<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Here is another draft for review and discussion.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Wednesday, October 16, 2013 12:27 PM<br><b>To:</b> ben@digicert.com<br><b>Cc:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] Discussion Draft for Revisions to Bylaws<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Oct 16, 2013 at 11:12 AM, Ben Wilson <<a href="mailto:ben@digicert.com" target="_blank">ben@digicert.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What about this?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-family:"Arial","sans-serif"'>(3) <u>Browser/OS Producer</u>: The member organization is a major global provider of certificate-using software that depends upon certificates issued by multiple public CAs to support the secure use of its product by the general public. Examples of certificate-using software includes web browsers, cryptolibraries, root stores, operating systems, computing platforms, software distribution systems, and products for digital document signing and publication. [Expressly eligible for membership under this category are: Apple, Microsoft, Oracle, Google, Mozilla Foundation, Opera, Adobe, …]</span><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Note that the previous definition focused on the SSL/TLS ecosystem. That we have a Code Signing WG under these definitions is a bit... weird.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>This new definition, particularly with the inclusion of digital document signing/publication, seems to be a much broader scope for the CA/Browser Forum.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm not necessarily saying that's an intrinsically bad thing, but this goes back to a lot of the discussions about the charter of the group and the openness & transparency discussions. There were a number of parties that tried to argue for a narrow scope of membership, on the basis that the relationship was between the CAs & Browsers, primarily.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm not sure, for example, what impact document signing would have on browser vendors interested in SSL/TLS, but I'd be concerned if we were unable to improve the SSL/TLS ecosystem because of vendors who were not interested/opposed because of their other purposes.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I just want to make sure we're fully considering the implications of the proposal here. I appreciate the effort for wording, but given that it can massively open the scope, particularly with regards to voting and agreeing on things like Baseline Requirements (for SSL/TLS), I want to make sure we're organizationally prepared. I don't believe we're at that point yet.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Tuesday, October 15, 2013 5:46 PM<br><b>To:</b> <a href="mailto:ben@digicert.com" target="_blank">ben@digicert.com</a><br><b>Cc:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] Discussion Draft for Revisions to Bylaws</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>As expressed previously, I do have concerns about the definition of browser.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>For example, if I write a popular mobile application for Android and iOS that is downloaded by 10 million users, and which uses SSL/TLS to update an online leaderboard, it would appear that under the current definition of browser, I would qualify (and, presumably, as a voting-eligible member).<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I realize that this is, perhaps, a challenging definition. For instance, we have organizations like Opera who have long participated and helped steer towards a more secure Internet, but which are in the process of transitioning away from operating a Root Store directly. Likewise, Google's participation has largely been made up of members from the Google Chrome team, even though the primary Root Programs are through Android and ChromeOS (as noted in the past, Chrome on Windows / Mac / Linux attempts to defer to a notion of a 'system' trust store). And on the other end, we have organizations like Oracle, for which operate a Root Program (for Java), which indirectly may be used towards the construction of either a Web Browser or any other number of applications.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>However, I think it's best we balance the desire to be inclusive with the recognition of where the primary strength of this group lies in - the development of baseline policies that can reduce both the complexity of compliance to AND (hopefully) avoid any contradictory guidance between Browser Root Programs.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>My fear is that an overly broad definition will destablize some of these efforts, bringing the industry back to a place it was 5 - 10 years ago - where each Root Program has an independent set of guidelines with limited commonality, and even weaker auditing frameworks.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Just food for thought, as I don't yet have particular language to propose to enhance this, but am left with a general unease at the current wording.<o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Tue, Oct 15, 2013 at 4:23 PM, Ben Wilson <<a href="mailto:ben@digicert.com" target="_blank">ben@digicert.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Here is a discussion draft for changes to the bylaws. You’ll notice I haven’t edited any of the provisions related to Interested Parties because there are a few things to iron out there and maybe somebody else has some good suggestions. I’ll post the Word version on the wiki in case anyone needs it.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Ben<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>