we have time to discuss rules about 
how subcommittees function and come to a consensus about what the right 
solution is.

I partially agree with you. The bylaws section 5.3.1(e) says in part that "A 
CWG-created Subcommittee needs to be approved by the CWG itself according to 
the approval process set forth in the CWG charter..." Since there is no 
approval process defined in the SCWG charter, one could argue that any form of 
approval is acceptable. However, I don't consider the LWG Chair's declaration 
that the LWG 

Re: [cabfpub] Ballot Forum-2 - Chair and Vice-Chair Term Extensions

2018-09-14 Thread Wayne Thayer via Public
Mozilla votes Yes on ballot Forum-2.

- Wayne

On Wed, Sep 5, 2018 at 9:35 PM Ben Wilson via Public 
wrote:

> *Ballot Forum-2 - Chair and Vice-Chair Term Extensions*
>
>
>
> Ben Wilson of DigiCert calls the following proposed ballot to be published
> for discussion and comment by the CABF membership.
>
>
>
> Dimitris Zacharopoulos of HARICA and Jos Purvis of Cisco have endorsed the
> proposed ballot.
>
>
>
> *Explanation of Ballot: *
>
>
>
> Kirk Hall was elected to a two-year term as Chair of the Forum by Ballot
> 177, and Ben Wilson was elected to a two-year term as Vice Chair of the
> Forum by Ballot 178.  Their terms run from October 22, 2016 through October
> 21, 2018.  The Forum wishes to extend these terms by 10 days, to run
> through October 31, 2018, in order that their successors can be elected to
> new two-year terms starting on November 1, 2018, by separate ballots and so
> that there will be no gap in leadership.
>
>
>
> *---Ballot Begins --- *
>
>
>
> Kirk Hall’s term as Chair of the CA/Browser Forum is hereby extended from
> October 21, 2018 through October 31, 2018, and Ben Wilson’s term as Vice
> Chair of the CA/Browser Forum is hereby extended from October 21, 2018
> through October 31, 2018.
>
>
>
> *---Ballot Ends ---*
>
>
>
> The procedure for approval of this ballot is as follows:
>
>
>
> Discussion Period (7 days)
>   Start Time: 6-Sept-2018 16:00:00 UTC
>   End Time: 13-Sept-2018 16:00:00 UTC
>
> Voting Period (7 days)
>   Start Time: 13-Sept-2018 16:00:00 UTC
>   End Time: 20-Sept-2018 16:00:00 UTC
>
>
>
>


Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Ryan Sleevi via Public
On Fri, Sep 14, 2018 at 4:50 PM Tim Hollebeek 
wrote:

> Wayne,
>
>
>
> My position is that LWGs are handled via the process in 5.3.4, and not
> 5.3.1(e), and as such, the Validation WG is somewhat special.  This was
> actually the intent of the Governance Reform effort; it was intended that
> the Governance Reform effort would not be used to obstruct or impede the
> functioning of existing working groups (I’ll note that obstructing the work
> of the Forum is explicitly called out in the Code of Conduct as a Code of
> Conduct violation).  As I’ve stated repeatedly, I will probably support any
> and/or all attempts to improve clarity in this area, as long as it doesn’t
> impede the important work of the Validation WG.  Though the suggestion that
> it is unclear whether Subcommittees have chairs is completely bizarre.
> I’ve never been a member of a standards working group or committee that
> didn’t, and I’ve been on **WAY** too many of them.  Extraordinary claims
> require extraordinary evidence.
>

Can you point to where the Bylaws describe how Subcommittees operate? Can
you point to where Ballot 206 describes how subcommittees operate? Can you
point to a list during or prior to this discussion that describes how
subcommittees operate?

The point is that these elements are not defined, anywhere. It sounds like
multiple members unsurprisingly arose at different definitions and
understandings, some reasonable, some not, and now it's an effort of the
SCWG to sort out what the definition "should" be and to adopt a process to
memorialize that in a way that isn't "Well, I threatened a Code of Conduct
complaint, so I must be right"

Here's a simple path forward:
- The SCWG has not defined how Subcommittees are formed. One interpretation
suggests that means nothing is required - not even to the degree of
consensus. Another interpretation suggests that means in the absence of
definition, a ballot is required.
- The SCWG has not defined how Subcommittees are operated, nor do the
Bylaws. A subcommittee is clearly a part of a CWG, but the obligations and
expectations of that subcommittee - does it use a public mail list, does it
produce minutes, does it permit calls - is not defined. The Bylaws allow
CWGs to define that, but the SCWG has not. One interpretation suggests that
means that subcommittees can do whatever they want. Another suggests that
until the SCWG defines that, it's inadvisable to form subcommittees.

The easiest solution is to resolve both of these with ballots, even if
other interpretations may have value.

The issue(s) with SC9 and SC10 is that they (presently) are missing that
second half that the Bylaws indicate the SCWG's charter should address, but
the current SCWG's charter does not, nor do the Bylaws. In the absence of
that, or a change in the charter, simply addressing these via SC9/SC10 to
clarify what will happen and how it will happen will resolve (temporarily)
the fundamental issue, and then subsequent work can be done to clarify for
the SCWG going forward how Subcommittees will operate.


Re: [cabfpub] VOTING HAS STARTED Ballot Forum-2 - Chair and Vice-Chair Term Extensions

2018-09-14 Thread Devon O'Brien via Public
Google votes YES on Ballot Forum-2 - Chair and Vice-Chair Term Extensions.

On Fri, Sep 14, 2018 at 12:12 PM Ben Wilson via Public 
wrote:

> VOTING HAS STARTED.
>
>
>
> DigiCert votes “YES”
>
>
>
> *From:* Public [mailto:public-boun...@cabforum.org] *On Behalf Of *Ben Wilson via Public
> *Sent:* Wednesday, September 5, 2018 9:35 PM
> *To:* CABFPub 
> *Subject:* [EXTERNAL][cabfpub] Ballot Forum-2 - Chair and Vice-Chair Term
> Extensions
>
>
>
> *Ballot Forum-2 - Chair and Vice-Chair Term Extensions*
>
>
>
> Ben Wilson of DigiCert calls the following proposed ballot to be published
> for discussion and comment by the CABF membership.
>
>
>
> Dimitris Zacharopoulos of HARICA and Jos Purvis of Cisco have endorsed the
> proposed ballot.
>
>
>
> *Explanation of Ballot: *
>
>
>
> Kirk Hall was elected to a two-year term as Chair of the Forum by Ballot
> 177, and Ben Wilson was elected to a two-year term as Vice Chair of the
> Forum by Ballot 178.  Their terms run from October 22, 2016 through October
> 21, 2018.  The Forum wishes to extend these terms by 10 days, to run
> through October 31, 2018, in order that their successors can be elected to
> new two-year terms starting on November 1, 2018, by separate ballots and so
> that there will be no gap in leadership.
>
>
>
> *---Ballot Begins --- *
>
>
>
> Kirk Hall’s term as Chair of the CA/Browser Forum is hereby extended from
> October 21, 2018 through October 31, 2018, and Ben Wilson’s term as Vice
> Chair of the CA/Browser Forum is hereby extended from October 21, 2018
> through October 31, 2018.
>
>
>
> *---Ballot Ends ---*
>
>
>
> The procedure for approval of this ballot is as follows:
>
>
>
> Discussion Period (7 days)
>   Start Time: 6-Sept-2018 16:00:00 UTC
>   End Time: 13-Sept-2018 16:00:00 UTC
>
> Voting Period (7 days)
>   Start Time: 13-Sept-2018 16:00:00 UTC
>   End Time: 20-Sept-2018 16:00:00 UTC
>
>
>
>


Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Tim Hollebeek via Public
Hmm.  Thanks for pointing out my error about 5.3.4.

 

Let’s all vote in favor of SC9 and be done with it.

 

-Tim

 

From: Wayne Thayer  
Sent: Friday, September 14, 2018 5:11 PM
To: Tim Hollebeek 
Cc: CA/Browser Forum Public Discussion List ; Ryan Sleevi 

Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

On Fri, Sep 14, 2018 at 1:50 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:

Wayne,

 

My position is that LWGs are handled via the process in 5.3.4, and not 
5.3.1(e), and as such, the Validation WG is somewhat special.  

 

5.3.4 says "...converting to a Subcommittee under a CWG pursuant to Section 
5.3.1(e).", so I don't understand how you can argue that 5.3.1(e) does not 
apply to a 5.3.4 conversion.

 

This was actually the intent of the Governance Reform effort; it was intended 
that the Governance Reform effort would not be used to obstruct or impede the 
functioning of existing working groups (I’ll note that obstructing the work of 
the Forum is explicitly called out in the Code of Conduct as a Code of Conduct 
violation).  As I’ve stated repeatedly, I will probably support any and/or all 
attempts to improve clarity in this area, as long as it doesn’t impede the 
important work of the Validation WG.  Though the suggestion that it is unclear 
whether Subcommittees have chairs is completely bizarre.  I’ve never been a 
member of a standards working group or committee that didn’t, and I’ve been on 
*WAY* too many of them.  Extraordinary claims require extraordinary evidence.

 

We are in peaceful agreement here. I suspect there are vast differences of 
opinion on what a Subcommittee actually is, ranging from "that thing we used to 
call a Working Group" to "some members who want to informally work together on 
a project".

 

I will note that my recollection is that you were on both the VWG call before 
July 3rd when the proposal to exercise option (a) was discussed, and the VWG 
call immediately after July 3rd when the proposal to choose option (a) was 
discussed again, and didn’t object to that course of action at that time.  It’s 
not just a declaration of the Chair, it was the unanimous consensus of the WG, 
twice discussed.

 

Correct, and I am not objecting to the VWG making the declaration. If I am 
objecting to anything now, it's that the Bylaws say that the SCWG must somehow 
"approve" the formation of a Subcommittee.

 

I actually agree that the process for new Subcommittees (like the Network 
Security Subcommittee) leaves a lot to be desired, and should be improved by a 
ballot to improve the clarity of the Bylaws and/or SCWG charter with respect to 
creation of new Subcommittees.  However I agree with Virginia that the SCWG has 
the right to create subcommittees.  In the absence of explicit rules in the 
charter, the SCWG ballot rules seem to be the right way to create new SCWG 
Subcommittees.  Members are free to vote as they choose on such ballots.  But 
they are not free to obstruct the business of the Forum on procedural grounds 
that are unsupported by the Bylaws, and they are not free to deny members or 
working groups the rights and options they have that are clearly expressed in 
the Bylaws.

 

Sounds like we are in agreement that ballot SC9 should proceed. 

 

I will file Code of Conduct complaints if I have to, but would prefer not to.

 

-Tim

 

From: Wayne Thayer <wtha...@mozilla.com>
Sent: Friday, September 14, 2018 3:21 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>; CA/Browser Forum Public Discussion List 
<public@cabforum.org>
Cc: Ryan Sleevi <sle...@google.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

On Fri, Sep 14, 2018 at 11:40 AM Tim Hollebeek via Public <public@cabforum.org> wrote:

Ryan,

 

I am not Ryan, but...

 

Unfortunately, as a native Californian, I am a very non-violent person, and the 
Code of Conduct explicitly forbids violence, so can we be in utterly 
non-violent agreement about the fact that the Validation WG is already an SCWG 
subcommittee?   That will make it clear we have time to discuss rules about 
how subcommittees function and come to a consensus about what the right 
solution is.

 

I partially agree with you. The bylaws section 5.3.1(e) says in part that "A 
CWG-created Subcommittee needs to be approved by the CWG itself according to 
the approval process set forth in the CWG charter..." Since there is no 
approval process defined in the SCWG charter, one could argue that any form of 
approval is acceptable. However, I don't consider the LWG Chair's declaration 
that the LWG is converting to a Subcommittee to be a form of approval by the 
CWG. So I still think it would be best to put this one to a vote. 

 

In the meantime, I would like to once again re-iterate that the Validation 
Subcommittee will, to the best of its ability, 

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Wayne Thayer via Public
On Fri, Sep 14, 2018 at 1:50 PM Tim Hollebeek 
wrote:

> Wayne,
>
>
>
> My position is that LWGs are handled via the process in 5.3.4, and not
> 5.3.1(e), and as such, the Validation WG is somewhat special.
>

5.3.4 says "...converting to a Subcommittee under a CWG pursuant to Section
5.3.1(e).", so I don't understand how you can argue that 5.3.1(e) does not
apply to a 5.3.4 conversion.

> This was actually the intent of the Governance Reform effort; it was
> intended that the Governance Reform effort would not be used to obstruct or
> impede the functioning of existing working groups (I’ll note that
> obstructing the work of the Forum is explicitly called out in the Code of
> Conduct as a Code of Conduct violation).  As I’ve stated repeatedly, I will
> probably support any and/or all attempts to improve clarity in this area,
> as long as it doesn’t impede the important work of the Validation WG.
> Though the suggestion that it is unclear whether Subcommittees have chairs
> is completely bizarre.  I’ve never been a member of a standards working
> group or committee that didn’t, and I’ve been on **WAY** too many of
> them.  Extraordinary claims require extraordinary evidence.
>
>
>
We are in peaceful agreement here. I suspect there are vast differences of
opinion on what a Subcommittee actually is, ranging from "that thing we
used to call a Working Group" to "some members who want to informally work
together on a project".

> I will note that my recollection is that you were on both the VWG call
> before July 3rd when the proposal to exercise option (a) was discussed,
> and the VWG call immediately after July 3rd when the proposal to choose
> option (a) was discussed again, and didn’t object to that course of action
> at that time.  It’s not just a declaration of the Chair, it was the
> unanimous consensus of the WG, twice discussed.
>
>
Correct, and I am not objecting to the VWG making the declaration. If I am
objecting to anything now, it's that the Bylaws say that the SCWG must
somehow "approve" the formation of a Subcommittee.

>
>
> I actually agree that the process for new Subcommittees (like the Network
> Security Subcommittee) leaves a lot to be desired, and should be improved
> by a ballot to improve the clarity of the Bylaws and/or SCWG charter with
> respect to creation of new Subcommittees.  However I agree with Virginia
> that the SCWG has the right to create subcommittees.  In the absence of
> explicit rules in the charter, the SCWG ballot rules seem to be the right
> way to create new SCWG Subcommittees.  Members are free to vote as they
> choose on such ballots.  But they are not free to obstruct the business of
> the Forum on procedural grounds that are unsupported by the Bylaws, and
> they are not free to deny members or working groups the rights and options
> they have that are clearly expressed in the Bylaws.
>
>
>
Sounds like we are in agreement that ballot SC9 should proceed.

>
>
> I will file Code of Conduct complaints if I have to, but would prefer not
> to.
>
>
>
> -Tim
>
>
>
> *From:* Wayne Thayer 
> *Sent:* Friday, September 14, 2018 3:21 PM
> *To:* Tim Hollebeek ; CA/Browser Forum Public
> Discussion List 
> *Cc:* Ryan Sleevi 
> *Subject:* Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the
> Network Security Subcommittee of the SCWG
>
>
>
> On Fri, Sep 14, 2018 at 11:40 AM Tim Hollebeek via Public <
> public@cabforum.org> wrote:
>
> Ryan,
>
>
>
> I am not Ryan, but...
>
>
>
> Unfortunately, as a native Californian, I am a very non-violent person,
> and the Code of Conduct explicitly forbids violence, so can we be in
> utterly non-violent agreement about the fact that the Validation WG is
> already an SCWG subcommittee?   That will make it clear we have time to
> discuss rules about how subcommittees function and come to a consensus
> about what the right solution is.
>
>
>
> I partially agree with you. The bylaws section 5.3.1(e) says in part that
> "A CWG-created Subcommittee needs to be approved by the CWG itself
> according to the approval process set forth in the CWG charter..." Since
> there is no approval process defined in the SCWG charter, one could argue
> that any form of approval is acceptable. However, I don't consider the LWG
> Chair's declaration that the LWG is converting to a Subcommittee to be a
> form of approval by the CWG. So I still think it would be best to put this
> one to a vote.
>
>
>
> In the meantime, I would like to once again re-iterate that the Validation
> Subcommittee will, to the best of its ability, continue functioning as it
> historically has.  That includes publicly available discussions, agendas,
> and meeting notes.  We have a lot of very important work we are doing, and
> it is important we are able to continue making progress.
>
>
>
> I completely agree.
>
>
>
> -Tim
>
>
>
> *From:* Ryan Sleevi 
> *Sent:* Friday, September 14, 2018 1:54 PM
> *To:* Tim Hollebeek 
> *Cc:* CABFPub ; Kirk Hall <
> kirk.h...@entrustdatacard.com>
> 

