Ben,

This seems like a good option. I’d say maybe we need to increase the 6-month
period to 12; otherwise, within a 6-month period there may only be 1 F2F.
Requiring attendance (remote or in-person) if there’s only 1 F2F in the
time-span could be hard if there’s a case of bad timing.

Additionally, I’d like to request the addition of an additional criterion
(although it’s related to the “publish how it decides to add or remove a CA
certificate from its list.” item). I’d like to request we add a requirement to:

* Publish how a CA can apply for inclusion in its root store

With this addition, I’d be happy to endorse.

Regards,

Martijn

From: Servercert-wg <[email protected]> On Behalf Of Ben 
Wilson via Servercert-wg
Sent: Thursday, 31 August 2023 00:50
To: CA/B Forum Server Certificate WG Public Discussion List 
<[email protected]>
Subject: [Servercert-wg] Proposed Revision of SCWG Charter

All,

Thanks for your suggestions and recommendations. I think we are much closer to
an acceptable revision of the Server Certificate Working Group Charter. Here is
the current draft:
https://github.com/cabforum/forum/blob/BenWilson-SCWG-charter-1.3/SCWG-charter.md

We have decided that a participation/attendance requirement for ongoing
membership is currently too complicated to manage, but we believe it is
important that there be a probationary period of six months during which all
new CABF-voting applicants must attend at least 30% of the teleconferences and
at least the SCWG portion of one F2F (virtually or in-person). See section 4(d)
in the draft cited above. We believe that with this limited scope, we can and
should measure attendance to ensure that prospective members are serious about
participating in the Forum.

We no longer seek to require that a Certificate Consumer have any particular
size or user base (or that they meet other criteria that were floated in recent
emails). Those criteria were also currently too complicated. However, in
addition to those Certificate Consumer requirements that are in the existing
charter, we want a Certificate Consumer to:

* have public documentation stating that it requires Certificate Issuers
  to comply with the TLS Baseline Requirements;
* maintain a list of CA certificates used to validate the chain of trust
  from a TLS certificate to a CA certificate in such list; and
* publish how it decides to add or remove a CA certificate from its list.

I am looking for two endorsers of a FORUM ballot, so if the above-referenced
draft is generally acceptable, please contact me, and we can work out any
remaining details.

Thanks,

Ben

On Tue, Jul 25, 2023 at 11:07 PM Roman Fischer via Servercert-wg
<[email protected]> wrote:

Dear Ben,

I like your two new suggestions as they offer more lightweight mechanisms.

One other idea (completely ad hoc and not really thought through) would be to
change the charter to allow suspension of members from the SCWG by ballot. That
way a ballot could be proposed, discussed, endorsed and voted on. And since the
state of “suspended membership” is well defined (including the way back to full
membership), this might offer the “accused” member enough possibility to
counter the “allegations” made in the ballot. It would also make transparent
who wants to suspend whom for what reasons…

Kind regards
Roman

From: Ben Wilson <[email protected]>
Sent: Tuesday, 25 July 2023 17:40
To: Roman Fischer <[email protected]>
Cc: CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
Subject: Re: [Servercert-wg] Participation Proposal for Revised SCWG Charter

Thanks for your insights, Roman.

I'm not yet convinced that the attendance approach would not be effective.
Nevertheless, here are some other potential alternatives to discuss:

1 - require that a Certificate Consumer have a certain size userbase, or
alternatively, that they be a Root Store member of the Common CA Database
<https://www.ccadb.org/rootstores/how>, or

2 - require that a Certificate Consumer pay a membership fee to the CA/Browser
Forum.

Does anyone have any other ideas, proposals, or suggestions that we can discuss?

The approaches listed above would be in addition to the following other
requirements already proposed:

The Certificate Consumer has public documentation stating that it requires
Certification Authorities to comply with the CA/Browser Forum’s Baseline
Requirements for the issuance and maintenance of TLS server certificates; its
membership-qualifying software product uses a list of CA certificates to
validate the chain of trust from a TLS certificate to a CA certificate in such
list; and it publishes how it decides to add or remove a CA certificate from
the root store used in its membership-qualifying software product.

