<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \, serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Responding to both Moudrick and Eddy:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">I think Moudrick is indicating that the Trend Micro governance proposal will work well for an organization with a smaller number of active members (like today – we only had 17 members participate on the first
round of governance voting), but that it wouldn’t work as well if the membership grew to 50 or 100 active members – a “critical point” – then we might need a more formal structure, a Board with executive powers, membership fees, etc.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">I agree with Moudrick’s observation. Trend Micro would not object if later in the final written governance rules we commit ourselves to a new discussion of governance structure when the Forum active membership
reaches a “critical point” target number (such as 50, or whatever number the members want to choose). At that time Trend Micro itself would probably support change to a more formal and structured body.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Kirk<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Eddy Nigg (StartCom Ltd.)<br>
<b>Sent:</b> Tuesday, September 18, 2012 4:09 PM<br>
<b>To:</b> CABFPub (public@cabforum.org)<br>
<b>Subject:</b> Re: [cabfpub] T-Systems comments regarding Trend Micro governance proposal<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><br>
On 09/19/2012 02:05 AM, From Moudrick M. Dadashov: <o:p></o:p></p>
<p class="MsoNormal">Hi Kirk,<br>
<br>
I think the proposed model should work quite well the way it did so far but as (if) the number of members reaches some critical point the Forum will need some reform again.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Can you explain why you think that there is a some "critical point" and why it should matter?<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Regards <span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Signer: <span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Eddy Nigg, COO/CTO<span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://www.startcom.org">StartCom Ltd.</a><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">XMPP: <span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Blog: <span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://blog.startcom.org">Join the Revolution!</a><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Twitter: <span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://twitter.com/eddy_nigg">Follow Me</a><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Moudrick M. Dadashov [mailto:md@ssc.lt]
<br>
<b>Sent:</b> Tuesday, September 18, 2012 4:05 PM<br>
<b>To:</b> Kirk Hall (RD-US)<br>
<b>Cc:</b> CABFPub (public@cabforum.org)<br>
<b>Subject:</b> Re: [cabfpub] T-Systems comments regarding Trend Micro governance proposal<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi Kirk,<br>
<br>
I think the proposed model should work quite well the way it did so far but as (if) the number of members reaches some critical point the Forum will need some reform again.<br>
<br>
Would it be acceptable for your proposal to include some provision for the next governance model "update", if, e.g. the Forum membership gets closer to some critical figure (50, 100 etc..)?<br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 9/18/2012 10:41 PM, <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Dear Karsten and Iņigo:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Thanks for forwarding the excellent comments from Christoph Schmitz.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Here are Trend Micro’s responses on those comments directed at the Trend Micro governance proposal (answers inline below):</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><b><span style="font-family:"Times New Roman , serif","serif"">COMMENT - Incorporated entity vs. participation agreement</span></b><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Times New Roman , serif","serif"">Whereas DigiCert proposes to found a legal entity (Delaware Law), TrendMicro wants to work together on a contractual basis (Participation/Consortia
Agreement). From a legal perspective the foundation of a legal entity is preferable as a legal entity restricts the personal liability of the members.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Times New Roman , serif","serif""> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Times New Roman , serif","serif"">The bylaws of a legal entity may be changed by a majority/two third majority at a member meeting whereas for a change of the participation
agreement all participants have to agree and sign a change agreement/adoption agreement. If a legal entity is incorporated as a "non-profit" organisation, the tax status is clarified.</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-family:"Arial","sans-serif"">[Trend Micro response]:</span></b><span style="font-family:"Arial","sans-serif""> We recognize that creation of a separate CA/Browser Forum legal entity (e.g., non-profit corporation) could,
in theory, limit the personal liability of Forum members as a matter of law. However, we believe this potential benefit is almost non-existent in this case given the very limited activities the Forum is engaged in – chiefly group telephone calls and occasional
meetings that are actually sponsored by individual member companies. The Forum has no employees, no budget, no commercial activities, no tax liabilities, and so it is hard to see how the Forum itself could face any classic tort, contract, or tax liability
to anyone. For this reason, we believe a corporate entity would not provide any particular benefit from these types of liability.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">What kind of legal liabilities could arise from Forum activities or membership? The chief potential liability that comes to mind could be liability for antitrust/unlawful trade restraints
from the Forum standards. However, under the law Forum members would likely have personal liability anyway for antitrust/unlawful trade restraints in any mandatory standards passed by Forum members, and the mere fact of incorporation of the Forum would not
be a shield or offer any protection to Forum members for such potential liability (as Forum members would be the “actors” who approved the unlawful standards or activities).
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">There is one other point to consider – if the CA/Browser Forum is incorporated, it would be very easy for a disgruntled person or entity to sue the “Forum” simply by serving a summons and complaint
on the registered agent for the Forum in whatever state the Forum is incorporated. At that point, the Forum would either have to respond in court (file an Answer, incur court costs and legal charges), or not respond and be subject to a default judgment.