Re: [cabfpub] Public Digest, Vol 77, Issue 81

2018-09-14 Thread Ryan Sleevi via Public
Security
> Subcommittee of the SCWG
>
>
>
> Would it be helpful to take a step back and propose an amendment to the
> Bylaws or SCWG charter that addresses Subcommittees in sufficient detail? I
> would be willing to work on that. Meanwhile, if the Network Security WG
> left some urgent work unfinished, nothing prevents SCWG members from
> collaborating outside of the Subcommittee structure.
>
>
>
> On Thu, Sep 13, 2018 at 3:49 PM Ryan Sleevi via Public <
> public@cabforum.org> wrote:
>
> I think that, without incorporating or responding to feedback, we will be
> opposed to this ballot. I agree that it's unfortunate we have gotten
> nowhere - but it's equally unfortunate to have spent two months without
> responding to any of the substance of the issues. It's great to see
> progress, but making small steps doesn't excuse leaving glaring issues.
> It's better to let these fall down than to support them with fundamental
> flaws.
>
>
>
> Concrete feedback is:
>
> Delete: "These renewed NCSSR documents will serve CAs, auditors and
> browsers in giving a state of the art set of rules for the deployment and
> operation of CAs computing infrastructures."
>
> Rationale: That presumes this output will be valid/valuable.
>
>
>
> Delete: "The Subcommittee may choose its own initial Chair."
>
> Rationale: Subcommittees don't have Chairs and votes. They're just
> meetings of the CWG with focus.
>
>
>
> Delete: "The Network Security Subcommittee shall produce one or more
> documents offering options to the Forum for establishing minimal security
> standards within the scope defined above, which may be used to modify the
> existing NCSSRs."
>
> Rationale: This is pretty much a non-scope as worded, but worse,
> precludes some of the very activities you want to do. For example,
> reforming existing requirements doesn't establish minimums, so is out of
> scope.
>
>
>
> Obviously, that leaves you with nothing left. Hopefully there's something
> concrete you think should remain, and you can suggest improvements there.
>
>
>
>
>
>
>
> On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall 
> wrote:
>
> On this ballot and Ballot SC10, I’m only going to consider comments and
> criticisms that propose specific alternate language that you will support.
> We have spent two months on creation of Subcommittees that simply continue
> the work we have been doing, and getting nowhere.  Time to finish up!
>
>
>
> Do you have specific alternate ballot language you want the Members to
> consider?  If so, please post.
>
>
>
> *From:* Ryan Sleevi [mailto:sle...@google.com]
> *Sent:* Thursday, September 13, 2018 2:55 PM
> *To:* Kirk Hall ; CABFPub <
> public@cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network
> Security Subcommittee of the SCWG
>
>
>
> On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public 
> wrote:
>
> *Scope: *Revising and improving the Network and Certificate Systems
> Security Requirements (NCSSRs).
>
>
> *Out of Scope: *No provision.
>
> *Deliverables: *The Network Security Subcommittee shall produce one or
> more documents offering options to the Forum for establishing minimal
> security standards within the scope defined above, which may be used to
> modify the existing NCSSRs. These renewed NCSSR documents will serve CAs,
> auditors and browsers in giving a state of the art set of rules for the
> deployment and operation of CAs computing infrastructures.  The
> Subcommittee may choose its own initial Chair.
>
>
>
> Is this Deliverable correct? Is that scope correct? The previous WG
> produced (only after significant prodding) a statement about 'options' -
> which was to modifying the existing NCSSRs. It seems like we're talking now
> about concrete recommendations for changes, and it seems more relevant to
> note what is in scope or out of scope.
>
>
>
> I disagree that the deliverable affirmatively stating "will serve CA,
> auditors, and browsers".
>
>
>
> However, there's other, more fundamental problems. Most notable is that
> Subcommittees aren't established to have Chairs - the point of the rework
> of the Bylaws was to make it clearer what activities are done and how they
> fit, and a SCWG subcommittee is just that - a subgroup of the SCWG. The
> other is that the SCWG does not yet have a defined process for the
> establishment of subcommittees.
>

Re: [cabfpub] Public Digest, Vol 77, Issue 81

2018-09-14 Thread Tim Hollebeek via Public
 structure.



On Thu, Sep 13, 2018 at 3:49 PM Ryan Sleevi via Public <
public@cabforum.org> wrote:

I think that, without incorporating or responding to feedback, we will be
opposed to this ballot. I agree that it's unfortunate we have gotten
nowhere - but it's equally unfortunate to have spent two months without
responding to any of the substance of the issues. It's great to see
progress, but making small steps doesn't excuse leaving glaring issues.
It's better to let these fall down than to support them with fundamental
flaws.



Concrete feedback is:

Delete: "These renewed NCSSR documents will serve CAs, auditors and
browsers in giving a state of the art set of rules for the deployment and
operation of CAs computing infrastructures."

Rationale: That presumes this output will be valid/valuable.



Delete: "The Subcommittee may choose its own initial Chair."

Rationale: Subcommittees don't have Chairs and votes. They're just
meetings of the CWG with focus.



Delete: "The Network Security Subcommittee shall produce one or more
documents offering options to the Forum for establishing minimal security
standards within the scope defined above, which may be used to modify the
existing NCSSRs."

Rationale: This is pretty much a non-scope as worded, but worse,
precludes some of the very activities you want to do. For example,
reforming existing requirements doesn't establish minimums, so is out of
scope.



Obviously, that leaves you with nothing left. Hopefully there's something
concrete you think should remain, and you can suggest improvements there.







On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall <kirk.h...@entrustdatacard.com>
wrote:

On this ballot and Ballot SC10, I’m only going to consider comments and
criticisms that propose specific alternate language that you will support.
We have spent two months on creation of Subcommittees that simply continue
the work we have been doing, and getting nowhere.  Time to finish up!



Do you have specific alternate ballot language you want the Members to
consider?  If so, please post.



*From:* Ryan Sleevi [mailto:sle...@google.com]
*Sent:* Thursday, September 13, 2018 2:55 PM
*To:* Kirk Hall <kirk.h...@entrustdatacard.com>; CABFPub <
public@cabforum.org>
*Subject:* [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network
Security Subcommittee of the SCWG



On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public <public@cabforum.org>
wrote:

*Scope: *Revising and improving the Network and Certificate Systems
Security Requirements (NCSSRs).


*Out of Scope: *No provision.

*Deliverables: *The Network Security Subcommittee shall produce one or
more documents offering options to the Forum for establishing minimal
security standards within the scope defined above, which may be used to
modify the existing NCSSRs. These renewed NCSSR documents will serve CAs,
auditors and browsers in giving a state of the art set of rules for the
deployment and operation of CAs computing infrastructures.  The
Subcommittee may choose its own initial Chair.



Is this Deliverable correct? Is that scope correct? The previous WG
produced (only after significant prodding) a statement about 'options' -
which was to modifying the existing NCSSRs. It seems like we're talking now
about concrete recommendations for changes, and it seems more relevant to
note what is in scope or out of scope.



I disagree that the deliverable affirmatively stating "will serve CA,
auditors, and browsers".



However, there's other, more fundamental problems. Most notable is that
Subcommittees aren't established to have Chairs - the point of the rework
of the Bylaws was to make it clearer what activities are done and how they
fit, and a SCWG subcommittee is just that - a subgroup of the SCWG. The
other is that the SCWG does not yet have a defined process for the
establishment of subcommittees.


--

Message: 2
Date: Fri, 14 Sep 2018 16:29:38 +
From: Tim Hollebeek <tim.holleb...@digicert.com>
To: Ryan Sleevi <sle...@google.com>
Cc: CABFPub <public@cabforum.org>
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security
Subcommittee of the SCWG
Message-ID:
<bn6pr14mb11066d38b44b3bf97d0857d883...@bn6pr14mb1106.namprd14.prod.outlook.com>

Content-Type: text/plain; charset="utf-8"

My ballot that I didn’t get around to writing would have had something like:



“Th

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Tim Hollebeek via Public
Wayne,

 

My position is that LWGs are handled via the process in 5.3.4, and not 
5.3.1(e), and as such, the Validation WG is somewhat special.  This was 
actually the intent of the Governance Reform effort; it was intended that the 
Governance Reform effort would not be used to obstruct or impede the 
functioning of existing working groups (I’ll note that obstructing the work of 
the Forum is explicitly called out in the Code of Conduct as a Code of Conduct 
violation).  As I’ve stated repeatedly, I will probably support any and/or all 
attempts to improve clarity in this area, as long as it doesn’t impede the 
important work of the Validation WG.  Though the suggestion that it is unclear 
whether Subcommittees have chairs is completely bizarre.  I’ve never been a 
member of a standards working group or committee that didn’t, and I’ve been on 
*WAY* too many of them.  Extraordinary claims require extraordinary evidence.

 

I will note that my recollection is that you were on both the VWG call before 
July 3rd when the proposal to exercise option (a) was discussed, and the VWG 
call immediately after July 3rd when the proposal to choose option (a) was 
discussed again, and didn’t object to that course of action at that time.  It’s 
not just a declaration of the Chair, it was the unanimous consensus of the WG, 
twice discussed.

 

I actually agree that the process for new Subcommittees (like the Network 
Security Subcommittee) leaves a lot to be desired, and should be improved by a 
ballot to improve the clarity of the Bylaws and/or SCWG charter with respect to 
creation of new Subcommittees.  However I agree with Virginia that the SCWG has 
the right to create subcommittees.  In the absence of explicit rules in the 
charter, the SCWG ballot rules seem to be the right way to create new SCWG 
Subcommittees.  Members are free to vote as they choose on such ballots.  But 
they are not free to obstruct the business of the Forum on procedural grounds 
that are unsupported by the Bylaws, and they are not free to deny members or 
working groups the rights and options they have that are clearly expressed in 
the Bylaws.

 

I will file Code of Conduct complaints if I have to, but would prefer not to.

 

-Tim

 

From: Wayne Thayer  
Sent: Friday, September 14, 2018 3:21 PM
To: Tim Hollebeek ; CA/Browser Forum Public 
Discussion List 
Cc: Ryan Sleevi 
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

On Fri, Sep 14, 2018 at 11:40 AM Tim Hollebeek via Public <public@cabforum.org> wrote:

Ryan,

 

I am not Ryan, but...

 

Unfortunately, as a native Californian, I am a very non-violent person, and the 
Code of Conduct explicitly forbids violence, so can we be in utterly 
non-violent agreement about the fact that the Validation WG is already an SCWG 
subcommittee?   That will make it clear we have time to discuss rules about 
how subcommittees function and come to a consensus about what the right 
solution is.

 

I partially agree with you. The bylaws section 5.3.1(e) says in part that "A 
CWG-created Subcommittee needs to be approved by the CWG itself according to 
the approval process set forth in the CWG charter..." Since there is no 
approval process defined in the SCWG charter, one could argue that any form of 
approval is acceptable. However, I don't consider the LWG Chair's declaration 
that the LWG is converting to a Subcommittee to be a form of approval by the 
CWG. So I still think it would be best to put this one to a vote. 

 

In the meantime, I would like to once again re-iterate that the Validation 
Subcommittee will, to the best of its ability, continue functioning as it 
historically has.  That includes publicly available discussions, agendas, and 
meeting notes.  We have a lot of very important work we are doing, and it is 
important we are able to continue making progress.

 

I completely agree.

 

-Tim

 

From: Ryan Sleevi <sle...@google.com>
Sent: Friday, September 14, 2018 1:54 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: CABFPub <public@cabforum.org>; Kirk Hall 
<kirk.h...@entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

We're in violent agreement, Tim. :)

 

But there's still an issue to solve. The bylaws don't establish how 
subcommittees are run - minutes and lists are two examples. Whether or not a 
chair is another. That's the sort of problem that a ballot is needed to resolve 
- not the conversion. That's just 5.3.1(d) and (e).

 

On Fri, Sep 14, 2018 at 1:38 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:

What the Bylaws actually say is:

 

“5.3.4 Legacy Working Groups Any “Legacy” Working Groups (“LWG”) in existence 
when this Bylaws v.1.8 is approved by the Forum shall have the option of (a) 
converting to a Subcommittee under a CWG pursuant to Section 5.3.1(e), 

Re: [cabfpub] Public Digest, Vol 77, Issue 81

2018-09-14 Thread Ryan Sleevi via Public
's better to let these fall down than to support them with fundamental
> flaws.
>
>
>
> Concrete feedback is:
>
> Delete: "These renewed NCSSR documents will serve CAs, auditors and
> browsers in giving a state of the art set of rules for the deployment and
> operation of CAs computing infrastructures."
>
> Rationale: That presumes this output will be valid/valuable.
>
>
>
> Delete: "The Subcommittee may choose its own initial Chair."
>
> Rationale: Subcommittees don't have Chairs and votes. They're just
> meetings of the CWG with focus.
>
>
>
> Delete: "The Network Security Subcommittee shall produce one or more
> documents offering options to the Forum for establishing minimal security
> standards within the scope defined above, which may be used to modify the
> existing NCSSRs."
>
> Rationale: This is pretty much a non-scope as worded, but worse,
> precludes some of the very activities you want to do. For example,
> reforming existing requirements doesn't establish minimums, so is out of
> scope.
>
>
>
> Obviously, that leaves you with nothing left. Hopefully there's something
> concrete you think should remain, and you can suggest improvements there.
>
>
>
>
>
>
>
> On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall 
> wrote:
>
> On this ballot and Ballot SC10, I’m only going to consider comments and
> criticisms that propose specific alternate language that you will support.
> We have spent two months on creation of Subcommittees that simply continue
> the work we have been doing, and getting nowhere.  Time to finish up!
>
>
>
> Do you have specific alternate ballot language you want the Members to
> consider?  If so, please post.
>
>
>
> *From:* Ryan Sleevi [mailto:sle...@google.com]
> *Sent:* Thursday, September 13, 2018 2:55 PM
> *To:* Kirk Hall ; CABFPub <
> public@cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network
> Security Subcommittee of the SCWG
>
>
>
> On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public 
> wrote:
>
> *Scope: *Revising and improving the Network and Certificate Systems
> Security Requirements (NCSSRs).
>
>
> *Out of Scope: *No provision.
>
> *Deliverables: *The Network Security Subcommittee shall produce one or
> more documents offering options to the Forum for establishing minimal
> security standards within the scope defined above, which may be used to
> modify the existing NCSSRs. These renewed NCSSR documents will serve CAs,
> auditors and browsers in giving a state of the art set of rules for the
> deployment and operation of CAs computing infrastructures.  The
> Subcommittee may choose its own initial Chair.
>
>
>
> Is this Deliverable correct? Is that scope correct? The previous WG
> produced (only after significant prodding) a statement about 'options' -
> which was to modifying the existing NCSSRs. It seems like we're talking now
> about concrete recommendations for changes, and it seems more relevant to
> note what is in scope or out of scope.
>
>
>
> I disagree that the deliverable affirmatively stating "will serve CA,
> auditors, and browsers".
>
>
>
> However, there's other, more fundamental problems. Most notable is that
> Subcommittees aren't established to have Chairs - the point of the rework
> of the Bylaws was to make it clearer what activities are done and how they
> fit, and a SCWG subcommittee is just that - a subgroup of the SCWG. The
> other is that the SCWG does not yet have a defined process for the
> establishment of subcommittees.
>
>
> --
>
> Message: 2
> Date: Fri, 14 Sep 2018 16:29:38 +
> From: Tim Hollebeek 
> To: Ryan Sleevi 
> Cc: CABFPub 
> Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security
> Subcommittee of the SCWG
> Message-ID:
> <
> bn6pr14mb11066d38b44b3bf97d0857d883...@bn6pr14mb1106.namprd14.prod.outlook.com
> >
>
> Content-Type: text/plain; charset="utf-8"
>
> My ballot that I didn’t get around to writing would have had something
> like:
>
>
>
> “The current Bylaws lack clarity and precision about the functioning of
> subcommittees.  Until such a time as that is corrected, subcommittees
> created from LWGs shall operate in the same manner as pre-gov

Re: [cabfpub] Public Digest, Vol 77, Issue 81

2018-09-14 Thread Virginia Fournier via Public
 
> Delete: "The Network Security Subcommittee shall produce one or more
> documents offering options to the Forum for establishing minimal security
> standards within the scope defined above, which may be used to modify the
> existing NCSSRs."
> 
> Rationale: This is pretty much a non-scope as worded, but worse,
> precludes some of the very activities you want to do. For example,
> reforming existing requirements doesn't establish minimums, so is out of
> scope.
> 
> 
> 
> Obviously, that leaves you with nothing left. Hopefully there's something
> concrete you think should remain, and you can suggest improvements there.
> 
> 
> 
> 
> 
> 
> 
> On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall 
> wrote:
> 
> On this ballot and Ballot SC10, I’m only going to consider comments and
> criticisms that propose specific alternate language that you will support.
> We have spent two months on creation of Subcommittees that simply continue
> the work we have been doing, and getting nowhere.  Time to finish up!
> 
> 
> 
> Do you have specific alternate ballot language you want the Members to
> consider?  If so, please post.
> 
> 
> 
> *From:* Ryan Sleevi [mailto:sle...@google.com]
> *Sent:* Thursday, September 13, 2018 2:55 PM
> *To:* Kirk Hall ; CABFPub <
> public@cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network
> Security Subcommittee of the SCWG
> 
> 
> 
> On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public 
> wrote:
> 
> *Scope: *Revising and improving the Network and Certificate Systems
> Security Requirements (NCSSRs).
> 
> 
> *Out of Scope: *No provision.
> 
> *Deliverables: *The Network Security Subcommittee shall produce one or
> more documents offering options to the Forum for establishing minimal
> security standards within the scope defined above, which may be used to
> modify the existing NCSSRs. These renewed NCSSR documents will serve CAs,
> auditors and browsers in giving a state of the art set of rules for the
> deployment and operation of CAs computing infrastructures.  The
> Subcommittee may choose its own initial Chair.
> 
> 
> 
> Is this Deliverable correct? Is that scope correct? The previous WG
> produced (only after significant prodding) a statement about 'options' -
> which was to modifying the existing NCSSRs. It seems like we're talking now
> about concrete recommendations for changes, and it seems more relevant to
> note what is in scope or out of scope.
> 
> 
> 
> I disagree that the deliverable affirmatively stating "will serve CA,
> auditors, and browsers".
> 
> 
> 
> However, there's other, more fundamental problems. Most notable is that
> Subcommittees aren't established to have Chairs - the point of the rework
> of the Bylaws was to make it clearer what activities are done and how they
> fit, and a SCWG subcommittee is just that - a subgroup of the SCWG. The
> other is that the SCWG does not yet have a defined process for the
> establishment of subcommittees.
> 

--

Message: 2
Date: Fri, 14 Sep 2018 16:29:38 +
From: Tim Hollebeek 
To: Ryan Sleevi 
Cc: CABFPub 
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security
Subcommittee of the SCWG

My ballot that I didn’t get around to writing would have had something like:



“The current Bylaws lack clarity and precision about the functioning of 
subcommittees.  Until such a time as that is corrected, subcommittees created 
from LWGs shall operate in the same manner as pre-governance reform working 
groups.”



