PayPal is pleased to note the creation of a working group at the CA/Browser Forum to address rechartering itself as a more mature and capable organization with a broader scope of action. We are entirely supportive of the work; indeed, we believe it is vital. Through collaborative efforts like Extended Validation Certificates, the CA/Browser Forum has already played an important role in promoting consumer trust online. However, recent events such as the DigiNotar compromise have demonstrated that the foundations of Internet trust are under increasingly serious threat, and that the community is reaching the limits of our ability to respond, in both the technical and policy arenas.
In the short term, technical innovation will be a key part of that response, and a forum is needed to host collaborative requirements gathering, research, and alignment among various stakeholders in the HTTPS ecosystem. In the medium and long term, better governance and incentives for the consumer PKI market are needed to insure that it can accommodate and adapt to the rapid growth and diversity of both legitimate uses and emerging threats. PayPal believes that an open, public, multi-stakeholder process provides a proven model for these activities. PayPal, our users and our merchant community depend on the security and trust of the X.509 and TLS technologies. As a longstanding industry leader, PayPal would continue to commit significant resources towards advancing and defending a secure Internet at a reformed CA/Browser Forum.
We believe a reformed CA/Browser Forum should:
- Represent the voices of all stakeholder communities
- Certification authorities
- Software vendors of web browsers and other PKI trust stores
- CA customers, governments and the browser-using public
- Experts in the technical, legal, audit and privacy communities
- Deliver market reform, operational guidance, audit frameworks and management policies
- Include uses of certificates beyond the browser in its considerations and recommendations
- Avoid the creation of new technical standards
- Minimize overlap and conflict with existing bodies such as the IETF
- Minimize the intellectual property rights commitments required to participate
- Provide a pre-standards track incubation and discussion space
- Organize industry opinion, provide problem statements, requirements and indications of interest to support the charter of working groups in standards setting organizations such as the IETF or W3C
- Operate publicly and transparently
- Advance recommendations by voting rights, rather than a consensus-driven, process
- Structure representation in the decision process via a constituency-based, election process
- Provide a balance of power by giving each stakeholder constituency a meaningful voice
- Prevent minority interests or a single constituency group from controlling outcomes
- Be enabled to provide necessary ongoing operational capabilities, including but not limited to marketing and outreach
- Deliver recommendations that may be freely and voluntarily adopted by members and non-members alike
These reforms represent a somewhat radical departure from the current, closed structure of the CA/Browser forum, but the industry is at a time of great challenges. We fear that missing this opportunity to embrace change from within will inevitably lead to change being forced on the industry from the outside. The consequences of governmental or ITU takeover of PKI governance – Internet trust fractured across national borders and cumbersome regulatory regimes that impair growth and innovation in secure online services – would be costly and please few.
By reforming the organization along the lines proposed here, Certification Authorities and other industry stakeholders can be flexible, responsive and agile in a way that government regulation and more rigid, centralized oversight cannot. We sincerely hope the CA/Browser Forum will embrace the opportunity to act decisively and credibly, and take on broader responsibility for promoting the growth and maintenance of the public PKI and certificate ecosystem in the interests of Internet security and the broader public good.
We have submitted these remarks as our public position to the CA/Browser Forum reform working group, and encourage other interested stakeholders to submit comments and support these important goals at: firstname.lastname@example.org.