Hello, Michael Barrett here.
Back in February, my team and I came to the CA/Browser Forum to initiate a reform process to help grow that organization into a more mature and capable body, able to address the growing threats to trust on the Internet and the looming crisis of confidence in the Certificate Authority system.
In the wake of the DigiNotar breach and other weaknesses appearing across the HTTPS ecosystem, we felt that several systematic problems stood in the way of improving this critical part of the Internet’s trust infrastructure – problems that would require coordination among browsers, CAs and website operators to solve. Although the CA/Browser Forum was not set up to deal with these problems in its current form, it was the best thing available – the place where we had most of “the right people in the room”, representing the vast majority of the market share of web browsers, operating systems, smartphone platforms and the certificate issuers themselves – we just needed to have representation for users to establish legitimate technical trust requirements.
In response to our request, the organization agreed to solicit ideas and comments from the larger Internet community for the first time in its history, and together we embarked on a process to explore ways to move the organization forward. That process came to an end with a vote among current Forum members a few days ago, and the organization has chosen not to step into a larger role. Despite calls from across the Internet community for openness and inclusiveness, the CA/Browser Forum chose to remain a closed group concerned primarily with the details of audit requirements for browser trust store programs; visible to, but with no vote for, the user community. With this action, we believe the CABF remains a crippled institution that cannot adequately address the full range of certificate issues impacting literally billions of Internet users. Sadly, the moment that the CA/Browser Forum has chosen to make its proceedings publicly visible also appears to be the moment they’ve decided they should be largely irrelevant.
The issues for which the Forum has chosen to sidestep responsibility remain and grow more urgent. While disappointed, my team and I remain committed to the Internet being a safe and secure place to socialize, organize, communicate and conduct commerce.
We will work where we can to advance and preserve an Internet that deserves users' trust: in public/private partnerships, in direct collaboration with industry partners, in organizations like the IETF, W3C, and other fora where we and others can participate on an equitable basis. Given the importance of these issues and the continued lack of any credible multi-stakeholder, self-governing organization to address them, we expect increased national and international regulatory pressure and will work within organizations like the ITU, where these issues are certain to be raised.