Would that help?



-Tim



P.S. I asked the Validation WG chair if the Validation Subcommittee would 
continue using the validation mailing list, and continue to produce agendas and 
minutes, and he said yes.



From: Ryan Sleevi  
Sent: Friday, September 14, 2018 12:19 PM
To: Tim Hollebeek 
Cc: Wayne Thayer ; CABFPub 
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security 
Subcommittee of the SCWG



Subcommittees don't have requirements for minutes or publicly-available notes.



That's the point. All this thinking about subcommittees working "just like" 
LWGs is not the case. All of that was lost from the Bylaws. A subcommittee can 
just be two people having a chat, at least as written in the Bylaws today.



There's nothi

Re: [cabfpub] [Servercert-wg] Ballot FORUM-4 v3

2018-09-14 Thread James Burton via Public
I haven't got any influence in these proceedings at all but I feel that
maybe the forum could use another platform for ballots.

On Fri, Sep 14, 2018 at 7:50 PM Tim Hollebeek via Servercert-wg <
servercert...@cabforum.org> wrote:

>
>
> As no additional typos or mistakes appear to have been found in the
> proposed redline, Ballot FORUM-4 v2 is hereby withdrawn, and this new
> Ballot FORUM-4 v3 submitted in its place.  Apologies for not including the
> latest ETSI fixes; I really wanted to include them, but I’m just worried
> that discussion may not be over yet.
>
>
>
> Ballot FORUM-4 v3: Fix mistakes made during passage of Governance Reform
> Ballot 206
>
>
>
> Purpose of Ballot
>
>
>
> The Governance Reform ballot (Ballot 206 under the old ballot numbering
> scheme) was extremely complicated and took roughly two years to draft.
>
> The changes to the Bylaws from Ballot 216 were intended to be included in
> the Governance Reform ballot, but were accidentally not included.
>
>
>
> The attached version of the Bylaws restores the important discussion
> period changes that were approved by the members but then accidentally
> overwritten.
>
>
>
> The following motion has been proposed by Tim Hollebeek of DigiCert and
> endorsed by Wayne Thayer of Mozilla and Moudrick Dadashov of SSC.
>
>
>
> --- MOTION BEGINS ---
>
>
>
> This ballot replaces the “Bylaws of the CA/Browser Forum” version 1.9 with
> version 2.0 of those Bylaws, attached to this ballot.
>
>
>
> --- MOTION ENDS ---
>
>
>
> The procedure for approval of this ballot is as follows:
>
>
>
> Discussion (7 days)
>
>
>
> Start Time: 2018-09-14, 2:50 pm Eastern Time
>
>
>
> End Time: 2018-09-21, 2:50 pm Eastern Time
>
>
>
> Vote for approval (7 days)
>
>
>
> Start Time: 2018-09-21, 2:50 pm Eastern Time
>
>
>
> End Time: 2018-09-28, 2:50 pm Eastern Time
>
>
>
>
> ___
> Servercert-wg mailing list
> servercert...@cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>


Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Wayne Thayer via Public
On Fri, Sep 14, 2018 at 11:40 AM Tim Hollebeek via Public <
public@cabforum.org> wrote:

> Ryan,
>
>
>
I am not Ryan, but...

> Unfortunately, as a native Californian, I am a very non-violent person, and
> the Code of Conduct explicitly forbids violence, so can we be in utterly
> non-violent agreement about the fact that the Validation WG is already an
> SCWG subcommittee?   That will make it clear we have time to discuss
> rules about how subcommittees function and come to a consensus about what
> the right solution is.
>
>
>
I partially agree with you. The bylaws section 5.3.1(e) says in part that
"A CWG-created Subcommittee needs to be approved by the CWG itself
according to the approval process set forth in the CWG charter..." Since
there is no approval process defined in the SCWG charter, one could argue
that any form of approval is acceptable. However, I don't consider the LWG
Chair's declaration that the LWG is converting to a Subcommittee to be a
form of approval by the CWG. So I still think it would be best to put this
one to a vote.

> In the meantime, I would like to once again re-iterate that the Validation
> Subcommittee will, to the best of its ability, continue functioning as it
> historically has.  That includes publicly available discussions, agendas,
> and meeting notes.  We have a lot of very important work we are doing, and
> it is important we are able to continue making progress.
>
>
>
I completely agree.

> -Tim
>
>
>
> *From:* Ryan Sleevi 
> *Sent:* Friday, September 14, 2018 1:54 PM
> *To:* Tim Hollebeek 
> *Cc:* CABFPub ; Kirk Hall <
> kirk.h...@entrustdatacard.com>
> *Subject:* Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the
> Network Security Subcommittee of the SCWG
>
>
>
> We're in violent agreement, Tim. :)
>
>
>
> But there's still an issue to solve. The bylaws don't establish how
> subcommittees are run - minutes and lists are two examples. Whether or not
> a chair is another. That's the sort of problem that a ballot is needed to
> resolve - not the conversion. That's just 5.3.1(d) and (e).
>
>
>
> On Fri, Sep 14, 2018 at 1:38 PM Tim Hollebeek 
> wrote:
>
> What the Bylaws actually say is:
>
>
>
> “5.3.4 Legacy Working Groups Any “Legacy” Working Groups (“LWG”) in
> existence when this Bylaws v.1.8 is approved by the Forum shall have the
> option of (a) converting to a Subcommittee under a CWG pursuant to Section
> 5.3.1(e), (b) immediately terminating, or (c) continuing in effect without
> change for 6 months following such approval. For an LWG to continue beyond
> such 6 months, it must have a charter approved as described in Section
> 5.3.1 above, as if it was a new Working Group.”
>
>
>
> The Validation Working Group has expressed its intention to become a
> Subcommittee at every opportunity.  Those who continually seek to deny it
> that option are clearly in violation of the Bylaws.
>
>
>
> Once again, the Validation Working Group has selected option (a).  If we
> want a Ballot to confirm that, we can have a ballot, but I will not allow
> members to obstruct the LWG’s right to choose option (a), a right the
> Working Group clearly has, as stated in the Bylaws.
>
>
>
> -Tim
>
>
>
>


[cabfpub] VOTING HAS STARTED Ballot Forum-2 - Chair and Vice-Chair Term Extensions

2018-09-14 Thread Ben Wilson via Public
VOTING HAS STARTED.

 

DigiCert votes "YES"

 

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Ben Wilson
via Public
Sent: Wednesday, September 5, 2018 9:35 PM
To: CABFPub <public@cabforum.org>
Subject: [EXTERNAL][cabfpub] Ballot Forum-2 - Chair and Vice-Chair Term
Extensions

 

Ballot Forum-2 - Chair and Vice-Chair Term Extensions

 

Ben Wilson of DigiCert calls the following proposed ballot to be published
for discussion and comment by the CABF membership. 

 

Dimitris Zacharopoulos of HARICA and Jos Purvis of Cisco have endorsed the
proposed ballot.  

 

Explanation of Ballot: 

 

Kirk Hall was elected to a two-year term as Chair of the Forum by Ballot
177, and Ben Wilson was elected to a two-year term as Vice Chair of the
Forum by Ballot 178.  Their terms run from October 22, 2016 through October
21, 2018.  The Forum wishes to extend these terms by 10 days, to run through
October 31, 2018, in order that their successors can be elected to new
two-year terms starting on November 1, 2018, by separate ballots and so that
there will be no gap in leadership.

 

---Ballot Begins --- 

 

Kirk Hall's term as Chair of the CA/Browser Forum is hereby extended from
October 21, 2018 through October 31, 2018, and Ben Wilson's term as Vice
Chair of the CA/Browser Forum is hereby extended from October 21, 2018
through October 31, 2018. 

 

---Ballot Ends ---

 

The procedure for approval of this ballot is as follows:

 

Discussion Period (7 days)
Start Time: 6-Sept-2018 16:00:00 UTC
End Time: 13-Sept-2018 16:00:00 UTC

Voting Period (7 days)
Start Time: 13-Sept-2018 16:00:00 UTC
End Time: 20-Sept-2018 16:00:00 UTC

 

 





[cabfpub] Ballot FORUM-4 v3

2018-09-14 Thread Tim Hollebeek via Public
 

As no additional typos or mistakes appear to have been found in the proposed
redline, Ballot FORUM-4 v2 is hereby withdrawn, and this new Ballot FORUM-4
v3 submitted in its place.  Apologies for not including the latest ETSI
fixes; I really wanted to include them, but I'm just worried that discussion
may not be over yet.

 

Ballot FORUM-4 v3: Fix mistakes made during passage of Governance Reform
Ballot 206

 

Purpose of Ballot

 

The Governance Reform ballot (Ballot 206 under the old ballot numbering
scheme) was extremely complicated and took roughly two years to draft. 

The changes to the Bylaws from Ballot 216 were intended to be included in
the Governance Reform ballot, but were accidentally not included.

 

The attached version of the Bylaws restores the important discussion period
changes that were approved by the members but then accidentally overwritten.

 

The following motion has been proposed by Tim Hollebeek of DigiCert and
endorsed by Wayne Thayer of Mozilla and Moudrick Dadashov of SSC.

 

--- MOTION BEGINS ---

 

This ballot replaces the "Bylaws of the CA/Browser Forum" version 1.9 with
version 2.0 of those Bylaws, attached to this ballot.

 

--- MOTION ENDS ---

 

The procedure for approval of this ballot is as follows:

 

Discussion (7 days)

 

Start Time: 2018-09-14, 2:50 pm Eastern Time

 

End Time: 2018-09-21, 2:50 pm Eastern Time

 

Vote for approval (7 days)

 

Start Time: 2018-09-21, 2:50 pm Eastern Time

 

End Time: 2018-09-28, 2:50 pm Eastern Time

 

 



CABF-Bylaws-v.2.0-redline-for-ballot v3.docx
Description: MS-Word 2007 document




Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Tim Hollebeek via Public
Ryan,

 

Unfortunately, as a native Californian, I am a very non-violent person, and the 
Code of Conduct explicitly forbids violence, so can we be in utterly 
non-violent agreement about the fact that the Validation WG is already an SCWG 
subcommittee?   That will make it clear we have time to discuss rules about 
how subcommittees function and come to a consensus about what the right 
solution is.

 

In the meantime, I would like to once again re-iterate that the Validation 
Subcommittee will, to the best of its ability, continue functioning as it 
historically has.  That includes publicly available discussions, agendas, and 
meeting notes.  We have a lot of very important work we are doing, and it is 
important we are able to continue making progress.

 

-Tim

 

From: Ryan Sleevi  
Sent: Friday, September 14, 2018 1:54 PM
To: Tim Hollebeek 
Cc: CABFPub ; Kirk Hall 
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

We're in violent agreement, Tim. :)

 

But there's still an issue to solve. The bylaws don't establish how 
subcommittees are run - minutes and lists are two examples. Whether or not a 
chair is another. That's the sort of problem that a ballot is needed to resolve 
- not the conversion. That's just 5.3.1(d) and (e).

 

On Fri, Sep 14, 2018 at 1:38 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:

What the Bylaws actually say is:

 

“5.3.4 Legacy Working Groups Any “Legacy” Working Groups (“LWG”) in existence 
when this Bylaws v.1.8 is approved by the Forum shall have the option of (a) 
converting to a Subcommittee under a CWG pursuant to Section 5.3.1(e), (b) 
immediately terminating, or (c) continuing in effect without change for 6 
months following such approval. For an LWG to continue beyond such 6 months, it 
must have a charter approved as described in Section 5.3.1 above, as if it was 
a new Working Group.”

 

The Validation Working Group has expressed its intention to become a 
Subcommittee at every opportunity.  Those who continually seek to deny it that 
option are clearly in violation of the Bylaws.

 

Once again, the Validation Working Group has selected option (a).  If we want a 
Ballot to confirm that, we can have a ballot, but I will not allow members to 
obstruct the LWG’s right to choose option (a), a right the Working Group 
clearly has, as stated in the Bylaws.

 

-Tim

 

From: Public <public-boun...@cabforum.org> On Behalf Of Ryan Sleevi via Public
Sent: Friday, September 14, 2018 1:22 PM
To: Kirk Hall <kirk.h...@entrustdatacard.com>; CABFPub <public@cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

Kirk,

 

You have a real opportunity to resolve these issues, and I hope you will 
incorporate that feedback into consideration. There are now multiple threads, 
in part because some of your forked replies, but to summarize where we stand:

 

Nothing in the Bylaws requires resolution on/by October 3, other than that they 
will cease to be LWGs.

While no longer LWGs, if they choose to be subcommittees, then it has to be 
done using the process defined by the SCWG.

The SCWG has not defined or balloted its process for these.

If you're proposing that these ballots use an assumed process that is not 
specified, we're opposed and remain opposed, because having the Forum and the 
Chair make up process continues to undermine the legitimacy of the Forum and 
its value, needlessly and irresponsibly.

 

If you feel it's important to establish these before Oct 3 - which it isn't, 
procedurally - then one path you can do that can resolve the feedback and 
concerns is to actually spell out the things you are assuming, such as that 
subcommittees will produce minutes, operate on public lists, allow 
participation, etc. This is not difficult, it's just more work - but that's the 
cost of doing things right, you sometimes have to put a bit of effort in to do 
it right.

 

As you can see from those minutes, this has been known to be a problem for 
months. The proposal was simple: "Dimitris again noted that new Bylaw 5.3.1(e) 
did not provide for a method for creating Subcommittees, and maybe the Bylaws 
or Charter should be amended to provide a method, and Wayne agreed."

 

There's still no definition for how the Subcommittee will operate, and that 
should be in the ballot to form it, since the Chair did not propose a ballot 
based on the Doodle Poll that the Chair conducted for a matter the Chair 
brought to resolve.

 

On Fri, Sep 14, 2018 at 1:08 PM Kirk Hall via Public <public@cabforum.org> wrote:

Exactly right.  To add one other point – I am the one who proposed we allow 
“Subcommittees” in the new Working Groups during the early discussions in the 
Governance Change Working Group that led to Ballot 206.  I chose the name 
“Subcommittee” to avoid confusion (as we were now using the 

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Ryan Sleevi via Public
We're in violent agreement, Tim. :)

But there's still an issue to solve. The bylaws don't establish how
subcommittees are run - minutes and lists are two examples. Whether or not
a chair is another. That's the sort of problem that a ballot is needed to
resolve - not the conversion. That's just 5.3.1(d) and (e).