Thanks,

Ben

On Mon, Jul 24, 2023 at 10:48 PM Roman Fischer <[email protected]> wrote:

Dear Ben,

As stated before, I’m against minimal attendance (or even participation –
however you would measure that, numbers of words spoken or written?)
requirements. I’ve seen in university, in private associations, politics… that
this simply doesn’t solve the problem. I totally agree with Tim: It will create
administrative overhead and not solve the problem.

IMHO non-participants taking part in the democratic process (i.e. voting) is
just something we have to accept and factor in. It’s one end of the extreme
spectrum. There might be over-active participants that overwhelm the group by
pushing their own agenda… If we have minimum participation requirements, then
we maybe should also have maximum participation rules? 😉

Rgds
Roman

From: Servercert-wg <[email protected]> On Behalf Of Ben Wilson via
Servercert-wg
Sent: Monday, 24 July 2023 21:40
To: Tim Hollebeek <[email protected]>; CA/B Forum Server Certificate WG Public
Discussion List <[email protected]>
Subject: Re: [Servercert-wg] Participation Proposal for Revised SCWG Charter

Tim,

One problem we're trying to address is the potential for a great number of 
“submarine voters”.  Such members may remain inactive for extended periods of 
time and then surface only to vote for or against something they suddenly are 
urged to support or oppose, without being aware of the issues.  This will skew 
and damage the decision-making process.  

Another problem, that I don't think has been mentioned before, is the 
reliability of the CA/Browser Forum to adopt well-informed standards going 
forward.  In other words, if something like I suggest happens, then I can see 
Certificate Consumers leaving the Forum and unilaterally setting very separate 
and distinct rules. This will result in fragmentation, inconsistency, and much 
more management overhead for CAs than the effort needed to keep track of 
attendance, which is already being done by the Forum.  (If you'd like, I can 
share with everyone the list of members who have not voted or attended meetings 
in over two years.) 

Ben

On Mon, Jul 24, 2023 at 11:41 AM Tim Hollebeek <[email protected]> wrote:

What is your argument in response to the point that any potential bad actors
will be trivially able to satisfy the participation metrics?

I’m very worried we’ll end up doing a lot of management and tracking work,
without actually solving the problem.

-Tim

From: Ben Wilson <[email protected]>
Sent: Monday, July 24, 2023 10:21 AM
To: Ben Wilson <[email protected]>; CA/B Forum Server Certificate WG Public
Discussion List <[email protected]>
Cc: Tim Hollebeek <[email protected]>
Subject: Re: [Servercert-wg] Participation Proposal for Revised SCWG Charter

All,

I have thought a lot about this, including various other formulas (e.g. market 
share) to come up with something reasonable, but I've come back to attendance 
as the key metric that we need to focus on. I just think that an attendance 
metric provides the only workable, measurable, and sound solution for 
determining the right to vote as a Certificate Consumer because it offers the 
following three elements:

* Informed Decision-Making: Voting requires a comprehensive understanding
  of ongoing discussions and developments. Regular attendance provides members
  with the necessary context and knowledge to make well-informed decisions.
* Commitment: Attendance is a tangible and measurable representation of a
  member's commitment to the Server Certificate WG and its objectives. It
  demonstrates a genuine interest in contributing to the development and
  improvement of the requirements.
* Active Involvement: By prioritizing attendance, we encourage active
  involvement and discourage passive membership. Voting rights should be earned
  through consistent engagement, as this ensures that decisions are made by those
  who are genuinely invested in the outcomes.

At this point, I'm going to re-draft a proposal for a revision to the Server 
Certificate WG Charter and present it on the public list (because an eventual 
revision of the Charter will have to take place at the Forum level).

Thanks,

Ben

On Thu, Jul 13, 2023 at 9:45 AM Ben Wilson via Servercert-wg
<[email protected]> wrote:

Thanks, Tim.

All,

I will look closer at the distribution and use of software for browsing the
internet securely, instead of participation metrics. There is at least one
source, StatCounter (https://gs.statcounter.com/browser-market-share), that
purports to measure use of browsing software, both globally and regionally.
Would it be worthwhile to explore distribution by region and come up with a
reasonable threshold? Can we rely on StatCounter, or should we look elsewhere?

