<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 18. jan. 2014 03:40, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvbUYBVaUGaxoj5QoRAYu7ORgy_mmifNk8gjrOG1DSCq2A@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jan 17, 2014 at 6:26 PM, Ben
Wilson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ben@digicert.com" target="_blank">ben@digicert.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ryan,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">See
my responses inline below.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ben</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>
[mailto:<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Friday, January 17, 2014 5:37 PM<br>
<b>To:</b> Ben Wilson<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Ballot 110 - Motion
to Adopt Version 1.1 of the Bylaws</span></p>
<p class="MsoNormal">
</p>
<div>
<div class="im">
<p class="MsoNormal">While I realize it's not at
ballot review period, a few thoughts, given the
time constraints being operated in:</p>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<div class="im">
<p class="MsoNormal">1) I'd prefer to not change
the "Purpose of the Forum" (Section 1.1) at
this time.</p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">BTW:
That’s fine. I just didn’t like the current
wording because it was written as if we’d just
finished version 1.0 of the EV Guidelines.</span></p>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Yup. I'd love to see this iteratively refined, I just
wouldn't want to hold up the IG aspects.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<div>
<p class="MsoNormal">
</p>
</div>
<div>
<div class="im">
<p class="MsoNormal">2) Section 2.1
("authenticate digitally signed code") is
still a much greater increase of scope of the
work of the members. I'd prefer if we could
leave that for broader discussion. While I'm
aware of the "Code Signing WG" discussions,
this change in definitions has the effective
quality of allowing/encouraging vendors with
no/limited stake in the SSL/TLS ecosystem to
vote on changes to the BRs / EVGs, and vice
versa. I'm sure you can recognize at it's
face, that has some degree of undesirability,
and effectively changes the "CA/Browser Forum"
to the "CA/ISV Forum"</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">BTW:
I disagree that we’re calling it the “ISV”
forum under the proposed language, but in any
event I’m fine with reverting the title to
“Browser Member”. I also thought that the
wording was sufficient to limit potential
browser concerns, but here is a start on
revised language that could make it a little
more clear in its restrictions:</span></p>
</div>
</div>
</div>
</div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-family:"Arial","sans-serif"" lang="EN">(3)
<u>Browser Member</u>: The member
organization:</span></p>
<p class="MsoNormal"
style="margin-left:.5in;text-indent:.5in"><span
style="font-family:"Arial","sans-serif"" lang="EN">(A)
manages a root store AND </span></p>
<p class="MsoNormal"
style="margin-left:.5in;text-indent:.5in">
<span
style="font-family:"Arial","sans-serif""
lang="EN">(B) is a major global provider of a
hardware or software product that is: </span></p>
<p class="MsoNormal"
style="margin-left:1.0in;text-indent:.5in">
<span
style="font-family:"Arial","sans-serif""
lang="EN">(i) used by the general public as a
browser or computing platform, </span></p>
<p class="MsoNormal"
style="margin-left:1.0in;text-indent:.5in">
<span
style="font-family:"Arial","sans-serif""
lang="EN">(ii) used to browse the Web securely
or authenticate digitally signed code, AND </span></p>
<p class="MsoNormal"
style="margin-left:1.0in;text-indent:.5in">
<span
style="font-family:"Arial","sans-serif""
lang="EN">(iii) able to verify the digital
signatures on certificates used with the
product (i.e. by processing the chain to a
root certificate managed within the member’s
root store). </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"
lang="EN"> </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">However,
if browser members still have strong
opposition to the proposed wording, or this
alternative above, I’d rather delete it from
the proposal now than have the ballot fail,
but I would hope you could see the importance
of it to CAs who must deal with public key
stores.</span></p>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>I'd love to deal with this in a separate ballot, since
it doesn't really tie to the Invited Guests discussion. I
certainly can understand how it was originally part of a
general clean-up, whereas now we're at a point of just
trying to get a bylaws revision in place before the next
F2F.</div>
</div>
</div>
</div>
</blockquote>
I would also like to have this definition in a separate ballot.
Opera (from 15+), like Google's Chrome, uses the rootstore on the OS
and we do not explicitly decide which certificates are present in
the rootstore. We do, however, take many decisions on top of the
rootstores that are relevant to cabforum, like blacklisting, how
certificates are verified and how they are presented to the user.<br>
<br>
<blockquote
cite="mid:CACvaWvbUYBVaUGaxoj5QoRAYu7ORgy_mmifNk8gjrOG1DSCq2A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div class="im">
<p class="MsoNormal">3) Why the removal of the
transparency requirements in Section 5.2 for
WGs? This is not at all desirable - although
the modifications to Section 5.2(c) are.</p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">BTW:
The current language requires that EVERYTHING
(even things that are not currently being
done, like the creation of agendas and minutes
for working groups) be posted to the public
list – for some people, the amount of email
traffic on the public list is already bad.