On Fri, Sep 14, 2018 at 1:38 PM Tim Hollebeek 
wrote:

> What the Bylaws actually say is:
>
>
>
> “5.3.4 Legacy Working Groups Any “Legacy” Working Groups (“LWG”) in
> existence when this Bylaws v.1.8 is approved by the Forum shall have the
> option of (a) converting to a Subcommittee under a CWG pursuant to Section
> 5.3.1(e), (b) immediately terminating, or (c) continuing in effect without
> change for 6 months following such approval. For an LWG to continue beyond
> such 6 months, it must have a charter approved as described in Section
> 5.3.1 above, as if it was a new Working Group.”
>
>
>
> The Validation Working Group has expressed its intention to become a
> Subcommittee at every opportunity.  Those who continually seek to deny it
> that option are clearly in violation of the Bylaws.
>
>
>
> Once again, the Validation Working Group has selected option (a).  If we
> want a Ballot to confirm that, we can have a ballot, but I will not allow
> members to obstruct the LWG’s right to choose option (a), a right the
> Working Group clearly has, as stated in the Bylaws.
>
>
>
> -Tim
>
>
>
> *From:* Public  *On Behalf Of *Ryan Sleevi
> via Public
> *Sent:* Friday, September 14, 2018 1:22 PM
> *To:* Kirk Hall ; CABFPub <
> public@cabforum.org>
> *Subject:* Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the
> Network Security Subcommittee of the SCWG
>
>
>
> Kirk,
>
>
>
> You have a real opportunity to resolve these issues, and I hope you will
> incorporate that feedback into consideration. There are now multiple
> threads, in part because some of your forked replies, but to summarize
> where we stand:
>
>
>
> Nothing in the Bylaws requires resolution on/by October 3, other than that
> they will cease to be LWGs.
>
> While no longer LWGs, if they choose to be subcommittees, then it has to
> be done using the process defined by the SCWG.
>
> The SCWG has not defined or balloted its process for these.
>
> If you're proposing that these ballots use an assumed process that is not
> specified, we're opposed and remain opposed, because having the Forum and
> the Chair make up process continues to undermine the legitimacy of the
> Forum and its value, needlessly and irresponsibly.
>
>
>
> If you feel it's important to establish these before Oct 3 - which it
> isn't, procedurally - then one path you can do that can resolve the
> feedback and concerns is to actually spell out the things you are assuming,
> such as that subcommittees will produce minutes, operate on public lists,
> allow participation, etc. This is not difficult, it's just more work - but
> that's the cost of doing things right, you sometimes have to put a bit of
> effort in to do it right.
>
>
>
> As you can see from those minutes, this has been known to be a problem for
> months. The proposal was simple: "Dimitris again noted that new Bylaw
> 5.3.1(e) did not provide for a method for creating Subcommittees, and maybe
> the Bylaws or Charter should be amended to provide a method, and Wayne
> agreed."
>
>
>
> There's still no definition for how the Subcommittee will operate, and
> that should be in the ballot to form it, since the Chair did not propose a
> ballot based on the Doodle Poll that the Chair conducted for a matter the
> Chair brought to resolve.
>
>
>
> On Fri, Sep 14, 2018 at 1:08 PM Kirk Hall via Public 
> wrote:
>
> Exactly right.  To add one other point – I am the one who proposed we
> allow “Subcommittees” in the new Working Groups during the early
> discussions in the Governance Change Working Group that led to Ballot 206.
> I chose the name “Subcommittee” to avoid confusion (as we were now using
> the term “Working Group” to refer to the main group that needed
> Subcommittees to do preliminary work on ballot proposal), but I made it
> clear at the time that the new Subcommittees of the new Working Groups
> would function exactly the same as the old Working Groups of the Forum.
> There was no confusion or argument on this point among the Governance
> Change participants.
>
>
>
> I personally don’t see the need for yet more work to further define
> Subcommittees in the Bylaws, but will not object if others want to work on
> that.  In the meantime, we need to move forward on creating the Validation
> and NetSec Subcommittees so they can continue their work after October 3
> (and can meet as part of the Tuesday agenda at the Shanghai F2F meeting
> next month).  Those who don’t like the process can always vote no.
>
>
>
> I will present a revised draft of SC9 and SC10 later today taking into
> account the comments already received.
>
>
>
> *From:* Dimitris Zacharopoulos [mailto:ji...@it.auth.gr]
> *Sent:* Thursday, 

Re: [cabfpub] Ballot SC6 v3 - Revocation Timeline Extension

2018-09-14 Thread Peter Miškovič via Public
Disig votes „Yes“ on Ballot SC6 version 3.

Regards
Peter

From: Public  On Behalf Of Wayne Thayer via Public
Sent: Monday, September 10, 2018 8:54 PM
To: CA/B Forum Server Certificate WG Public Discussion List 

Cc: CA/Browser Forum Public Discussion List 
Subject: Re: [cabfpub] Ballot SC6 v3 - Revocation Timeline Extension

This ballot entered the voting period late on Friday. Voting ends this Friday 
2018-09-14 at 20:00 UTC.

On Fri, Aug 31, 2018 at 12:51 PM Wayne Thayer <wtha...@mozilla.com> wrote:
Here is version 3 of this ballot, incorporating changes to v2 suggested by 
Bruce and Ryan (thanks!).

I noticed that our current bylaws have reverted back to a fixed-length 
discussion period, so I have changed this version to comply.

==


Purpose of Ballot:
Section 4.9.1.1 of the Baseline Requirements currently requires CAs to revoke a 
Subscriber certificate within 24 hours of identifying any of 15 issues 
affecting the certificate. In cases where there is not an immediate threat of 
misuse of the certificate, this requirement can cause undue harm to a 
Subscriber that isn't capable of replacing the certificate prior to revocation. 
This ballot makes a number of improvements to the revocation rules imposed by 
the Baseline Requirements:
* Primarily, it creates a tiered timeline for revocations. The most critical 
"reasons" still require revocation within 24 hours, but for many others 24 
hours becomes a SHOULD and the CA has 5 days before they MUST revoke.
* A new "reason for revocation" was added to address the fact that there is 
currently no requirement for CAs to revoke a certificate when requested by the 
domain name registrant. After considering some more specific language that 
required CAs to follow 3.2.2.4 to validate domain control, I settled on the 
following more general "reason": "The CA obtains evidence that the validation 
of domain authorization or control for any Fully-Qualified Domain Name or IP 
address in the Certificate should not be relied upon."
* Reason #10 states "The CA determines that any of the information appearing in 
the Certificate is inaccurate or misleading;" This ballot removes "or 
misleading" because that is a subjective judgement that could effectively be 
used to justify censorship, as discussed at length in relation to the "Stripe, 
Inc of Kentucky" EV certificates.
* Current reasons #11 and #13 were removed from the section on subscriber 
certificates because they address cases where the intermediate and/or root must 
be revoked, so there isn't much sense (and some possible harm) in requiring 
revocation of all the leaf certs.
* It requires CAs to disclose their problem reporting mechanisms in a standard 
location: CPS section 1.5.2.
* Within 24 hours of receiving a problem report, the CA is now required to 
report back to both the entity reporting the problem and the Subscriber on the 
CA's findings, and to work with the reporter and Subscriber to establish a date 
by which the CA will revoke the certificate.

The following motion has been proposed by  Wayne Thayer of Mozilla and endorsed 
by Tim Hollebeek of DigiCert and Dimitris Zacharopoulos of Harica.


--- MOTION BEGINS ---

This ballot modifies the “Baseline Requirements for the 
Issuance and Management of Publicly-Trusted Certificates” as follows, based on 
Version 1.6.0:



** Modify the definition of Key Compromise as follows: **
Key Compromise: A Private Key is said to be compromised if its value has been 
disclosed to an unauthorized person or an unauthorized person has had access to 
it.

** Modify Section 4.9.1 to read as follows: **



4.9.1.1 Reasons for Revoking a Subscriber Certificate

The CA SHALL revoke a Certificate within 24 hours if one or more of the 
following occurs:
1. The Subscriber requests in writing that the CA revoke the Certificate;
2. The Subscriber notifies the CA that the original certificate request was not 
authorized and does not retroactively grant authorization;
3. The CA obtains evidence that the Subscriber's Private Key corresponding to 
the Public Key in the Certificate suffered a Key Compromise; or
4. The CA obtains evidence that the validation of domain authorization or 
control for any Fully-Qualified Domain Name or IP address in the Certificate 
should not be relied upon.

The CA SHOULD revoke a certificate within 24 hours and MUST revoke a 
Certificate within 5 days if one or more of the following occurs:
1. The Certificate no longer complies with the requirements of Sections 6.1.5 
and 6.1.6;
2. The CA obtains evidence that the Certificate was misused;
3. The CA is made aware that a Subscriber has violated one or more of its 
material obligations under the Subscriber Agreement or Terms of Use;
4. The CA is made aware of any circumstance indicating that use of a 
Fully-Qualified Domain Name or IP address in the Certificate is no longer 
legally permitted (e.g. a court or arbitrator has revoked a Domain Name 

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Tim Hollebeek via Public
As I’ve repeatedly pointed out every time it’s come up, there’s no support in 
the Bylaws for these additional obstacles to the Validation Working Group’s 
clearly expressed choice of option (a).

 

-Tim

 

From: Public  On Behalf Of Ryan Sleevi via Public
Sent: Friday, September 14, 2018 1:37 PM
To: Kirk Hall 
Cc: CABFPub 
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

That's a fairly broad misrepresentation. It hasn't been stalemated - it's that 
someone who said they'd work on it has not made any apparent effort to put 
forward.

 

Since that conversation in July, in which members agreed upon the problem 
statement and proposed path forward, no actual concrete proposal was made. Now 
we see a concrete proposal, with issues, and it seems you have no interest in 
resolving those issues. Perhaps if you'd put forth a concrete proposal 2 months 
ago, it wouldn't feel like a stalemate?

 

In any event, it's not correct there's a stalemate. There's been relatively 
good agreement on the problem, and it's just that the proposed solution - which 
has only come forward in the past few days after relatively limited discussion 
- is significantly flawed for the problem.

 

On Fri, Sep 14, 2018 at 1:27 PM Kirk Hall <kirk.h...@entrustdatacard.com> wrote:

This discussion is no longer productive – we have been stalemated for two 
months or so, and I don’t think most members agree with your approach.  It 
would probably be best for just to just vote no on the ballots, but *also* 
volunteer to work with Ben to amend the Bylaws in whatever way you think is 
needed.

 

From: Ryan Sleevi [mailto:sle...@google.com]
Sent: Friday, September 14, 2018 10:22 AM
To: Kirk Hall <kirk.h...@entrustdatacard.com>; CABFPub <public@cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

Kirk,

 

You have a real opportunity to resolve these issues, and I hope you will 
incorporate that feedback into consideration. There are now multiple threads, 
in part because some of your forked replies, but to summarize where we stand:

 

Nothing in the Bylaws requires resolution on/by October 3, other than that they 
will cease to be LWGs.

While no longer LWGs, if they choose to be subcommittees, then it has to be 
done using the process defined by the SCWG.

The SCWG has not defined or balloted its process for these.

If you're proposing that these ballots use an assumed process that is not 
specified, we're opposed and remain opposed, because having the Forum and the 
Chair make up process continues to undermine the legitimacy of the Forum and 
its value, needlessly and irresponsibly.

 

If you feel it's important to establish these before Oct 3 - which it isn't, 
procedurally - then one path you can do that can resolve the feedback and 
concerns is to actually spell out the things you are assuming, such as that 
subcommittees will produce minutes, operate on public lists, allow 
participation, etc. This is not difficult, it's just more work - but that's the 
cost of doing things right, you sometimes have to put a bit of effort in to do 
it right.

 

As you can see from those minutes, this has been known to be a problem for 
months. The proposal was simple: "Dimitris again noted that new Bylaw 5.3.1(e) 
did not provide for a method for creating Subcommittees, and maybe the Bylaws 
or Charter should be amended to provide a method, and Wayne agreed."

 

There's still no definition for how the Subcommittee will operate, and that 
should be in the ballot to form it, since the Chair did not propose a ballot 
based on the Doodle Poll that the Chair conducted for a matter the Chair 
brought to resolve.

 

On Fri, Sep 14, 2018 at 1:08 PM Kirk Hall via Public <public@cabforum.org> wrote:

Exactly right.  To add one other point – I am the one who proposed we allow 
“Subcommittees” in the new Working Groups during the early discussions in the 
Governance Change Working Group that led to Ballot 206.  I chose the name 
“Subcommittee” to avoid confusion (as we were now using the term “Working 
Group” to refer to the main group that needed Subcommittees to do preliminary 
work on ballot proposal), but I made it clear at the time that the new 
Subcommittees of the new Working Groups would function exactly the same as the 
old Working Groups of the Forum.  There was no confusion or argument on this 
point among the Governance Change participants.

 

I personally don’t see the need for yet more work to further define 
Subcommittees in the Bylaws, but will not object if others want to work on 
that.  In the meantime, we need to move forward on creating the Validation and 
NetSec Subcommittees so they can continue their work after October 3 (and can 
meet as part of the Tuesday agenda at the Shanghai F2F meeting next month).  
Those who don’t like the 

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Tim Hollebeek via Public
What the Bylaws actually say is:

 

“5.3.4 Legacy Working Groups Any “Legacy” Working Groups (“LWG”) in existence 
when this Bylaws v.1.8 is approved by the Forum shall have the option of (a) 
converting to a Subcommittee under a CWG pursuant to Section 5.3.1(e), (b) 
immediately terminating, or (c) continuing in effect without change for 6 
months following such approval. For an LWG to continue beyond such 6 months, it 
must have a charter approved as described in Section 5.3.1 above, as if it was 
a new Working Group.”

 

The Validation Working Group has expressed its intention to become a 
Subcommittee at every opportunity.  Those who continually seek to deny it that 
option are clearly in violation of the Bylaws.

 

Once again, the Validation Working Group has selected option (a).  If we want a 
Ballot to confirm that, we can have a ballot, but I will not allow members to 
obstruct the LWG’s right to choose option (a), a right the Working Group 
clearly has, as stated in the Bylaws.

 

-Tim

 

From: Public  On Behalf Of Ryan Sleevi via Public
Sent: Friday, September 14, 2018 1:22 PM
To: Kirk Hall ; CABFPub 
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

Kirk,

 

You have a real opportunity to resolve these issues, and I hope you will 
incorporate that feedback into consideration. There are now multiple threads, 
in part because of some of your forked replies, but to summarize where we stand:

 

Nothing in the Bylaws requires resolution on/by October 3, other than that they 
will cease to be LWGs.

While no longer LWGs, if they choose to be subcommittees, then it has to be 
done using the process defined by the SCWG.

The SCWG has not defined or balloted its process for these.

If you're proposing that these ballots use an assumed process that is not 
specified, we're opposed and remain opposed, because having the Forum and the 
Chair make up process continues to undermine the legitimacy of the Forum and 
its value, needlessly and irresponsibly.

 

If you feel it's important to establish these before Oct 3 - which it isn't, 
procedurally - then one path you can do that can resolve the feedback and 
concerns is to actually spell out the things you are assuming, such as that 
subcommittees will produce minutes, operate on public lists, allow 
participation, etc. This is not difficult, it's just more work - but that's the 
cost of doing things right, you sometimes have to put a bit of effort in to do 
it right.

 

As you can see from those minutes, this has been known to be a problem for 
months. The proposal was simple: "Dimitris again noted that new Bylaw 5.3.1(e) 
did not provide for a method for creating Subcommittees, and maybe the Bylaws 
or Charter should be amended to provide a method, and Wayne agreed."

 

There's still no definition for how the Subcommittee will operate, and that 
should be in the ballot to form it, since the Chair did not propose a ballot 
based on the Doodle Poll that the Chair conducted for a matter the Chair 
brought to resolve.

 

On Fri, Sep 14, 2018 at 1:08 PM Kirk Hall via Public <public@cabforum.org> wrote:

Exactly right.  To add one other point – I am the one who proposed we allow 
“Subcommittees” in the new Working Groups during the early discussions in the 
Governance Change Working Group that led to Ballot 206.  I chose the name 
“Subcommittee” to avoid confusion (as we were now using the term “Working 
Group” to refer to the main group that needed Subcommittees to do preliminary 
work on ballot proposal), but I made it clear at the time that the new 
Subcommittees of the new Working Groups would function exactly the same as the 
old Working Groups of the Forum.  There was no confusion or argument on this 
point among the Governance Change participants.

 

I personally don’t see the need for yet more work to further define 
Subcommittees in the Bylaws, but will not object if others want to work on 
that.  In the meantime, we need to move forward on creating the Validation and 
NetSec Subcommittees so they can continue their work after October 3 (and can 
meet as part of the Tuesday agenda at the Shanghai F2F meeting next month).  
Those who don’t like the process can always vote no.

 

I will present a revised draft of SC9 and SC10 later today taking into account 
the comments already received.

 

From: Dimitris Zacharopoulos [mailto:ji...@it.auth.gr]
Sent: Thursday, September 13, 2018 10:43 PM
To: Ryan Sleevi <sle...@google.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Kirk Hall <kirk.h...@entrustdatacard.com>
Subject: [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

It looks like a similar conversation was captured in the minutes of previous 
Server Certificate WG teleconferences.

*   https://cabforum.org/2018/07/12/2018-07-12-scwg-minutes/ 

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Ryan Sleevi via Public
That's a fairly broad misrepresentation. It hasn't been stalemated - it's
that someone who said they'd work on it has not made any apparent effort to
put forward.

Since that conversation in July, in which members agreed upon the problem
statement and proposed path forward, no actual concrete proposal was made.
Now we see a concrete proposal, with issues, and it seems you have no
interest in resolving those issues. Perhaps if you'd put forth a concrete
proposal 2 months ago, it wouldn't feel like a stalemate?

In any event, it's not correct there's a stalemate. There's been relatively
good agreement on the problem, and it's just that the proposed solution -
which has only come forward in the past few days after relatively limited
discussion - is significantly flawed for the problem.