In other words, someone could force an incorporated Forum to respond to a single lawsuit against a single defendant (the Forum itself), which could make the Forum a “target” for potential litigation by anyone seeking to pull in CAs and browsers to a court
action. The same is true for any government regulatory actions (US or otherwise) – if the Forum is a legal entity, a government agency can effectively pull in all members simply by starting an administrative action against the Forum itself.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">In contrast, if the Forum is unincorporated it can’t effectively be sued as the “Forum” in a lawsuit or be pulled into a government administrative action. Instead, the legal plaintiff (or
the government agency) would need to sue – serve legal papers on – all the Forum members individually in order to obtain jurisdiction. I question whether it would be possible to gain proper jurisdiction in the United States over many non-US CAs, which could
create some limited protection against lawsuits and administrative actions in the US for non-US Forum members. It is our belief that many potential plaintiffs and government agencies will be deterred from starting legal action against the “Forum” if they
are required to serve legal papers separately on each and every Forum member.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">We have had experience with unincorporated industry groups in the past, and the lack of incorporation has not been a problem. Under the balance of the Trend Micro governance proposal, there
is no real need for incorporation because the Forum will not maintain a bank balance, will not hire employees, will not enter contracts with third party vendors, etc.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Finally – the bylaws question. The Forum does not presently have a document called “Bylaws” where all governance rules can be found, but Trend Micro has proposed that we pull together all
existing and new governance rules into a single set of “Bylaws” and publish them in a public place. The voting rules for approving an initial set of Bylaws (as well as for approval of all future changes to the Bylaws) would be the same rules as the Forum
currently has for approval of all other matters (new standards, etc.), so there would be no change there.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><b><span style="font-family:"Times New Roman , serif","serif"">COMMENT - Legal Comments to TrendMicro</span></b><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Times New Roman , serif","serif"">In general the TrendMicro proposal is a possible way forward, but the foundation of a legal entity would be favourable (see above).
Currently it is unclear, how the Forum will be internally organized (eg. who is taking notes, who is archiving proposals, organising voting's etc.). According to the TM proposal, only "active members" are allowed to vote. The term "active member" is not defined
and could therefore lead to a discrimination of members and lengthy discussion about the validity of a vote.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-family:"Arial","sans-serif"">[Trend Micro response]:</span></b><span style="font-family:"Arial","sans-serif""> Our general comments on the pros and cons of creating the Forum as a legal entity are covered by the response
above. Trend Micro is not adamantly opposed to creating a legal entity, we simply think it is not necessary and does not add value (plus it adds potential detriments). We would also have to select a jurisdiction of incorporation if we incorporate, pay filing
fees and for a registered agent, elect corporate officers, etc., which is additional time and expense. And Forum members would have to consider if they are legally permitted to be members of a US non-profit corporation, for example, if the Forum is organized
as a US corporation – would that mean the non-US member is legally “present” in the US and increase the likelihood that a plaintiff in a lawsuit could establish legal jurisdiction over the non-US member because of Forum membership?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">The term “active member” was defined long ago by Ballot 5 (January 2008), and involves keeping track of the actual participation of nominal Forum members. Here is how Ballot 5 defines “active
members”:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN" style="font-family:"Arial","sans-serif"">“A ballot result will be considered valid only when more than half of the number of currently active members has participated.
<u>The number of currently active members is the average number of member organizations that have participated in the previous three meetings (both teleconferences and face-to-face meetings</u>).”</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">There is even an online calculator at the Forum wiki to keep track of which members (and how many) are “active members” at any given time – see the Attendance and Quorum Calculator.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">If a Forum member does not participate for three successive meetings (phone or face to face), it remains a member (and can vote) but is no longer considered an “active members” for quorum purposes
until it has participated in three successive meetings. A quorum for voting purposes today requires only 6 members to vote on a matter (and not all must agree for the matter to pass – for example, a vote of 4-2 in favor is sufficient to pass a new mandatory
standard today), which Trend Micro thinks is too low and should be examined.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">The Trend Micro governance proposal does not change this existing rule considering who is an “active member” but simply incorporates it by reference – but we would be favorable to proposals
for change in the future after the governance structure is decided, as this existing “active members” rule may be too narrow. All these rules should be incorporated in a new, single set of public Bylaws that everyone can find.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">We would also be favorable to adding provisions to the new Bylaws defining a process by which meeting notes will be taken, documents will be archived and made available to members and the public,
etc. </span><o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="background:white;padding:.75pt .75pt .75pt .75pt">
<pre>TREND MICRO EMAIL NOTICE<o:p></o:p></pre>
<pre>The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.<o:p></o:p></pre>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre>TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.</pre></font></td></tr></table>