Read Section 5.2(e) where “important” working
group updates are addressed. Otherwise, as
the responsible executive interpreting the
bylaws I will have to start telling everyone
that they must prepare agendas and minutes and
that all emails and every single interim
draft, agenda and all minutes will now need to
be posted to the public list, and then we’ll
just eliminate the WG lists. </span></p>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>I for one would welcome the enhanced transparency, and
see it as a feature, even as I'm already deluged in
e-mail.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
</span></p>
</div>
<div class="im">
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">4) Why are Invited Guests
at the sole discretion of Chair/Vice-Chair,
whereas Interested Parties go through Forum/WG
consent? If anything, Invited Guests represent
the greatest "threat" to members, in that
they've not executed any IPR Agreement for any
of the discussions they are present in.</p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">BTW:
If someone represents such a threat, we just
won’t invite them—problem solved. However, we
will likely run into situations where we value
the input of someone, or we want their
individual expertise, and for one reason or
another they cannot sign the agreement in time
(because of employment situation, legal advice,
or whatever), then we will have to “pass” on
having that person attend, and then maybe we’ll
miss out on valuable information. If we invite
[fill-in-the-blank] as our “invited guest”, I
want to have sufficient discretion on whether to
require them to sign the IPR Agreement. I would
hope that attendees would we able to identify
when an invited guest is trying to submarine us
with some great idea (albeit contained in an
undisclosed patent), and hopefully the Chair or
Vice Chair, who we elect as our trusted
representative will be smart enough to exercise
his or her discretion appropriately. If we do
change this, then we’ll need something
appropriate to take its place—I’m fine if
someone comes up with a simplified voting
process that can also accommodate last-minute
guest speaker replacements, etc.</span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks
again for your comments.</span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">
<span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Cheers,</span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ben
</span></p>
</div>
</div>
</div>
</blockquote>
<div>When I used such a loaded term as "threat", I do not
ascribe malicious intent. I simply mean that, for the
members, every one of these IGs - and their contributions
- does represent a threat to anything produced by a
Standards Defining Organization or (as in the CA/B Forum's
case) "similar" organizations. That is the unfortunate
situation that we find ourselves in with respect to IPR.<br>
</div>
<div> </div>
<div>I would definitely feel more comfortable seeing us put
the same rigor as applied to members / associates, and
simply present it to the Forum, especially when
attendance-without-IPR-agreement is an entirely dangerous
can of worms, no matter how well-intentioned or
well-meaning the IG is. The further nuance is that an IG
is, presumably, a natural person, whereas the IPR
agreement is with legal persons - typically, corporations.
The distinction is that no matter how good the IG is, they
may be employed by an organization that does not share the
same values, and thus that presents a 'risk'.</div>
<div><br>
</div>
<div>Anyways, I think these are the foundations of a series
of good changes, I just think they will trigger a variable
level of engagement, and for expediency, it might be best
to just ballot the minimal set of changes for the F2F, and
perhaps simultaneously ballot "the rest" for further
discussion. Just $.02 from dealing with code and "minimal
patches" / "one commit, one bug".</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<div>
<div class="im">
<p class="MsoNormal" style="margin-bottom:12.0pt">
<span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
</span></p>
<div>
<p class="MsoNormal">On Fri, Jan 17, 2014 at
3:49 PM, Ben Wilson <<a
moz-do-not-send="true"
href="mailto:ben@digicert.com"
target="_blank">ben@digicert.com</a>>
wrote:</p>
<div>
<div>
<p class="MsoNormal">I am seeking two
endorsers.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">On 17 January 2014, Ben
Wilson of DigiCert made the following
motion, endorsed by _____ of _______ and
______ of __________:</p>
<p>–Motion Begins– </p>
<p>Be it resolved that the CA / Browser
Forum adopts the attached “CA-Browser
Forum Bylaws v. 1.1- Draft for Ballot 110”
as its Bylaws, effective as of 4 February
2014. </p>
<p>–Motion Ends– </p>
<p class="MsoNormal">The review period for
this ballot shall commence at 2100 UTC on
20 January 2014 and will close at 2100 UTC
on 27 January 2014. Unless the motion is
withdrawn during the review period, the
voting period will start immediately
thereafter and will close at 2100 UTC on 3
February 2014. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Votes must be cast by
posting an on-list reply to this thread. A
vote in favor of the ballot must indicate
a clear ‘yes’ in the response. A vote
against the ballot must indicate a clear
‘no’ in the response. A vote to abstain
must indicate a clear ‘abstain’ in the
response. Unclear responses will not be
counted. The latest vote received from any
representative of a voting member before
the close of the voting period will be
counted. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Voting members are
listed here: <a moz-do-not-send="true"
href="https://cabforum.org/members/"
target="_blank">https://cabforum.org/members/</a>.
In order for the motion to be adopted, two
thirds or more of the votes cast by
members in the CA category and more than
one half of the votes cast by members in
the browser category must be in favor.
Quorum is currently six (6) members– at
least six members must participate in the
ballot, either by voting in favor, voting
against, or by abstaining for the vote to
be valid. </p>
<p class="MsoNormal"> </p>
<p> </p>
<p> </p>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a moz-do-not-send="true"
href="mailto:Public@cabforum.org"
target="_blank">Public@cabforum.org</a><br>
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank">https://cabforum.org/mailman/listinfo/public</a></p>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>