On Fri, Sep 14, 2018 at 1:27 PM Kirk Hall 
wrote:

> This discussion is no longer productive – we have been stalemated for two
> months or so, and I don’t think most members agree with your approach.  It
> would probably be best for just to just vote no on the ballots, but
> *also* volunteer to work with Ben to amend the Bylaws in whatever way
> you think is needed.
>
>
>
> *From:* Ryan Sleevi [mailto:sle...@google.com]
> *Sent:* Friday, September 14, 2018 10:22 AM
> *To:* Kirk Hall ; CABFPub <
> public@cabforum.org>
> *Subject:* Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the
> Network Security Subcommittee of the SCWG
>
>
>
> Kirk,
>
>
>
> You have a real opportunity to resolve these issues, and I hope you will
> incorporate that feedback into consideration. There are now multiple
> threads, in part because of some of your forked replies, but to summarize
> where we stand:
>
>
>
> Nothing in the Bylaws requires resolution on/by October 3, other than that
> they will cease to be LWGs.
>
> While no longer LWGs, if they choose to be subcommittees, then it has to
> be done using the process defined by the SCWG.
>
> The SCWG has not defined or balloted its process for these.
>
> If you're proposing that these ballots use an assumed process that is not
> specified, we're opposed and remain opposed, because having the Forum and
> the Chair make up process continues to undermine the legitimacy of the
> Forum and its value, needlessly and irresponsibly.
>
>
>
> If you feel it's important to establish these before Oct 3 - which it
> isn't, procedurally - then one path you can do that can resolve the
> feedback and concerns is to actually spell out the things you are assuming,
> such as that subcommittees will produce minutes, operate on public lists,
> allow participation, etc. This is not difficult, it's just more work - but
> that's the cost of doing things right, you sometimes have to put a bit of
> effort in to do it right.
>
>
>
> As you can see from those minutes, this has been known to be a problem for
> months. The proposal was simple: "Dimitris again noted that new Bylaw
> 5.3.1(e) did not provide for a method for creating Subcommittees, and maybe
> the Bylaws or Charter should be amended to provide a method, and Wayne
> agreed."
>
>
>
> There's still no definition for how the Subcommittee will operate, and
> that should be in the ballot to form it, since the Chair did not propose a
> ballot based on the Doodle Poll that the Chair conducted for a matter the
> Chair brought to resolve.
>
>
>
> On Fri, Sep 14, 2018 at 1:08 PM Kirk Hall via Public 
> wrote:
>
> Exactly right.  To add one other point – I am the one who proposed we
> allow “Subcommittees” in the new Working Groups during the early
> discussions in the Governance Change Working Group that led to Ballot 206.
> I chose the name “Subcommittee” to avoid confusion (as we were now using
> the term “Working Group” to refer to the main group that needed
> Subcommittees to do preliminary work on ballot proposal), but I made it
> clear at the time that the new Subcommittees of the new Working Groups
> would function exactly the same as the old Working Groups of the Forum.
> There was no confusion or argument on this point among the Governance
> Change participants.
>
>
>
> I personally don’t see the need for yet more work to further define
> Subcommittees in the Bylaws, but will not object if others want to work on
> that.  In the meantime, we need to move forward on creating the Validation
> and NetSec Subcommittees so they can continue their work after October 3
> (and can meet as part of the Tuesday agenda at the Shanghai F2F meeting
> next month).  Those who don’t like the process can always vote no.
>
>
>
> I will present a revised draft of SC9 and SC10 later today taking into
> account the comments already received.
>
>
>
> *From:* Dimitris Zacharopoulos [mailto:ji...@it.auth.gr]
> *Sent:* Thursday, September 13, 2018 10:43 PM
> *To:* Ryan Sleevi ; CA/Browser Forum Public Discussion
> List ; Kirk Hall 
> *Subject:* [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network
> Security Subcommittee of the SCWG
>
>
>
> It looks like a similar conversation 

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Kirk Hall via Public
This discussion is no longer productive – we have been stalemated for two 
months or so, and I don’t think most members agree with your approach.  It 
would probably be best for just to just vote no on the ballots, but *also* 
volunteer to work with Ben to amend the Bylaws in whatever way you think is 
needed.

From: Ryan Sleevi [mailto:sle...@google.com]
Sent: Friday, September 14, 2018 10:22 AM
To: Kirk Hall ; CABFPub 
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

Kirk,

You have a real opportunity to resolve these issues, and I hope you will 
incorporate that feedback into consideration. There are now multiple threads, 
in part because of some of your forked replies, but to summarize where we stand:

Nothing in the Bylaws requires resolution on/by October 3, other than that they 
will cease to be LWGs.
While no longer LWGs, if they choose to be subcommittees, then it has to be 
done using the process defined by the SCWG.
The SCWG has not defined or balloted its process for these.
If you're proposing that these ballots use an assumed process that is not 
specified, we're opposed and remain opposed, because having the Forum and the 
Chair make up process continues to undermine the legitimacy of the Forum and 
its value, needlessly and irresponsibly.

If you feel it's important to establish these before Oct 3 - which it isn't, 
procedurally - then one path you can do that can resolve the feedback and 
concerns is to actually spell out the things you are assuming, such as that 
subcommittees will produce minutes, operate on public lists, allow 
participation, etc. This is not difficult, it's just more work - but that's the 
cost of doing things right, you sometimes have to put a bit of effort in to do 
it right.

As you can see from those minutes, this has been known to be a problem for 
months. The proposal was simple: "Dimitris again noted that new Bylaw 5.3.1(e) 
did not provide for a method for creating Subcommittees, and maybe the Bylaws 
or Charter should be amended to provide a method, and Wayne agreed."

There's still no definition for how the Subcommittee will operate, and that 
should be in the ballot to form it, since the Chair did not propose a ballot 
based on the Doodle Poll that the Chair conducted for a matter the Chair 
brought to resolve.

On Fri, Sep 14, 2018 at 1:08 PM Kirk Hall via Public <public@cabforum.org> wrote:
Exactly right.  To add one other point – I am the one who proposed we allow 
“Subcommittees” in the new Working Groups during the early discussions in the 
Governance Change Working Group that led to Ballot 206.  I chose the name 
“Subcommittee” to avoid confusion (as we were now using the term “Working 
Group” to refer to the main group that needed Subcommittees to do preliminary 
work on ballot proposal), but I made it clear at the time that the new 
Subcommittees of the new Working Groups would function exactly the same as the 
old Working Groups of the Forum.  There was no confusion or argument on this 
point among the Governance Change participants.

I personally don’t see the need for yet more work to further define 
Subcommittees in the Bylaws, but will not object if others want to work on 
that.  In the meantime, we need to move forward on creating the Validation and 
NetSec Subcommittees so they can continue their work after October 3 (and can 
meet as part of the Tuesday agenda at the Shanghai F2F meeting next month).  
Those who don’t like the process can always vote no.

I will present a revised draft of SC9 and SC10 later today taking into account 
the comments already received.

From: Dimitris Zacharopoulos [mailto:ji...@it.auth.gr]
Sent: Thursday, September 13, 2018 10:43 PM
To: Ryan Sleevi <sle...@google.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Kirk Hall <kirk.h...@entrustdatacard.com>
Subject: [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

It looks like a similar conversation was captured in the minutes of previous 
Server Certificate WG teleconferences.

  *   https://cabforum.org/2018/07/12/2018-07-12-scwg-minutes/ where the 
ambiguity on how to form subcommittees was first raised
  *   https://cabforum.org/2018/07/26/2018-07-26-server-certificate-working-group-minutes/ 
where the members expressed their opinion (via doodle poll) and the majority 
chose to resolve this ambiguity by requiring ballots for the formation of 
subcommittees in the SCWG.

IMO, members are in favor of ballots to resolve issues like this. The 
definition of a subcommittee is broad enough and described in 5.3.1(e) "to 
address any of such CWG's business". It is very clear to me that both proposed 
subcommittees (validation and NetSec) are within the SCWG's scope.

I thought we had agreed that until the SCWG charter is amended (to include 
language around subcommittees, election of 

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Ryan Sleevi via Public
Kirk,

You have a real opportunity to resolve these issues, and I hope you will
incorporate that feedback into consideration. There are now multiple
threads, in part because of some of your forked replies, but to summarize
where we stand:

Nothing in the Bylaws requires resolution on/by October 3, other than that
they will cease to be LWGs.
While no longer LWGs, if they choose to be subcommittees, then it has to be
done using the process defined by the SCWG.
The SCWG has not defined or balloted its process for these.
If you're proposing that these ballots use an assumed process that is not
specified, we're opposed and remain opposed, because having the Forum and
the Chair make up process continues to undermine the legitimacy of the
Forum and its value, needlessly and irresponsibly.

If you feel it's important to establish these before Oct 3 - which it
isn't, procedurally - then one path you can do that can resolve the
feedback and concerns is to actually spell out the things you are assuming,
such as that subcommittees will produce minutes, operate on public lists,
allow participation, etc. This is not difficult, it's just more work - but
that's the cost of doing things right, you sometimes have to put a bit of
effort in to do it right.

As you can see from those minutes, this has been known to be a problem for
months. The proposal was simple: "Dimitris again noted that new Bylaw
5.3.1(e) did not provide for a method for creating Subcommittees, and maybe
the Bylaws or Charter should be amended to provide a method, and Wayne
agreed."

There's still no definition for how the Subcommittee will operate, and that
should be in the ballot to form it, since the Chair did not propose a
ballot based on the Doodle Poll that the Chair conducted for a matter the
Chair brought to resolve.

On Fri, Sep 14, 2018 at 1:08 PM Kirk Hall via Public 
wrote:

> Exactly right.  To add one other point – I am the one who proposed we
> allow “Subcommittees” in the new Working Groups during the early
> discussions in the Governance Change Working Group that led to Ballot 206.
> I chose the name “Subcommittee” to avoid confusion (as we were now using
> the term “Working Group” to refer to the main group that needed
> Subcommittees to do preliminary work on ballot proposal), but I made it
> clear at the time that the new Subcommittees of the new Working Groups
> would function exactly the same as the old Working Groups of the Forum.
> There was no confusion or argument on this point among the Governance
> Change participants.
>
>
>
> I personally don’t see the need for yet more work to further define
> Subcommittees in the Bylaws, but will not object if others want to work on
> that.  In the meantime, we need to move forward on creating the Validation
> and NetSec Subcommittees so they can continue their work after October 3
> (and can meet as part of the Tuesday agenda at the Shanghai F2F meeting
> next month).  Those who don’t like the process can always vote no.
>
>
>
> I will present a revised draft of SC9 and SC10 later today taking into
> account the comments already received.
>
>
>
> *From:* Dimitris Zacharopoulos [mailto:ji...@it.auth.gr]
> *Sent:* Thursday, September 13, 2018 10:43 PM
> *To:* Ryan Sleevi ; CA/Browser Forum Public Discussion
> List ; Kirk Hall 
> *Subject:* [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network
> Security Subcommittee of the SCWG
>
>
>
> It looks like a similar conversation was captured in the minutes of
> previous Server Certificate WG teleconferences.
>
>    - https://cabforum.org/2018/07/12/2018-07-12-scwg-minutes/ where the
>      ambiguity on how to form subcommittees was first raised
>    - https://cabforum.org/2018/07/26/2018-07-26-server-certificate-working-group-minutes/
>      where the members expressed their opinion (via doodle poll) and the
>      majority chose to resolve this ambiguity by requiring ballots for the
>      formation of subcommittees in the SCWG.
>
> IMO, members are in favor of ballots to resolve issues like this. The
> definition of a subcommittee is broad enough and described in 5.3.1(e) "to
> address any of such CWG's business". It is very clear to me that both
> proposed subcommittees (validation and NetSec) are within the SCWG's scope.
>
> I thought we had agreed that until the SCWG charter is amended (to include
> language around subcommittees, election of officers and other issues that
> were discussed in previous calls), we would proceed with using ballots as
> the agreed-upon decision making process. I understand that Kirk's proposed
> ballots (as a process) are aligned with this decision. The content of the
> ballots (whether or not we will name "chairs", etc for subcommittees) is
> debatable and under discussion.
>
> As a general comment, I would like to note that the majority of
> Contributions were taking place during "Legacy Working Groups" with the
> previous governance. These "officially declared" teams had great momentum,
> produced a lot of 

Re: [cabfpub] [EXTERNAL]Re: Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Kirk Hall via Public
Exactly right.  To add one other point – I am the one who proposed we allow 
“Subcommittees” in the new Working Groups during the early discussions in the 
Governance Change Working Group that led to Ballot 206.  I chose the name 
“Subcommittee” to avoid confusion (as we were now using the term “Working 
Group” to refer to the main group that needed Subcommittees to do preliminary 
work on ballot proposal), but I made it clear at the time that the new 
Subcommittees of the new Working Groups would function exactly the same as the 
old Working Groups of the Forum.  There was no confusion or argument on this 
point among the Governance Change participants.

I personally don’t see the need for yet more work to further define 
Subcommittees in the Bylaws, but will not object if others want to work on 
that.  In the meantime, we need to move forward on creating the Validation and 
NetSec Subcommittees so they can continue their work after October 3 (and can 
meet as part of the Tuesday agenda at the Shanghai F2F meeting next month).  
Those who don’t like the process can always vote no.

I will present a revised draft of SC9 and SC10 later today taking into account 
the comments already received.

From: Dimitris Zacharopoulos [mailto:ji...@it.auth.gr]
Sent: Thursday, September 13, 2018 10:43 PM
To: Ryan Sleevi ; CA/Browser Forum Public Discussion List 
; Kirk Hall 
Subject: [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

It looks like a similar conversation was captured in the minutes of previous 
Server Certificate WG teleconferences.

  *   https://cabforum.org/2018/07/12/2018-07-12-scwg-minutes/ where the 
ambiguity on how to form subcommittees was first raised
  *   https://cabforum.org/2018/07/26/2018-07-26-server-certificate-working-group-minutes/ 
where the members expressed their opinion (via doodle poll) and the majority 
chose to resolve this ambiguity by requiring ballots for the formation of 
subcommittees in the SCWG.

IMO, members are in favor of ballots to resolve issues like this. The 
definition of a subcommittee is broad enough and described in 5.3.1(e) "to 
address any of such CWG's business". It is very clear to me that both proposed 
subcommittees (validation and NetSec) are within the SCWG's scope.

I thought we had agreed that until the SCWG charter is amended (to include 
language around subcommittees, election of officers and other issues that were 
discussed in previous calls), we would proceed with using ballots as the 
agreed-upon decision making process. I understand that Kirk's proposed ballots 
(as a process) are aligned with this decision. The content of the ballots 
(whether or not we will name "chairs", etc for subcommittees) is debatable and 
under discussion.

As a general comment, I would like to note that the majority of Contributions 
were taking place during "Legacy Working Groups" with the previous governance. 
These "officially declared" teams had great momentum, produced a lot of 
improvements to the Forum's Guidelines, met regularly and were coordinated by 
one or two people that facilitated the discussions and provided the necessary 
logistics (calendar scheduling, agendas, minutes and so on). I can't imagine 
that the Governance change intended to make things so hard to form these 
currently-called "subcommittees". In case of doubt, ballots were always a good 
way forward, unless they propose something that is clearly against the Bylaws.


Dimitris.

On 14/9/2018 3:43 πμ, Ryan Sleevi via Public wrote:

On Thu, Sep 13, 2018 at 8:39 PM Kirk Hall <kirk.h...@entrustdatacard.com> wrote:
Thanks for the list, Wayne.  Responses inline.  Remember, a Subcommittee has no 
real power, it’s just a place where members interested in a subject who want to 
be involved in drafting proposals for the whole SCWG can work together – we 
have 10+ years of successful experience with this approach, and are just 
continuing it at the SCWG level.

[Wayne] To respond to Kirk's question about subjects that need to be better 
defined, here is a start:

* Do Subcommittees have Chairs and if so how are they appointed?  [KH] Yes, for 
the same reason we had Chairs for old-style Working Groups of the Forum.  There 
is no change here (BTW, our Bylaws didn’t include rules for old WG Chairs 
either – somehow it all worked out).  Dean has correctly listed what a Chair 
does.

This answer doesn't suffice, because our new Bylaws do change things 
substantially, and the reasons for the old structure of WGs doesn't just 
naturally change to SCWGs.

* How are Subcommittees chartered? (are they chartered?)  [KH] Same as in the 
past when we created old-style WGs of the Forum – by ballots, in this case SCWG 
ballots.  No change here.

This is half correct, but misses the point of the question. The SCWG is 
responsible for defining how Subcommittees are created, per our Bylaws - and it 
has not. Yet.

* What are the required contents of a Subcommittee 

Re: [cabfpub] Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Ryan Sleevi via Public
Put it differently: Why do we need to establish a Subcommittee? What's the
pressing or urgent need that's trying to be met? Can we resolve that
quickly?

I don't think that language, as a proposal, really resolves the issues. If
the answer is providing more clarity for SCWG's Subcommittees, yes, let's
solve that. That's a real and reasonable problem and doesn't leave us with
some unaddressed gap.

