Mozilla CA Program Roundtable Discussion


Ben Wilson

Apr 7, 2025, 1:13:19 PM
to dev-secur...@mozilla.org

Greetings,

I’d like to announce that the Mozilla CA Program will hold a roundtable discussion on Zoom to gather feedback and ideas to improve our root program.

The roundtable will be scheduled for 90 minutes, although we may adjourn early if we complete our discussions. I am currently considering holding this on an upcoming Friday at 14:00 UTC, and would appreciate input on which of the following dates might work best for potential attendees (Doodle Poll): April 18, April 25, May 2, or May 16.

The purpose of the meeting would be to engage in open, constructive dialogue regarding:

  • Suggested improvements to the Mozilla Root Store Policy
  • Updates or enhancements to CA-related wiki pages
  • Efficiency and effectiveness during the root inclusion process or with CA incident handling
  • Clarity and consistency of Mozilla program communications
  • Broader discussions re: paths forward for the Web PKI

Also, if you have suggestions for specific topics you'd like discussed, or if there are particular areas where you think we can do better, please feel free to share those with me off-list. Your feedback will help shape the agenda for the roundtable.

I’ll share a Zoom link once the date and time have been finalized.

Thank you,

Ben


Ben Wilson

Apr 8, 2025, 4:09:40 PM
to dev-secur...@mozilla.org
Greetings,
It looks like the best time for this roundtable discussion will be Friday, May 16, 2025, at 1400 UTC.
Here is the registration link for the meeting:  https://mozilla.zoom.us/meeting/register/_IcrRRB6TuqcZVG7VcB-EA.
Upon registering, you will receive a confirmation email with the meeting link and passcode.  
We look forward to your participation!
Thanks,
Ben


Matt Palmer

Apr 9, 2025, 7:09:23 PM
to dev-secur...@mozilla.org
On Mon, Apr 07, 2025 at 11:13:04AM -0600, 'Ben Wilson' via dev-secur...@mozilla.org wrote:
> I’d like to announce that the Mozilla CA Program will hold a roundtable
> discussion on Zoom to gather feedback and ideas to improve our root program.

I would like to express my strong disapproval of this approach to
discussing the Mozilla root program. It disadvantages those in
timezones which do not align with the chosen one, and also anyone who is
unable for whatever reason to be available at the specified time.
Further, there are already far too many instances of (variations of) the
phrase "that was discussed at the F2F" in various places, seemingly used
in an attempt to shut down discussion, and the addition of the phrase
"that was discussed in the Zoom" will not improve the situation.

It would be far more inclusive for all discussion to take place on
async-friendly mediums, in forms that are amenable to archiving and
straightforward referencing.

> The roundtable will be scheduled for 90 minutes

[...]

> The purpose of the meeting would be to engage in open, constructive
> dialogue regarding:
>
> - Suggested improvements to the Mozilla Root Store Policy
> - Updates or enhancements to CA-related wiki pages
> - Efficiency and effectiveness during the root inclusion process or with
> CA incident handling
> - Clarity and consistency of Mozilla program communications
> - Broader discussions re: paths forward for the Web PKI

I could talk, single-handedly, for 90 minutes on each of those topics,
and I'm not even particularly deeply involved in the minutiae of the
WebPKI.

- Matt

Ben Wilson

Apr 23, 2025, 4:14:32 PM
to dev-secur...@mozilla.org, Matt Palmer

Hi Matt,

Thanks for your feedback and for sharing your concerns.

To clarify, this meeting is not intended to replace or diminish any of the existing asynchronous channels for discussion about the Mozilla root program, such as this list, Bugzilla, and GitHub. They all remain the primary forums for open, transparent, and inclusive input regarding the root program. The round-table discussion is meant only to supplement these by specifically focusing attention toward improving the root program.

While I understand, respect, and agree with your points that accessibility and transparency are important, I plan to move forward, but I commit to making the outcomes of the meeting available to the greatest extent possible with notes and follow-up discussions here to ensure that all interested parties can stay informed and contribute.

Again, we appreciate your participation and involvement in our ongoing discussions, in which your insights are always highly valued.

Thanks again,

Ben





Ben Wilson

Apr 23, 2025, 4:24:34 PM
to dev-secur...@mozilla.org

Greetings all,

I have created a survey (pasted below) to help shape the agenda for the round-table discussion scheduled for Friday, May 16, 2025.

The survey will help identify the topics you’re most interested in discussing.

Please take a few minutes to review the list of potential topics and indicate your level of interest. Your input will help us prioritize the topics and ensure that the discussion is productive and relevant. You’re welcome to suggest additional topics at the bottom of the survey. I’ll share a draft agenda and event details here once I’ve reviewed the responses.

Thanks,

Ben 

SURVEY

Respondent Information

  • Name (optional)

  • Organization (optional)

  • Email (optional)

Mozilla Root Store Policy (MRSP) and Governance

  • Adding MRSP Issues in GitHub
    (Collecting and managing proposed policy changes using GitHub’s issue tracker for transparency and collaboration)

  • Gather suggestions for improvements to incorporate into MRSP v.3.1
    (Soliciting input to shape the next version of the Mozilla Root Store Policy)

  • Triaging and prioritizing the MRSP Issues listed in GitHub
    (Deciding which proposed policy updates should be addressed first and how to resolve them)

  • Mozilla's compliance expectations for new MRSP v.3.0 requirements
    (Clarifying how CAs should interpret and comply with newly effective policy requirements)

  • Re-prioritization of Mozilla’s root store policy initiatives and general work conducted
    (Evaluating whether Mozilla's current focus areas still align with ecosystem needs)


Community Engagement and Communication

  • Improving community engagement during policy discussions
    (Exploring ways to increase participation and constructive input in dev-security-policy or GitHub threads)

  • Improving professionalism and civility and reducing friction during discussions
    (Establishing norms and tools that encourage respectful dialogue and reduce hostility)

  • Improving the clarity and effectiveness of dev-security-policy announcements
    (Making communications clearer and more actionable for stakeholders)


Mozilla CA Wiki and Documentation

  • Improving and updating information stored on the Mozilla CA wiki
    (Refreshing outdated content and improving the structure of CA guidance documentation)

  • Updating the Mozilla CA wiki’s list of recommended practices
    (Reviewing and expanding best-practice examples for CA operations and disclosures)

  • Updating the Mozilla CA wiki’s list of problematic practices
    (Clarifying behaviors that could result in compliance concerns or distrust discussions)


CA Compliance and Maturity

  • Improving the quality of CAs’ Certification Practice Statements
    (Identifying common CPS issues and helping CAs meet expectations more effectively)

  • Improving CA compliance posture, sophistication, i.e. the CA maturity model
    (Discussing tools and benchmarks to measure and raise the maturity of CA operations)

  • Challenges that CAs face
    (Gathering CA pain points or systemic barriers to compliance or improvement)


Root Inclusion and Incident Handling

  • Improving the speed and quality of Mozilla's root inclusion process
    (Exploring ways to streamline reviews and have public discussion while maintaining security and public transparency)

  • Improving Bugzilla's usefulness for tracking incidents and root inclusion requests
    (Considering structured fields, labels, and templates to make Bugzilla more useful and efficient)


CCADB Feedback

  • Gather feedback on CCADB usability, usefulness, and public reports
    (Collecting insights on how to improve the CCADB’s workflows, and reporting)


Certificate Lifecycle and Automation

  • Revising and improving revocation reason codes to match real-world revocation scenarios and to improve CRLite
    (Ensuring revocation codes better reflect root program needs and help optimize revocation checking)

  • Promoting and educating subscribers to help them implement automation of certificate lifecycle processes
    (Identifying ways to support and encourage automation among certificate users)

Open Comments

  • Revisions / tweaks to topic(s) listed above

  • Additional topics to discuss 

  • Interested in leading the discussion of one of the topics? And if so, which one(s)?




--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/893fdc14-8032-4ac5-afd2-6fac96f8c93cn%40mozilla.org.

Mike Shaver

Apr 23, 2025, 4:32:51 PM
to Ben Wilson, dev-secur...@mozilla.org, Matt Palmer
For what it’s worth, as someone who is not able to attend the scheduled times, I’m happy that there’s another medium for people to use to participate in discussion about the CA program. I have confidence that Ben and Mozilla will maintain their high standards of transparency and inclusion with this process.

Mike


Ben Wilson

May 8, 2025, 2:29:17 PM
to dev-secur...@mozilla.org

Hi everyone,

I’m really looking forward to our upcoming Mozilla CA Program roundtable discussion. It's happening next Friday, May 16th, and it will be a great opportunity to connect, share ideas, and discuss the Mozilla root program.

To make sure the agenda reflects your interests and priorities, I’d greatly appreciate your taking a few minutes to fill out the survey: https://forms.gle/Ks3rbQxdkjETR7uJ7. Even if you can’t attend the teleconference, your input via the survey will help shape what we focus on — and I’ll make meeting notes or a summary available afterward.

Thanks in advance.

Ben

Rich Salz

May 8, 2025, 3:04:14 PM
to Ben Wilson, dev-secur...@mozilla.org
On Thu, May 8, 2025 at 2:29 PM 'Ben Wilson' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:

> I’m really looking forward to our upcoming Mozilla CA Program roundtable discussion. It's happening next Friday, May 16th, and it will be a great opportunity to connect, share ideas, and discuss the Mozilla root program.
>
> To make sure the agenda reflects your interests and priorities, I’d greatly appreciate your taking a few minutes to fill out the survey: https://forms.gle/Ks3rbQxdkjETR7uJ7. Even if you can’t attend the teleconference, your input via the survey will help shape what we focus on — and I’ll make meeting notes or a summary available afterward.

So the survey is for things to have on the agenda?  With 1 NO! and 5 YES! ?

Mike Shaver

May 8, 2025, 3:32:14 PM
to Rich Salz, Ben Wilson, dev-secur...@mozilla.org
Yeah, 1 is "least interested" and 5 is "most interested".


Ben Wilson

May 12, 2025, 1:23:20 PM
to dev-secur...@mozilla.org
All,

Listed below are some of the survey results and the top-scoring topics for Friday's roundtable discussion. It appears that Mozilla's expectations about CA compliance scored highly. Handling and prioritizing policy changes also scored high, as did improving the speed and quality of the root inclusion process. 

We also received comments that:

  • more community-driven technical support is needed to help end users meet shorter certificate validity periods;
  • recurring CA compliance issues may be due to unclear guidance in the CA/B Forum Baseline Requirements or in root store policies, which should be fixed;
  • alternative incident reporting should be allowed for incidents involving minor, non-security-related issues; and
  • root store policies seem to be diverging from CA/B Forum Baseline Requirements.

From this feedback, I'll work up and circulate an agenda. However, given the limited time and discussion format, we'll also have to prioritize and select topics based on the best use of our time.

Thanks,
Ben

Score   Topic

4.14    Updating the Mozilla CA wiki’s list of problematic practices (Clarifying behaviors that could result in compliance concerns or distrust discussions)

4.00    Mozilla's compliance expectations for new MRSP v.3.0 requirements (Clarifying how CAs should interpret and comply with newly effective policy requirements)

3.75    Adding MRSP Issues in GitHub (Collecting and managing proposed policy changes using GitHub’s issue tracker for transparency and collaboration)

3.71    Improving the speed and quality of Mozilla's root inclusion process (Exploring ways to streamline reviews and have public discussion while maintaining security and public transparency)

3.71    Updating the Mozilla CA wiki’s list of recommended practices (Reviewing and expanding best-practice examples for CA operations and disclosures)

3.71    Re-prioritization of Mozilla’s root store policy initiatives and general work conducted (Evaluating whether Mozilla's current focus areas still align with ecosystem needs)

3.57    Gather suggestions for improvements to incorporate into MRSP v.3.1 (Soliciting input to shape the next version of the Mozilla Root Store Policy)

3.57    Improving the quality of CAs’ Certification Practice Statements (Identifying common CPS issues and helping CAs meet expectations more effectively)

3.57    Improving CA compliance posture, sophistication, i.e. the CA maturity model (Discussing tools and benchmarks to measure and raise the maturity of CA operations)

3.57    Challenges that CAs face (Gathering CA pain points or systemic barriers to compliance or improvement)

3.57    Promoting and educating subscribers to help them implement automation of certificate lifecycle processes (Identifying ways to support and encourage automation among certificate users)
