Opera's CABForum reorganization position paper
By Yngve Nysæter Pettersen (yngve). Friday, March 30, 2012 11:12:05 PM
A few weeks ago we told of the recent CABForum initiative to consider reorganizing the forum, and its request for public input into this process.
Today, Opera submitted its position paper to the CABForum, discussing some of the important aspects the initiative will need to consider:
Dear CABForum,
Below you will find some thoughts we at Opera Software have had about the changes being considered for the CABForum organization, as they might affect the membership and work process of the forum.
Expansion of membership
At present, the CABForum's membership, which includes, and will continue
to include Opera, consists of certificate authorities, browsers and other
clients that use certificates, plus a few observers, such as WebTrust and
PayPal.
A possible outcome of the reorganization under consideration is the
forum opening to new categories of members. Which groups should
be eligible for membership, what should the criteria for joining be, and
how will such an extension affect the CABForum's work?
Possible membership categories
New members should, as now, be approved by the existing forum members
before they are allowed to join. This is to ensure that perspectives
offered by the new members are relevant to the work done by the forum.
- Websites, other certificate subscribers
It is our opinion that website operators, OS and software vendors, and
others who rely on certificates in their work (i.e., subscribers) and who
have an interest in the topic, should be able to join.
- Users
This is the largest group of potential members, as it includes every
internet user in the world. The browser vendors have seen it as their
responsibility to guard the interests of users, but, as in any area, there
are those who will disagree with the positions taken. It might, therefore,
be beneficial to have more user-related viewpoints represented.
As the "users" category is so large, it is not very practical to open the
CABForum to individual users. Instead, organizations that represent groups
of users and that have an interest in what the CABForum works on should be
allowed to join the forum.
- Independent experts
While many of the members will have experts working in many areas within
the CABForum's purview and will draw on those experts' expertise while
working in the forum, other independent experts may provide different and
relevant viewpoints.
Security is not the only area where such experts may prove useful; other
areas are UI, lawyers, etc., and experts in these areas with an additional
interest in the topics covered by the forum should be allowed to join.
Both experts and user representatives might either apply to join or be
invited. In either case, new memberships must be approved by the existing
group, as detailed above.
Relationships with other standards organizations
Several other standards organizations work in areas that are either
overlapping or related to the areas that the CABForum covers.
Opera thinks the CABForum should establish relationships with relevant
standards organizations, so each can be kept up to date on what is going
on in the other organization.
Impact on work process
Increasing the membership of the forum will very likely cause trouble with
at least two areas of the current work process in the CABForum: balloting
the proposed specification and how public the group's discussions should be.
At present, there are different ballot majority rules for the CAs and the
browsers, and they are considered separately due to the huge difference in
numbers between the CA populace and the browser populace, in order to
prevent one group from steamrollering the other.
If more categories of members join the CABForum, then not only will such a
ballot system quickly become difficult to maintain, but also it may make
it very difficult to perform the balloting, at least in a meaningful
fashion.
We think it will, therefore, be necessary to change the final approval
phase of the CABForum work flow towards one based on achieving consensus
about a new specification in a working group, before issuing a Last Call
to the members. Once the Last Call has been completed, and the issues
resolved (which might be that nothing should be done about it or that it
is an issue to handle in the next version), then the specification is
considered ready to be published.
The second aspect of the work process that needs to be considered is
whether discussions should be public or private.
Opera thinks most discussion should be public, but there should still be
non-public discussion venues that can only be seen by members of the
CABForum. This system would be similar to the arrangement used by W3C.
IPR
With respect to Intellectual Property Rights (IPR), particularly patents,
Opera's position is that standards should be unencumbered by IPR claims,
and in the event that such claims are made, implementors of the standard
should be granted a free license to use the IPR, a so-called RAND-Z
license.
Sincerely,
Opera Software ASA
www.opera.com
Other announcements
In related news, we would like to thank Burak Beyzadeoğlu for his assistance in discovering and fixing several security issues with Opera's web sites.








leohims # Sunday, April 1, 2012 6:49:44 PM
Charles Schloss (Chas4) # Monday, April 2, 2012 5:08:25 AM
The biggest effect the CABForum has is on the Internet and its users
Charles Schloss (Chas4) # Tuesday, April 24, 2012 3:54:38 PM
Comments open for NIST-proposed updates to Digital Signature Standard
http://isc.sans.edu/diary.html?storyid=13033
Charles Schloss (Chas4) # Thursday, May 24, 2012 12:07:39 AM
SSL fix flags forged certificates before they're accepted by browsers
An IETF proposal hopes to mend cracks in the Internet's foundation of trust.
http://arstechnica.com/security/2012/05/ssl-fix-flags-forged-certificates-before-theyre-accepted-by-browsers/