On Fri, Sep 14, 2018 at 12:29 PM Tim Hollebeek 
wrote:

> My ballot that I didn’t get around to writing would have had something
> like:
>
>
>
> “The current Bylaws lack clarity and precision about the functioning of
> subcommittees.  Until such a time as that is corrected, subcommittees
> created from LWGs shall operate in the same manner as pre-governance reform
> working groups.”
>
>
>
> Would that help?
>
>
>
> -Tim
>
>
>
> P.S. I asked the Validation WG chair if the Validation Subcommittee would
> continue using the validation mailing list, and continue to produce agendas
> and minutes, and he said yes.
>
>
>
> *From:* Ryan Sleevi 
> *Sent:* Friday, September 14, 2018 12:19 PM
> *To:* Tim Hollebeek 
> *Cc:* Wayne Thayer ; CABFPub 
> *Subject:* Re: [cabfpub] Ballot SC10 – Establishing the Network Security
> Subcommittee of the SCWG
>
>
>
> Subcommittees don't have requirements for minutes or publicly-available
> notes.
>
>
>
> That's the point. All this thinking about subcommittees working "just
> like" LWGs is not the case. All of that was lost from the Bylaws. A
> subcommittee can just be two people having a chat, at least as written in
> the Bylaws today.
>
>
>
> There's nothing stating subcommittees work with their own mailing lists,
> for example, in the way our old bylaws did. There's nothing establishing
> chairs or charters or deliverables. It's a one-off note.
>
>
>
> That's the point.
>
>
>
> On Fri, Sep 14, 2018 at 12:13 PM Tim Hollebeek 
> wrote:
>
> Collaborating outside of a subcommittee has a bunch of drawbacks,
> including a complete lack of public transparency and much weaker IPR
> protections.
>
>
>
> In my opinion, there’s already way, way too much going on in private that
> would be better handled in subcommittees where everyone can participate and
> there are publicly available notes.
>
>
>
> -Tim
>
>
>
> *From:* Public  *On Behalf Of *Wayne Thayer
> via Public
> *Sent:* Thursday, September 13, 2018 7:11 PM
> *To:* Ryan Sleevi ; CA/Browser Forum Public Discussion
> List 
> *Subject:* Re: [cabfpub] Ballot SC10 – Establishing the Network Security
> Subcommittee of the SCWG
>
>
>
> Would it be helpful to take a step back and propose an amendment to the
> Bylaws or SCWG charter that addresses Subcommittees in sufficient detail? I
> would be willing to work on that. Meanwhile, if the Network Security WG
> left some urgent work unfinished, nothing prevents SCWG members from
> collaborating outside of the Subcommittee structure.
>
>
>
> On Thu, Sep 13, 2018 at 3:49 PM Ryan Sleevi via Public <
> public@cabforum.org> wrote:
>
> I think that, without incorporating or responding to feedback, we will be
> opposed to this ballot. I agree that it's unfortunate we have gotten
> nowhere - but it's equally unfortunate to have spent two months without
> responding to any of the substance of the issues. It's great to see
> progress, but making small steps doesn't excuse leaving glaring issues.
> It's better to let these fall down than to support them with fundamental
> flaws.
>
>
>
> Concrete feedback is:
>
> Delete: "These renewed NCSSR documents will serve CAs, auditors and
> browsers in giving a state of the art set of rules for the deployment and
> operation of CAs computing infrastructures."
>
> Rationale: That presumes this output will be valid/valuable.
>
>
>
> Delete: "The Subcommittee may choose its own initial Chair."
>
> Rationale: Subcommittees don't have Chairs and votes. They're just
> meetings of the CWG with focus.
>
>
>
> Delete: "The Network Security Subcommittee shall produce one or more
> documents offering options to the Forum for establishing minimal security
> standards within the scope defined above, which may be used to modify the
> existing NCSSRs."
>
> Rationale: This is pretty much a non-scope as worded, but worse,
> precludes some of the very activities you want to do. For example,
> reforming existing requirements doesn't establish minimums, so is out of
> scope.
>
>
>
> Obviously, that leaves you with nothing left. Hopefully there's something
> concrete you think should remain, and you can suggest improvements there.
>
>
>
>
>
>
>
> On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall 
> wrote:
>
> On this ballot and Ballot SC10, I’m only going to consider comments and
> criticisms that propose specific alternate language that you will support.
> We have spent two months on creation of Subcommittees that simply continue
> the work we have been doing, and getting nowhere.  Time to finish up!
>
>
>
> Do you have specific alternate ballot language you want the Members to
> consider?  If 

Re: [cabfpub] Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Tim Hollebeek via Public
My ballot that I didn’t get around to writing would have had something like:

 

“The current Bylaws lack clarity and precision about the functioning of 
subcommittees.  Until such a time as that is corrected, subcommittees created 
from LWGs shall operate in the same manner as pre-governance reform working 
groups.”

 

Would that help?

 

-Tim

 

P.S. I asked the Validation WG chair if the Validation Subcommittee would 
continue using the validation mailing list, and continue to produce agendas and 
minutes, and he said yes.

 

From: Ryan Sleevi  
Sent: Friday, September 14, 2018 12:19 PM
To: Tim Hollebeek 
Cc: Wayne Thayer ; CABFPub 
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security 
Subcommittee of the SCWG

 

Subcommittees don't have requirements for minutes or publicly-available notes.

 

That's the point. All this thinking about subcommittees working "just like" 
LWGs is not the case. All of that was lost from the Bylaws. A subcommittee can 
just be two people having a chat, at least as written in the Bylaws today.

 

There's nothing stating subcommittees work with their own mailing lists, for 
example, in the way our old bylaws did. There's nothing establishing chairs or 
charters or deliverables. It's a one-off note.

 

That's the point.

 

On Fri, Sep 14, 2018 at 12:13 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:

Collaborating outside of a subcommittee has a bunch of drawbacks, including a 
complete lack of public transparency and much weaker IPR protections.

 

In my opinion, there’s already way, way too much going on in private that would 
be better handled in subcommittees where everyone can participate and there are 
publicly available notes.

 

-Tim

 

From: Public <public-boun...@cabforum.org> On Behalf Of Wayne Thayer via Public
Sent: Thursday, September 13, 2018 7:11 PM
To: Ryan Sleevi <sle...@google.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security 
Subcommittee of the SCWG

 

Would it be helpful to take a step back and propose an amendment to the Bylaws 
or SCWG charter that addresses Subcommittees in sufficient detail? I would be 
willing to work on that. Meanwhile, if the Network Security WG left some urgent 
work unfinished, nothing prevents SCWG members from collaborating outside of 
the Subcommittee structure.

 

On Thu, Sep 13, 2018 at 3:49 PM Ryan Sleevi via Public <public@cabforum.org> wrote:

I think that, without incorporating or responding to feedback, we will be 
opposed to this ballot. I agree that it's unfortunate we have gotten nowhere - 
but it's equally unfortunate to have spent two months without responding to any 
of the substance of the issues. It's great to see progress, but making small 
steps doesn't excuse leaving glaring issues. It's better to let these fall down 
than to support them with fundamental flaws.

 

Concrete feedback is:

Delete: "These renewed NCSSR documents will serve CAs, auditors and browsers in 
giving a state of the art set of rules for the deployment and operation of CAs 
computing infrastructures."

Rationale: That presumes this output will be valid/valuable.

 

Delete: "The Subcommittee may choose its own initial Chair."

Rationale: Subcommittees don't have Chairs and votes. They're just meetings of 
the CWG with focus.

 

Delete: "The Network Security Subcommittee shall produce one or more documents 
offering options to the Forum for establishing minimal security standards 
within the scope defined above, which may be used to modify the existing 
NCSSRs."

Rationale: This is a pretty much a non-scope as worded, but worse, precludes 
some of the very activities you want to do. For example, reforming existing 
requirements doesn't establish minimums, so is out of scope.

 

Obviously, that leaves you with nothing left. Hopefully there's something 
concrete you think should remain, and you can suggest improvements there.

 

 

 

On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall <kirk.h...@entrustdatacard.com> wrote:

On this ballot and Ballot SC10, I’m only going to consider comments and 
criticisms that propose specific alternate language that you will support.  We 
have spent two months on creation of Subcommittees that simply continue the 
work we have been doing, and getting nowhere.  Time to finish up!

 

Do you have specific alternate ballot language you want the Members to 
consider?  If so, please post.

 

From: Ryan Sleevi [mailto:sle...@google.com]
Sent: Thursday, September 13, 2018 2:55 PM
To: Kirk Hall <kirk.h...@entrustdatacard.com>; CABFPub <public@cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public <public@cabforum.org> wrote:

Scope: Revising and improving the Network and 

Re: [cabfpub] Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Ryan Sleevi via Public
Subcommittees don't have requirements for minutes or publicly-available
notes.

That's the point. All this thinking about subcommittees working "just like"
LWGs is not the case. All of that was lost from the Bylaws. A subcommittee
can just be two people having a chat, at least as written in the Bylaws
today.

There's nothing stating subcommittees work with their own mailing lists,
for example, in the way our old bylaws did. There's nothing establishing
chairs or charters or deliverables. It's a one-off note.

That's the point.

On Fri, Sep 14, 2018 at 12:13 PM Tim Hollebeek 
wrote:

> Collaborating outside of a subcommittee has a bunch of drawbacks,
> including a complete lack of public transparency and much weaker IPR
> protections.
>
>
>
> In my opinion, there’s already way, way too much going on in private that
> would be better handled in subcommittees where everyone can participate and
> there are publicly available notes.
>
>
>
> -Tim
>
>
>
> *From:* Public  *On Behalf Of *Wayne Thayer
> via Public
> *Sent:* Thursday, September 13, 2018 7:11 PM
> *To:* Ryan Sleevi ; CA/Browser Forum Public Discussion
> List 
> *Subject:* Re: [cabfpub] Ballot SC10 – Establishing the Network Security
> Subcommittee of the SCWG
>
>
>
> Would it be helpful to take a step back and propose an amendment to the
> Bylaws or SCWG charter that addresses Subcommittees in sufficient detail? I
> would be willing to work on that. Meanwhile, if the Network Security WG
> left some urgent work unfinished, nothing prevents SCWG members from
> collaborating outside of the Subcommittee structure.
>
>
>
> On Thu, Sep 13, 2018 at 3:49 PM Ryan Sleevi via Public <
> public@cabforum.org> wrote:
>
> I think that, without incorporating or responding to feedback, we will be
> opposed to this ballot. I agree that it's unfortunate we have gotten
> nowhere - but it's equally unfortunate to have spent two months without
> responding to any of the substance of the issues. It's great to see
> progress, but making small steps doesn't excuse leaving glaring issues.
> It's better to let these fall down than to support them with fundamental
> flaws.
>
>
>
> Concrete feedback is:
>
> Delete: "These renewed NCSSR documents will serve CAs, auditors and
> browsers in giving a state of the art set of rules for the deployment and
> operation of CAs computing infrastructures."
>
> Rationale: That presumes this output will be valid/valuable.
>
>
>
> Delete: "The Subcommittee may choose its own initial Chair."
>
> Rationale: Subcommittees don't have Chairs and votes. They're just
> meetings of the CWG with focus.
>
>
>
> Delete: "The Network Security Subcommittee shall produce one or more
> documents offering options to the Forum for establishing minimal security
> standards within the scope defined above, which may be used to modify the
> existing NCSSRs."
>
> Rationale: This is a pretty much a non-scope as worded, but worse,
> precludes some of the very activities you want to do. For example,
> reforming existing requirements doesn't establish minimums, so is out of
> scope.
>
>
>
> Obviously, that leaves you with nothing left. Hopefully there's something
> concrete you think should remain, and you can suggest improvements there.
>
>
>
>
>
>
>
> On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall 
> wrote:
>
> On this ballot and Ballot SC10, I’m only going to consider comments and
> criticisms that propose specific alternate language that you will support.
> We have spent two months on creation of Subcommittees that simply continue
> the work we have been doing, and getting nowhere.  Time to finish up!
>
>
>
> Do you have specific alternate ballot language you want the Members to
> consider?  If so, please post.
>
>
>
> *From:* Ryan Sleevi [mailto:sle...@google.com]
> *Sent:* Thursday, September 13, 2018 2:55 PM
> *To:* Kirk Hall ; CABFPub <
> public@cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network
> Security Subcommittee of the SCWG
>
>
>
> On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public 
> wrote:
>
> *Scope: *Revising and improving the Network and Certificate Systems
> Security Requirements (NCSSRs).
>
>
> *Out of Scope: *No provision.
>
> *Deliverables: *The Network Security Subcommittee shall produce one or
> more documents offering options to the Forum for establishing minimal
> security standards within the scope defined above, which may be used to
> modify the existing NCSSRs. These renewed NCSSR documents will serve CAs,
> auditors and browsers in giving a state of the art set of rules for the
> deployment and operation of CAs computing infrastructures.  The
> Subcommittee may choose its own initial Chair.
>
>
>
> Is this Deliverable correct? Is that scope correct? The previous WG
> produced (only after significant prodding) a statement about 'options' -
> which was to modifying the existing NCSSRs. It seems like we're talking now
> about concrete recommendations for changes, and it seems more relevant to
> note what 

Re: [cabfpub] Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Tim Hollebeek via Public
Collaborating outside of a subcommittee has a bunch of drawbacks, including a 
complete lack of public transparency and much weaker IPR protections.

 

In my opinion, there’s already way, way too much going on in private that would 
be better handled in subcommittees where everyone can participate and there are 
publicly available notes.

 

-Tim

 

From: Public  On Behalf Of Wayne Thayer via Public
Sent: Thursday, September 13, 2018 7:11 PM
To: Ryan Sleevi ; CA/Browser Forum Public Discussion List 

Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security 
Subcommittee of the SCWG

 

Would it be helpful to take a step back and propose an amendment to the Bylaws 
or SCWG charter that addresses Subcommittees in sufficient detail? I would be 
willing to work on that. Meanwhile, if the Network Security WG left some urgent 
work unfinished, nothing prevents SCWG members from collaborating outside of 
the Subcommittee structure.

 

On Thu, Sep 13, 2018 at 3:49 PM Ryan Sleevi via Public <public@cabforum.org> wrote:

I think that, without incorporating or responding to feedback, we will be 
opposed to this ballot. I agree that it's unfortunate we have gotten nowhere - 
but it's equally unfortunate to have spent two months without responding to any 
of the substance of the issues. It's great to see progress, but making small 
steps doesn't excuse leaving glaring issues. It's better to let these fall down 
than to support them with fundamental flaws.

 

Concrete feedback is:

Delete: "These renewed NCSSR documents will serve CAs, auditors and browsers in 
giving a state of the art set of rules for the deployment and operation of CAs 
computing infrastructures."

Rationale: That presumes this output will be valid/valuable.

 

Delete: "The Subcommittee may choose its own initial Chair."

Rationale: Subcommittees don't have Chairs and votes. They're just meetings of 
the CWG with focus.

 

Delete: "The Network Security Subcommittee shall produce one or more documents 
offering options to the Forum for establishing minimal security standards 
within the scope defined above, which may be used to modify the existing 
NCSSRs."

Rationale: This is a pretty much a non-scope as worded, but worse, precludes 
some of the very activities you want to do. For example, reforming existing 
requirements doesn't establish minimums, so is out of scope.

 

Obviously, that leaves you with nothing left. Hopefully there's something 
concrete you think should remain, and you can suggest improvements there.

 

 

 

On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall <kirk.h...@entrustdatacard.com> wrote:

On this ballot and Ballot SC10, I’m only going to consider comments and 
criticisms that propose specific alternate language that you will support.  We 
have spent two months on creation of Subcommittees that simply continue the 
work we have been doing, and getting nowhere.  Time to finish up!

 

Do you have specific alternate ballot language you want the Members to 
consider?  If so, please post.

 

From: Ryan Sleevi [mailto:sle...@google.com]
Sent: Thursday, September 13, 2018 2:55 PM
To: Kirk Hall <kirk.h...@entrustdatacard.com>; CABFPub <public@cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public <public@cabforum.org> wrote:

Scope: Revising and improving the Network and Certificate Systems Security 
Requirements (NCSSRs). 


Out of Scope: No provision.

Deliverables: The Network Security Subcommittee shall produce one or more 
documents offering options to the Forum for establishing minimal security 
standards within the scope defined above, which may be used to modify the 
existing NCSSRs. These renewed NCSSR documents will serve CAs, auditors and 
browsers in giving a state of the art set of rules for the deployment and 
operation of CAs computing infrastructures.  The Subcommittee may choose its 
own initial Chair.

 

Is this Deliverable correct? Is that scope correct? The previous WG produced 
(only after significant prodding) a statement about 'options' - which was to 
modifying the existing NCSSRs. It seems like we're talking now about concrete 
recommendations for changes, and it seems more relevant to note what is in 
scope or out of scope.

 

I disagree that the deliverable affirmatively stating "will serve CA, auditors, 
and browsers".

 

However, there's other, more fundamental problems. Most notable is that 
Subcommittees aren't established to have Chairs - the point of the rework of 
the Bylaws was to make it clearer what activities are done and how they fit, 
and a SCWG subcommittee is just that - a subgroup of the SCWG. The other is 
that the SCWG does not yet have a defined process for the establishment of 
subcommittees.


Re: [cabfpub] Ballot SC10 – Establishing the Network Security Subcommittee of the SCWG

2018-09-14 Thread Tim Hollebeek via Public
Subcommittees most certainly do have chairs, as they are the same as LWGs 
unless stated otherwise.  And I dare you to find text in the Bylaws that says 
“Subcommittees don’t have chairs”, because it’s not there.

 

-Tim

 

From: Public  On Behalf Of Ryan Sleevi via Public
Sent: Thursday, September 13, 2018 6:48 PM
To: Kirk Hall 
Cc: CABFPub 
Subject: Re: [cabfpub] Ballot SC10 – Establishing the Network Security 
Subcommittee of the SCWG

 

I think that, without incorporating or responding to feedback, we will be 
opposed to this ballot. I agree that it's unfortunate we have gotten nowhere - 
but it's equally unfortunate to have spent two months without responding to any 
of the substance of the issues. It's great to see progress, but making small 
steps doesn't excuse leaving glaring issues. It's better to let these fall down 
than to support them with fundamental flaws.

 

Concrete feedback is:

Delete: "These renewed NCSSR documents will serve CAs, auditors and browsers in 
giving a state of the art set of rules for the deployment and operation of CAs 
computing infrastructures."

Rationale: That presumes this output will be valid/valuable.

 

Delete: "The Subcommittee may choose its own initial Chair."

Rationale: Subcommittees don't have Chairs and votes. They're just meetings of 
the CWG with focus.

 

Delete: "The Network Security Subcommittee shall produce one or more documents 
offering options to the Forum for establishing minimal security standards 
within the scope defined above, which may be used to modify the existing 
NCSSRs."

Rationale: This is a pretty much a non-scope as worded, but worse, precludes 
some of the very activities you want to do. For example, reforming existing 
requirements doesn't establish minimums, so is out of scope.

 

Obviously, that leaves you with nothing left. Hopefully there's something 
concrete you think should remain, and you can suggest improvements there.