Thanks,

Ben

On Wed, Jul 12, 2023 at 9:30 AM Tim Hollebeek via Servercert-wg
<[email protected]> wrote:

I have a meaningful comment.

I don’t want to ever have to discuss or judge whether someone’s comment is
“meaningful” or not, and I don’t think incentivizing people to post more
comments than they otherwise would is helpful.

I also think getting the chairs involved in any way in discussing whether a
member representative did or did not have a medical condition during a
particular time period is an extremely bad idea.

Given that the original issue was trying to determine whether a certificate
consumer is in fact a legitimate player in the ecosystem or not, I would
suggest that exploring metrics like market share might be far more useful.
Metrics like participation are rather intrusive and onerous, except to those
who are trying to game them, and those trying to game such metrics will succeed
with little or no effort.

-Tim

From: Servercert-wg <[email protected]> On Behalf Of Roman Fischer via
Servercert-wg
Sent: Wednesday, July 12, 2023 7:23 AM
To: CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
Subject: Re: [Servercert-wg] Participation Proposal for Revised SCWG Charter

Dear Ben,

Mandatory participation has in my experience never resulted in more or better
discussions. People will dial into the telco and let it run in the background
to “earn the credits”.

Also, what would happen after the 90 day suspension? Would the organization be
removed as a CA/B member?

Rgds
Roman

From: Servercert-wg <[email protected]> On Behalf Of Ben Wilson via
Servercert-wg
Sent: Friday, 7 July 2023 21:59
To: CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
Subject: [Servercert-wg] Participation Proposal for Revised SCWG Charter

All,

Here is a draft participation proposal for the SCWG to consider and discuss for
inclusion in a revised SCWG Charter.

#. Participation Requirements to Maintain Voting Privileges

(a) Attendance. The privilege to vote “Yes” or “No” on ballots is suspended
for 90 days if a Voting Member fails to meet the following attendance
requirement over any 365-day period:

* 10% of SCWG meetings for Voting Members located in time zones offset by
  UTC +5 through UTC +12
* 30% of SCWG meetings for Voting Members located in all other time zones

(b) Meaningful Comments. Posting a Meaningful Comment is an alternative means
of meeting the attendance requirement in subsection (a). A Voting Member can
earn an attendance credit to make up for each missed meeting by posting a
Meaningful Comment to the SCWG Public Mail List. Each Meaningful Comment is
equal to attending one (1) meeting.

A Meaningful Comment is one that follows the Code of Conduct and provides
relevant information to the SCWG, such as new information, an insight,
suggestion, or perspective related to the Scope of the SCWG, or that proposes
an improvement to the TLS Baseline Requirements or EV Guidelines. It can also
be something that responds to or builds on the comments of others in a
meaningful way, or that offers feedback, suggestions, or solutions to the
issues or challenges raised by the topic of discussion.

A Meaningful Comment should be both relevant (within the Scope of the SCWG or
related to the discussion that is taking place on the mailing list) and
well-supported (clear reasons why the Voting Representative believes what they
believe and supported by facts, data, or other information).

(c) A Voting Member that has failed to meet the attendance requirement in
subsection (a) above is considered an "Inactive Member". Any Member who
believes that any other Member is an Inactive Member may report that Member on
the Forum's Management List by providing specific information about that
Member's non-participation, and the SCWG Chair shall send written notice to the
Inactive Member by email within seven (7) calendar days. The notice will
include a reminder of the requirement to participate and inform the Inactive
Member of the consequences of not participating.

(d) Suspension of Voting Privileges. The Inactive Member's privilege to vote
“Yes” or “No” on any ballot shall be temporarily suspended for a period of 90
days from the date of the notice. During the suspension period, the Inactive
Member may vote “Abstain” on ballots.

(e) Restoration of Voting Privilege. Voting privileges will be automatically
restored to the Inactive Member upon attending three consecutive meetings. The
restoration of voting privileges will be effective on the next ballot that
enters the voting period after the Inactive Member meets the reactivation
criteria.

(f) Exceptional Circumstances. In cases where an Inactive Member can
demonstrate justifiable reasons for their inability to participate, such as
medical conditions or other extenuating circumstances affecting their Voting
Representative(s), the SCWG Chair may review and consider reinstating voting
privileges on a case-by-case basis.

Thanks,

Ben

_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg