[cabfpub] Research references for CAs

Ryan Sleevi sleevi at google.com
Mon Jun 18 09:35:26 MST 2018

On Mon, Jun 18, 2018 at 11:59 AM, Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> Unfortunately, exclusively focusing on research by Googlers introduces a
> huge selection bias into this list, making it completely useless as a
> research overview.  A lot of really good research in this area happens at
> CMU, for example.

Hi Tim, I agree, there's a lot of valuable research going on in this space.
As noted in the e-mail, however, this was specifically calling out some of
the research by Googlers to explain how our decision making has been
informed. I apologize if it seemed like this was somehow interpreted as
presenting the definitive source of truth - but I'm also not sure how your
reply is at odds with what was written.

For example, this research that helps explore specific questions that
Google and the Chrome team have explored also heavily cites a large body of
related work, and thus remains an extremely valuable reference for those
wanting to understand the space.

Would you be able to share any of the peer-reviewed papers and
presentations that you think are also relevant?

> We should all remember that at the same meeting, two Googlers explicitly
> stated based on no evidence at all that they were confident that there was
> a difference between 90 day certificates and two year certificates for
> phishing sites, despite the fact that the typical lifetime of a phishing
> certificate is best measured in hours.  Starting with the conclusion you
> want, and then working backwards to find the arguments and data that
> matches them is the wrong way to think about hard problems.

I'm sorry, I'm really not at all familiar with what you're referencing, and
this isn't in the minutes yet. This certainly seems like it's a
misunderstanding of what was stated, so I'd be happy to help you understand
what was actually said. This is especially important, because it's hard to
tell if your confusion about what was stated is causing active
misrepresentation, and thus we'd love to help you better understand what
was actually stated. I'm hopeful it wasn't your intent, but the way you
phrased it, it sounds like you believe this research also started from
conclusions and worked backwards - but I hope you can see from the peer
review and the papers themselves, this is not a view that is justified or

> An excellent paper that I happened to read on the plane to London is
> “Instrumenting Simple Risk Communication for Safer Browsing”, by Camp et al
> from the recent security & human behavior workshop at CMU:
> https://www.heinz.cmu.edu/~acquisti/SHB2018/participants.htm
> http://ljean.com/files/Toolbar_Extension.pdf
> I highly recommend the paper, it’s very relevant and up to date.  I wish I
> had time to do a proper survey of all the existing research; I’m sure
> there’s lots of other good stuff out there.

Thanks for sharing. As I mentioned, this wasn't presented or intended to be
a comprehensive literature survey. As explicitly called out, it was some of
the research that has informed decisions - along with heavy citations for
further relevant reading. Building up a comprehensive survey is no doubt
complex, in part because of the confusion between research conducted with
scientific rigor and peer review, and market research conducted upon one's
customer base.