 

 

 

On Thu, Sep 13, 2018 at 6:24 PM Kirk Hall <kirk.h...@entrustdatacard.com> wrote:

On this ballot and Ballot SC10, I’m only going to consider comments and 
criticisms that propose specific alternate language that you will support.  We 
have spent two months on creation of Subcommittees that simply continue the 
work we have been doing, and getting nowhere.  Time to finish up!

 

Do you have specific alternate ballot language you want the Members to 
consider?  If so, please post.

 

From: Ryan Sleevi [mailto:sle...@google.com]
Sent: Thursday, September 13, 2018 2:55 PM
To: Kirk Hall <kirk.h...@entrustdatacard.com>; CABFPub <public@cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Ballot SC10 – Establishing the Network 
Security Subcommittee of the SCWG

 

On Thu, Sep 13, 2018 at 5:25 PM Kirk Hall via Public <public@cabforum.org> wrote:

Scope: Revising and improving the Network and Certificate Systems Security 
Requirements (NCSSRs). 


Out of Scope: No provision.

Deliverables: The Network Security Subcommittee shall produce one or more 
documents offering options to the Forum for establishing minimal security 
standards within the scope defined above, which may be used to modify the 
existing NCSSRs. These renewed NCSSR documents will serve CAs, auditors and 
browsers in giving a state of the art set of rules for the deployment and 
operation of CAs computing infrastructures.  The Subcommittee may choose its 
own initial Chair.

 

Is this Deliverable correct? Is that scope correct? The previous WG produced 
(only after significant prodding) a statement about 'options' - which was to 
modifying the existing NCSSRs. It seems like we're talking now about concrete 
recommendations for changes, and it seems more relevant to note what is in 
scope or out of scope.

 

I disagree that the deliverable affirmatively stating "will serve CA, auditors, 
and browsers".

 

However, there's other, more fundamental problems. Most notable is that 
Subcommittees aren't established to have Chairs - the point of the rework of 
the Bylaws was to make it clearer what activities are done and how they fit, 
and a SCWG subcommittee is just that - a subgroup of the SCWG. The other is 
that the SCWG does not yet have a defined process for the establishment of 
subcommittees.





Re: [cabfpub] Ballot SC9 – Conversion of Validation and NetSec Working Groups to SCWG Subcommittees

2018-09-14 Thread Tim Hollebeek via Public
For the record, I’m in favor of making it explicitly clear that the scope 
remains the same.

 

If you’re making changes, feel free to also add Wayne as Validation WG Vice 
Chair, since he already runs the meetings for me when I’m traveling.

 

-Tim

 

From: Kirk Hall  
Sent: Thursday, September 13, 2018 6:22 PM
To: Wayne Thayer 
Cc: Tim Hollebeek ; CA/Browser Forum Public 
Discussion List 
Subject: Re: [cabfpub] Ballot SC9 – Conversion of Validation and NetSec Working 
Groups to SCWG Subcommittees

 

I’m taking your comment as saying you will vote in favor of the ballot if I 
make that specific change, so I’ll make that change.  Otherwise, on this ballot 
and Ballot SC10, I’m only going to consider comments and criticisms that 
propose specific alternate language.  We have spent two months on creation of 
Subcommittees that simply continue the work we have been doing, and getting 
nowhere.  Time to finish up!

 

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Thursday, September 13, 2018 2:43 PM
To: Kirk Hall <kirk.h...@entrustdatacard.com>
Cc: Tim Hollebeek <tim.holleb...@digicert.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Ballot SC9 – Conversion of Validation and 
NetSec Working Groups to SCWG Subcommittees

 

Kirk,

 

My concern is that the ballot doesn't explicitly state what you (and I agree) 
believe is intended here. Someone in the future can look back at the ballot 
language we passed with SC9 and interpret it differently. Simply copying the 
VWG scope (and deliverables) into the body of the motion would address this.

 

On Thu, Sep 13, 2018 at 2:33 PM Kirk Hall <kirk.h...@entrustdatacard.com> wrote:

Wayne – sorry, I didn’t see your message until now.

 

In my view, “converting” the Validation Working Group to the Validation 
Subcommittee under Bylaw 5.3.4 means it has the same scope as it had under 
Ballot 143, which established the Validation Working Group.  If the scope is 
repeated or changed to create the new Subcommittee, then it’s not really 
“converted” – it’s no different than simply creating a new Subcommittee under 
Bylaw 5.3.1(e) with a stated scope, etc. – right?

 

On your second point – sure, we can say that only “legacy” WGs of the Forum 
expire on Oct. 3 (as the *new* WGs like the SCWG clearly doesn’t expire).  I 
can make that change in the next draft.

 

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Thursday, September 13, 2018 11:35 AM
To: Tim Hollebeek <tim.holleb...@digicert.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>
Cc: Kirk Hall <kirk.h...@entrustdatacard.com>
Subject: [EXTERNAL]Re: [cabfpub] Ballot SC9 – Conversion of Validation and 
NetSec Working Groups to SCWG Subcommittees

 

 

This ballot doesn't appear to account for any of the scoping proposed or 
concerns raised in this thread: 
https://cabforum.org/pipermail/public/2018-July/013736.html

 

If the intent here is that conversion of an existing WG binds the new 
subcommittee to the original scope of the WG, then that should be explicitly 
stated in the ballot. As it stands, I think this ballot creates two 
Subcommittees that have no defined scope whatsoever.

 

Also a nit - the Purpose section begins with the statement that "All Working 
Groups of the Forum will expire on October 3, 2018." This should say all LEGACY 
Working Groups because the SCWG is not about to expire.

 

- Wayne

 

On Wed, Sep 12, 2018 at 6:07 PM Tim Hollebeek via Public <public@cabforum.org> wrote:

Thanks for taking the time to write this, Kirk.  I’ll endorse.

-Tim

From: Public  On Behalf Of Kirk Hall via Public
Sent: Wednesday, September 12, 2018 6:52 PM
To: CABFPub <public@cabforum.org>
Subject: [cabfpub] Ballot SC9 – Conversion of Validation and NetSec Working 
Groups to SCWG Subcommittees

 

I am proposing the following ballot – are there two endorsers?  If we move soon 
on this, we can get this ballot approved before October 3, and there will be no 
lapse for these two Subcommittees.  

 

(Note: I considered also converting the Governance Change Working Group to a 
Subcommittee, but it doesn’t belong as a Subcommittee of the SCWG, and our 
Bylaws do not permit Subcommittees of the Forum itself.  Also, Dimitris and Ben 
seem not to want to convert the Policy Working Group to a Subcommittee of the 
SCWG, so I have not included that.)

 

Ballot SC9 – Conversion of Validation and NetSec Working Groups to SCWG 
Subcommittees

 

Purpose of Ballot: 

 

All Working Groups of the Forum will expire on October 3, 2018.  Bylaws 
Sections 5.3.1(e) and 5.3.4 allow any “Legacy” Working Groups (“LWG”) in 
existence when Bylaws v.1.9 

Re: [cabfpub] [Servercert-wg] Ballot SC6 v3 - Revocation Timeline Extension

2018-09-14 Thread Neil Dunbar via Public
TrustCor votes YES on Ballot SC6v3.

Regards,

Neil

> On 31 Aug 2018, at 20:51, Wayne Thayer via Servercert-wg 
>  wrote:
> 
> Here is version 3 of this ballot, incorporating changes to v2 suggested by 
> Bruce and Ryan (thanks!).
> 
> I noticed that our current bylaws have reverted back to a fixed-length 
> discussion period, so I have changed this version to comply.
> 
> ==
> 
> Ballot SC6 version 3: Revocation Timeline Extension
> 
> Purpose of Ballot:
> Section 4.9.1.1 of the Baseline Requirements currently requires CAs to revoke 
> a Subscriber certificate within 24 hours of identifying any of 15 issues 
> affecting the certificate. In cases where there is not an immediate threat of 
> misuse of the certificate, this requirement can cause undue harm to a 
> Subscriber that isn't capable of replacing the certificate prior to 
> revocation. This ballot makes a number of improvements to the revocation 
> rules imposed by the Baseline Requirements:
> * Primarily, it creates a tiered timeline for revocations. The most critical 
> "reasons" still require revocation within 24 hours, but for many others 24 
> hours becomes a SHOULD and the CA has 5 days before they MUST revoke.
> * A new "reason for revocation" was added to address the fact that there is 
> currently no requirement for CAs to revoke a certificate when requested by 
> the domain name registrant. After considering some more specific language 
> that required CAs to follow 3.2.2.4 to validate domain control, I settled on 
> the following more general "reason": "The CA obtains evidence that the 
> validation of domain authorization or control for any Fully-Qualified Domain 
> Name or IP address in the Certificate should not be relied upon."
> * Reason #10 states "The CA determines that any of the information appearing 
> in the Certificate is inaccurate or misleading;" This ballot removes "or 
> misleading" because that is a subjective judgement that could effectively be 
> used to justify censorship, as discussed at length in relation to the 
> "Stripe, Inc of Kentucky" EV certificates.
> * Current reasons #11 and #13 were removed from the section on subscriber 
> certificates because they address cases where the intermediate and/or root 
> must be revoked, so there isn't much sense (and some possible harm) in 
> requiring revocation of all the leaf certs.
> * It requires CAs to disclose their problem reporting mechanisms in a 
> standard location: CPS section 1.5.2.
> * Within 24 hours of receiving a problem report, the CA is now required to 
> report back to both the entity reporting the problem and the Subscriber on 
> the CA's findings, and to work with the reporter and Subscriber to establish 
> a date by which the CA will revoke the certificate.
> 
> The following motion has been proposed by  Wayne Thayer of Mozilla and 
> endorsed by Tim Hollebeek of DigiCert and Dimitris Zacharopoulos of Harica.
> 
> --- MOTION BEGINS ---
> 
> This ballot modifies the “Baseline Requirements 
> for the Issuance and Management of Publicly-Trusted Certificates” as follows, 
> based on Version 1.6.0:
> 
> ** Modify the definition of Key Compromise as follows: **
> Key Compromise: A Private Key is said to be compromised if its value has been 
> disclosed to an unauthorized person or an unauthorized person has had access 
> to it.
> 
> ** Modify Section 4.9.1 to read as follows: **
> 
> 4.9.1.1 Reasons for Revoking a Subscriber Certificate
> 
> The CA SHALL revoke a Certificate within 24 hours if one or more of the 
> following occurs:
> 1. The Subscriber requests in writing that the CA revoke the Certificate;
> 2. The Subscriber notifies the CA that the original certificate request was 
> not authorized and does not retroactively grant authorization;
> 3. The CA obtains evidence that the Subscriber's Private Key corresponding to 
> the Public Key in the Certificate suffered a Key Compromise; or
> 4. The CA obtains evidence that the validation of domain authorization or 
> control for any Fully-Qualified Domain Name or IP address in the Certificate 
> should not be relied upon.
> 
> The CA SHOULD revoke a certificate within 24 hours and MUST revoke a 
> Certificate within 5 days if one or more of the following occurs:
> 1. The Certificate no longer complies with the requirements of Sections 6.1.5 
> and 6.1.6;
> 2. The CA obtains evidence that the Certificate was misused;
> 3. The CA is made aware that a Subscriber has violated one or more of its 
> material obligations under the Subscriber Agreement or Terms of Use;
> 4. The CA is made aware of any circumstance indicating that use of a 
> Fully-Qualified Domain Name or IP address in the Certificate is no longer 
> legally permitted (e.g. a court or arbitrator has revoked a Domain Name 
> Registrant's right to use the Domain Name, a relevant licensing or services 
> agreement between the Domain Name Registrant and the Applicant has 
> terminated, or the Domain Name 

[cabfpub] Reply: [Servercert-wg] Ballot SC6 v3 - Revocation Timeline Extension

2018-09-14 Thread 张翼 via Public
CFCA  votes YES on Ballot SC6 v3. 

 

CFCA

Yi Zhang

 

From: Servercert-wg  On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Friday 31 August 2018 21:52
To: CA/B Forum Server Certificate WG Public Discussion List 

Cc: CA/Browser Forum Public Discussion List 
Subject: [Servercert-wg] Ballot SC6 v3 - Revocation Timeline Extension

 

Here is version 3 of this ballot, incorporating changes to v2 suggested by 
Bruce and Ryan (thanks!).

 

I noticed that our current bylaws have reverted back to a fixed-length 
discussion period, so I have changed this version to comply.


==

Ballot SC6 version 3: Revocation Timeline Extension

 

Purpose of Ballot:
Section 4.9.1.1 of the Baseline Requirements currently requires CAs to revoke a 
Subscriber certificate within 24 hours of identifying any of 15 issues 
affecting the certificate. In cases where there is not an immediate threat of 
misuse of the certificate, this requirement can cause undue harm to a 
Subscriber that isn't capable of replacing the certificate prior to revocation. 
This ballot makes a number of improvements to the revocation rules imposed by 
the Baseline Requirements:
* Primarily, it creates a tiered timeline for revocations. The most critical 
"reasons" still require revocation within 24 hours, but for many others 24 
hours becomes a SHOULD and the CA has 5 days before they MUST revoke.
* A new "reason for revocation" was added to address the fact that there is 
currently no requirement for CAs to revoke a certificate when requested by the 
domain name registrant. After considering some more specific language that 
required CAs to follow 3.2.2.4 to validate domain control, I settled on the 
following more general "reason": "The CA obtains evidence that the validation 
of domain authorization or control for any Fully-Qualified Domain Name or IP 
address in the Certificate should not be relied upon."
* Reason #10 states "The CA determines that any of the information appearing in 
the Certificate is inaccurate or misleading;" This ballot removes "or 
misleading" because that is a subjective judgement that could effectively be 
used to justify censorship, as discussed at length in relation to the "Stripe, 
Inc of Kentucky" EV certificates.
* Current reasons #11 and #13 were removed from the section on subscriber 
certificates because they address cases where the intermediate and/or root must 
be revoked, so there isn't much sense (and some possible harm) in requiring 
revocation of all the leaf certs.
* It requires CAs to disclose their problem reporting mechanisms in a standard 
location: CPS section 1.5.2.
* Within 24 hours of receiving a problem report, the CA is now required to 
report back to both the entity reporting the problem and the Subscriber on the 
CA's findings, and to work with the reporter and Subscriber to establish a date 
by which the CA will revoke the certificate.

The following motion has been proposed by  Wayne Thayer of Mozilla and endorsed 
by Tim Hollebeek of DigiCert and Dimitris Zacharopoulos of Harica.



--- MOTION BEGINS ---

This ballot modifies the “Baseline Requirements for the 
Issuance and Management of Publicly-Trusted Certificates” as follows, based on 
Version 1.6.0:



 

** Modify the definition of Key Compromise as follows: **

Key Compromise: A Private Key is said to be compromised if its value has been 
disclosed to an unauthorized person or an unauthorized person has had access to 
it.

 

** Modify Section 4.9.1 to read as follows: **



 

4.9.1.1 Reasons for Revoking a Subscriber Certificate

 

The CA SHALL revoke a Certificate within 24 hours if one or more of the 
following occurs:

1. The Subscriber requests in writing that the CA revoke the Certificate;
2. The Subscriber notifies the CA that the original certificate request was not 
authorized and does not retroactively grant authorization;
3. The CA obtains evidence that the Subscriber's Private Key corresponding to 
the Public Key in the Certificate suffered a Key Compromise; or
4. The CA obtains evidence that the validation of domain authorization or 
control for any Fully-Qualified Domain Name or IP address in the Certificate 
should not be relied upon.

The CA SHOULD revoke a certificate within 24 hours and MUST revoke a 
Certificate within 5 days if one or more of the following occurs:
1. The Certificate no longer complies with the requirements of Sections 6.1.5 
and 6.1.6;
2. The CA obtains evidence that the Certificate was misused;
3. The CA is made aware that a Subscriber has violated one or more of its 
material obligations under the Subscriber Agreement or Terms of Use;
4. The CA is made aware of any circumstance indicating that use of a 
Fully-Qualified Domain Name or IP address in the Certificate is no longer 
legally permitted (e.g. a court or arbitrator has revoked a Domain Name 
Registrant's right to use the Domain Name, a relevant licensing or services 
agreement between the Domain 

Re: [cabfpub] [Servercert-wg] Ballot SC6 v3 - Revocation Timeline Extension

2018-09-14 Thread realsky(CHT) via Public

Chunghwa Telecom  votes YES to Ballot SC6 v3. 




   Li-Chun Chen
 
From: Servercert-wg On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Friday, 31 August 2018 21:52
To: CA/B Forum Server Certificate WG Public Discussion List 

Cc: CA/Browser Forum Public Discussion List 
Subject: [Servercert-wg] Ballot SC6 v3 - Revocation Timeline Extension
 
Here is version 3 of this ballot, incorporating changes to v2 suggested by 
Bruce and Ryan (thanks!).

 

I noticed that our current bylaws have reverted back to a fixed-length 
discussion period, so I have changed this version to comply.


==
Ballot SC6 version 3: Revocation Timeline Extension

 

Purpose of Ballot:
Section 4.9.1.1 of the Baseline Requirements currently requires CAs to revoke a 
Subscriber certificate within 24 hours of identifying any of 15 issues 
affecting the certificate. In cases where there is not an immediate threat of 
misuse of the certificate, this requirement can cause undue harm to a 
Subscriber that isn't capable of replacing the certificate prior to revocation. 
This ballot makes a number of improvements to the revocation rules imposed by 
the Baseline Requirements:
* Primarily, it creates a tiered timeline for revocations. The most critical 
"reasons" still require revocation within 24 hours, but for many others 24 
hours becomes a SHOULD and the CA has 5 days before they MUST revoke.
* A new "reason for revocation" was added to address the fact that there is 
currently no requirement for CAs to revoke a certificate when requested by the 
domain name registrant. After considering some more specific language that 
required CAs to follow 3.2.2.4 to validate domain control, I settled on the 
following more general "reason": "The CA obtains evidence that the validation 
of domain authorization or control for any Fully-Qualified Domain Name or IP 
address in the Certificate should not be relied upon."
* Reason #10 states "The CA determines that any of the information appearing in 
the Certificate is inaccurate or misleading;" This ballot removes "or 
misleading" because that is a subjective judgement that could effectively be 
used to justify censorship, as discussed at length in relation to the "Stripe, 
Inc of Kentucky" EV certificates.
* Current reasons #11 and #13 were removed from the section on subscriber 
certificates because they address cases where the intermediate and/or root must 
be revoked, so there isn't much sense (and some possible harm) in requiring 
revocation of all the leaf certs.
* It requires CAs to disclose their problem reporting mechanisms in a standard 
location: CPS section 1.5.2.
* Within 24 hours of receiving a problem report, the CA is now required to 
report back to both the entity reporting the problem and the Subscriber on the 
CA's findings, and to work with the reporter and Subscriber to establish a date 
by which the CA will revoke the certificate.

The following motion has been proposed by  Wayne Thayer of Mozilla and endorsed 
by Tim Hollebeek of DigiCert and Dimitris Zacharopoulos of Harica.


--- MOTION BEGINS ---

This ballot modifies the “Baseline Requirements for the 
Issuance and Management of Publicly-Trusted Certificates” as follows, based on 
Version 1.6.0:



 

** Modify the definition of Key Compromise as follows: **

Key Compromise: A Private Key is said to be compromised if its value has been 
disclosed to an unauthorized person or an unauthorized person has had access to 
it.
 

** Modify Section 4.9.1 to read as follows: **



 

4.9.1.1 Reasons for Revoking a Subscriber Certificate

 

The CA SHALL revoke a Certificate within 24 hours if one or more of the 
following occurs:

1. The Subscriber requests in writing that the CA revoke the Certificate;
2. The Subscriber notifies the CA that the original certificate request was not 
authorized and does not retroactively grant authorization;
3. The CA obtains evidence that the Subscriber's Private Key corresponding to 
the Public Key in the Certificate suffered a Key Compromise; or
4. The CA obtains evidence that the validation of domain authorization or 
control for any Fully-Qualified Domain Name or IP address in the Certificate 
should not be relied upon.

The CA SHOULD revoke a certificate within 24 hours and MUST revoke a 
Certificate within 5 days if one or more of the following occurs:
1. The Certificate no longer complies with the requirements of Sections 6.1.5 
and 6.1.6;
2. The CA obtains evidence that the Certificate was misused;
3. The CA is made aware that a Subscriber has violated one or more of its 
material obligations under the Subscriber Agreement or Terms of Use;
4. The CA is made aware of any circumstance indicating that use of a 
Fully-Qualified Domain Name or IP address in the Certificate is no longer 
legally permitted (e.g. a court or arbitrator has revoked a Domain Name 
Registrant's right to use the Domain Name, a relevant licensing or services 
agreement between the 

Re: [cabfpub] [Servercert-wg] Ballot SC6 v3 - Revocation Timeline Extension

2018-09-14 Thread Mads Egil Henriksveen via Public
Buypass votes YES.


Regards

Mads



From: Servercert-wg On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Friday, 31 August 2018 21:52
To: CA/B Forum Server Certificate WG Public Discussion List 

Cc: CA/Browser Forum Public Discussion List 
Subject: [Servercert-wg] Ballot SC6 v3 - Revocation Timeline Extension



Here is version 3 of this ballot, incorporating changes to v2 suggested by 
Bruce and Ryan (thanks!).



I noticed that our current bylaws have reverted back to a fixed-length 
discussion period, so I have changed this version to comply.


==

Ballot SC6 version 3: Revocation Timeline Extension



Purpose of Ballot:
Section 4.9.1.1 of the Baseline Requirements currently requires CAs to revoke a 
Subscriber certificate within 24 hours of identifying any of 15 issues 
affecting the certificate. In cases where there is not an immediate threat of 
misuse of the certificate, this requirement can cause undue harm to a 
Subscriber that isn't capable of replacing the certificate prior to revocation. 
This ballot makes a number of improvements to the revocation rules imposed by 
the Baseline Requirements:
* Primarily, it creates a tiered timeline for revocations. The most critical 
"reasons" still require revocation within 24 hours, but for many others 24 
hours becomes a SHOULD and the CA has 5 days before they MUST revoke.
* A new "reason for revocation" was added to address the fact that there is 
currently no requirement for CAs to revoke a certificate when requested by the 
domain name registrant. After considering some more specific language that 
required CAs to follow 3.2.2.4 to validate domain control, I settled on the 
following more general "reason": "The CA obtains evidence that the validation 
of domain authorization or control for any Fully-Qualified Domain Name or IP 
address in the Certificate should not be relied upon."
* Reason #10 states "The CA determines that any of the information appearing in 
the Certificate is inaccurate or misleading;" This ballot removes "or 
misleading" because that is a subjective judgement that could effectively be 
used to justify censorship, as discussed at length in relation to the "Stripe, 
Inc of Kentucky" EV certificates.
* Current reasons #11 and #13 were removed from the section on subscriber 
certificates because they address cases where the intermediate and/or root must 
be revoked, so there isn't much sense (and some possible harm) in requiring 
revocation of all the leaf certs.
* It requires CAs to disclose their problem reporting mechanisms in a standard 
location: CPS section 1.5.2.
* Within 24 hours of receiving a problem report, the CA is now required to 
report back to both the entity reporting the problem and the Subscriber on the 
CA's findings, and to work with the reporter and Subscriber to establish a date 
by which the CA will revoke the certificate.

The following motion has been proposed by  Wayne Thayer of Mozilla and endorsed 
by Tim Hollebeek of DigiCert and Dimitris Zacharopoulos of Harica.



--- MOTION BEGINS ---

This ballot modifies the “Baseline Requirements for the 
Issuance and Management of Publicly-Trusted Certificates” as follows, based on 
Version 1.6.0:





** Modify the definition of Key Compromise as follows: **

Key Compromise: A Private Key is said to be compromised if its value has been 
disclosed to an unauthorized person or an unauthorized person has had access to 
it.



** Modify Section 4.9.1 to read as follows: **





4.9.1.1 Reasons for Revoking a Subscriber Certificate



The CA SHALL revoke a Certificate within 24 hours if one or more of the 
following occurs:

1. The Subscriber requests in writing that the CA revoke the Certificate;
2. The Subscriber notifies the CA that the original certificate request was not 
authorized and does not retroactively grant authorization;
3. The CA obtains evidence that the Subscriber's Private Key corresponding to 
the Public Key in the Certificate suffered a Key Compromise; or
4. The CA obtains evidence that the validation of domain authorization or 
control for any Fully-Qualified Domain Name or IP address in the Certificate 
should not be relied upon.

The CA SHOULD revoke a certificate within 24 hours and MUST revoke a 
Certificate within 5 days if one or more of the following occurs:
1. The Certificate no longer complies with the requirements of Sections 6.1.5 
and 6.1.6;
2. The CA obtains evidence that the Certificate was misused;
3. The CA is made aware that a Subscriber has violated one or more of its 
material obligations under the Subscriber Agreement or Terms of Use;
4. The CA is made aware of any circumstance indicating that use of a 
Fully-Qualified Domain Name or IP address in the Certificate is no longer 
legally permitted (e.g. a court or arbitrator has revoked a Domain Name 
Registrant's right to use the Domain Name, a relevant licensing or services 
agreement between the Domain Name Registrant and the 

Re: [cabfpub] [Servercert-wg] Ballot FORUM-4 v2

2018-09-14 Thread Dimitris Zacharopoulos via Public


Following-up on these comments, here is a proposed red-lined version 
that fixes the ETSI references.


Dimitris.

On 14/9/2018 10:06 AM, InigoBarreira via Public wrote:

Tim,

I'd remove all mentions of ETSI TS documents (102 042 and 101 456) in 
all CABF documents. These TSs have not been updated for years, they 
don't reflect the current requirements of the CABF.


Regards

*From:* Servercert-wg [servercert-wg-boun...@cabforum.org] on behalf of 
Tim Hollebeek via Servercert-wg [servercert...@cabforum.org]

*Sent:* Thursday, 13 September 2018 20:46
*To:* Tim Hollebeek; CA/Browser Forum Public Discussion List; Ryan 
Sleevi; servercert...@cabforum.org

*Subject:* Re: [Servercert-wg] Ballot FORUM-4 v2

As discussed on the Validation WG call, this unfortunately is probably 
not going to be possible for this particular ballot.  Ben did a lot of 
work to get the current redlined document to accurately reflect what 
the Bylaws were intended to be at this point.


In the attached version 3, I’ve corrected a typo that was left behind 
after I reverted the ETSI changes.  I would urge a few people to take 
a close look at it and make sure there are no additional errors …


I’ll aim to update the ballot (again, sigh…) once I’ve heard from a 
few people that it looks good based on analysis that is independent of 
mine and Ben’s.


-Tim

*From:* Public *On Behalf Of* Tim Hollebeek via Public
*Sent:* Thursday, September 13, 2018 9:33 AM
*To:* Ryan Sleevi; servercert...@cabforum.org
*Cc:* CABFPub
*Subject:* Re: [cabfpub] [Servercert-wg] Ballot FORUM-4 v2

I’m highly sympathetic to that, especially with a document as 
important as the Bylaws.  I’ve had the same concern as well as I look 
through Ben’s redline.  After looking at it closer on the plane last 
night, I have some concerns about what appear to be some changes to 
cross-references that appear correct, but I’m not sure if they’re needed.


I will also note that I have previously pointed out that according to 
the Bylaws, redlines are REQUIRED, but cannot be trusted in any way, 
shape, or form, as our Bylaws clearly state they are ignored for the 
purposes of updating the requirements.  Yet everyone seems to want to 
review the redlines, not the ballot text.  As I’ve pointed out several 
times, creating an additional representation of the changes that is 
required but cannot be trusted doesn’t help anyone.


This is really, really silly, and I wish people were more vocal and 
active in finding a solution to it that works for everyone.  And no, I 
don’t want to discuss what tools or processes should be used to 
produce redlines.


Each ballot should have one and only one official representation of 
the proposed changes, and no alternative unofficial changes should be 
required.  I’ve circulated several proposals, but I really don’t care 
about the details, as long as the problem is solved.


In this case, I think I’m going to look and see if the Ballot Text 
from 216 applies cleanly to the latest Bylaws, and produce a redline 
based on that.


-Tim

*From:* Ryan Sleevi <sle...@google.com>
*Sent:* Thursday, September 13, 2018 2:15 AM
*To:* Tim Hollebeek; servercert...@cabforum.org
*Cc:* CABFPub <public@cabforum.org>
*Subject:* Re: [Servercert-wg] Ballot FORUM-4 v2

Tim,

I believe there had been a previous suggestion to provide this as a 
clearer redline, rather than an "Adopt Document X". Can you clarify that?


By presenting it as you have, it's going to create more work to even 
make sure that the formatting of the document - claiming to be a 
redline - actually matches to the last canonical version, and that the 
changes you've highlighted in red, are, well the changes to be made.


I hope you can understand why that's more difficult, because it 
requires wholesale comparison rather than taking the previous version 
and showing how it would be corrected.


On Wed, Sep 12, 2018 at 9:20 PM Tim Hollebeek via Servercert-wg 
<servercert...@cabforum.org> wrote:


Ballot FORUM-4 v2: Fix mistakes made during passage of Governance
Reform Ballot 206

Purpose of Ballot

The Governance Reform ballot (Ballot 206 under the old ballot
numbering scheme) was extremely complicated and took roughly two
years to draft.

The changes to the Bylaws from Ballot 216 were intended to be
included in the Governance Reform ballot, but were accidentally
not included.

The attached version of the Bylaws restores the important
discussion period changes that were approved by the members but
then accidentally overwritten.

The following motion has been proposed by Tim Hollebeek of
DigiCert and endorsed by Wayne Thayer of Mozilla and Moudrick
Dadashov of SSC.

--- MOTION BEGINS ---

This ballot replaces the “Bylaws of the CA/Browser Forum” version
  

Re: [cabfpub] [Servercert-wg] Ballot FORUM-4 v2

2018-09-14 Thread InigoBarreira via Public
Tim,

I'd remove all mentions of ETSI TS documents (102 042 and 101 456) in all CABF 
documents. These TSs have not been updated for years, they don't reflect the 
current requirements of the CABF.

Regards

From: Servercert-wg [servercert-wg-boun...@cabforum.org] on behalf of Tim 
Hollebeek via Servercert-wg [servercert...@cabforum.org]
Sent: Thursday, 13 September 2018 20:46
To: Tim Hollebeek; CA/Browser Forum Public Discussion List; Ryan Sleevi; 
servercert...@cabforum.org
Subject: Re: [Servercert-wg] Ballot FORUM-4 v2

As discussed on the Validation WG call, this unfortunately is probably not 
going to be possible for this particular ballot.  Ben did a lot of work to get 
the current redlined document to accurately reflect what the Bylaws were 
intended to be at this point.

In the attached version 3, I’ve corrected a typo that was left behind after I 
reverted the ETSI changes.  I would urge a few people to take a close look at 
it and make sure there are no additional errors …

I’ll aim to update the ballot (again, sigh…) once I’ve heard from a few people 
that it looks good based on analysis that is independent of mine and Ben’s.

-Tim

From: Public On Behalf Of Tim Hollebeek via Public
Sent: Thursday, September 13, 2018 9:33 AM
To: Ryan Sleevi; servercert...@cabforum.org
Cc: CABFPub
Subject: Re: [cabfpub] [Servercert-wg] Ballot FORUM-4 v2

I’m highly sympathetic to that, especially with a document as important as the 
Bylaws.  I’ve had the same concern as well as I look through Ben’s redline.  
After looking at it closer on the plane last night, I have some concerns about 
what appear to be some changes to cross-references that appear correct, but I’m 
not sure if they’re needed.

I will also note that I have previously pointed out that according to the 
Bylaws, redlines are REQUIRED, but cannot be trusted in any way, shape, or 
form, as our Bylaws clearly state they are ignored for the purposes of updating 
the requirements.  Yet everyone seems to want to review the redlines, not the 
ballot text.  As I’ve pointed out several times, creating an additional 
representation of the changes that is required but cannot be trusted doesn’t 
help anyone.

This is really, really silly, and I wish people were more vocal and active in 
finding a solution to it that works for everyone.  And no, I don’t want to 
discuss what tools or processes should be used to produce redlines.

Each ballot should have one and only one official representation of the 
proposed changes, and no alternative unofficial changes should be required.  
I’ve circulated several proposals, but I really don’t care about the details, 
as long as the problem is solved.

In this case, I think I’m going to look and see if the Ballot Text from 216 
applies cleanly to the latest Bylaws, and produce a redline based on that.

-Tim

From: Ryan Sleevi <sle...@google.com>
Sent: Thursday, September 13, 2018 2:15 AM
To: Tim Hollebeek <tim.holleb...@digicert.com>; 
servercert...@cabforum.org
Cc: CABFPub <public@cabforum.org>
Subject: Re: [Servercert-wg] Ballot FORUM-4 v2

Tim,

I believe there had been a previous suggestion to provide this as a clearer 
redline, rather than an "Adopt Document X". Can you clarify that?

By presenting it as you have, it's going to create more work to even make sure 
that the formatting of the document - claiming to be a redline - actually 
matches to the last canonical version, and that the changes you've highlighted 
in red, are, well the changes to be made.

I hope you can understand why that's more difficult, because it requires 
wholesale comparison rather than taking the previous version and showing how it 
would be corrected.

On Wed, Sep 12, 2018 at 9:20 PM Tim Hollebeek via Servercert-wg 
<servercert...@cabforum.org> wrote:
Ballot FORUM-4 v2: Fix mistakes made during passage of Governance Reform Ballot 
206

Purpose of Ballot

The Governance Reform ballot (Ballot 206 under the old ballot numbering scheme) 
was extremely complicated and took roughly two years to draft.
The changes to the Bylaws from Ballot 216 were intended to be included in the 
Governance Reform ballot, but were accidentally not included.

The attached version of the Bylaws restores the important discussion period 
changes that were approved by the members but then accidentally overwritten.

The following motion has been proposed by Tim Hollebeek of DigiCert and 
endorsed by Wayne Thayer of Mozilla and Moudrick Dadashov of SSC.

--- MOTION BEGINS ---

This ballot replaces the “Bylaws of the CA/Browser Forum” version 1.9 with 
version 2.0 of those Bylaws, attached to this ballot.

--- MOTION ENDS ---

The procedure for approval of this ballot is as follows:

Discussion (7 days)

Start Time: 2018-09-12, 9:30 pm Eastern Time

End Time: 2018-09-19, 9:30 pm Eastern Time

Vote for approval (7 days)

Start Time: 2018-09-19, 9:30 pm Eastern Time