<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Clearly we’re not going to agree here but I just wanted to respond to a few points for the record:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m happy to take your facts regarding past ballots at face value and have no reason to disbelieve them. I don’t think I ever said there was a ballot to charter the CSWG. You are correct that there should have been and perhaps it was just an email after a F2F meeting, but I point to several factors that took place prior to the formation of the group and are may be to blame: (1) the forum had recently undergone a Governance reform and (2) a new set of bylaws were introduced and codified and (3) a new chair had been appointed and (4) everyone was just getting familiar with the bylaws. So it is certainly possible that due to this confluence of factors, not every rule was properly followed. I’m not blaming anyone specific, just stating the facts. And we’ve all greatly improved our understanding and compliance with the bylaws since. But my point is that after the formation of the group (in the minutes you pointed out), there were bi-weekly updates at mostly every CABF teleconference given by either myself or Jeremy on the group’s status. Until a few months ago (when we announced we were closing in on a draft work product and you voiced your concern), I don’t recall ever hearing an objection. So about a year went by without any notification of a concern despite bi-weekly updates. Should we sacrifice improved Internet security because of a procedural error?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>- All activity on this will be subject to the Forum's IPR policies<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Yes, per the policy voted in by the members. Isn’t this what the members wanted so no one could “submarine” a patent during the development of a guideline? Please elaborate on your point.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>- Our current bylaws do not provide a definition for other vendors of such products, which do not produce Web Browsers used by the general public, and thus would either need to change or, by very definition, be exclusionary.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We are not asking for anyone that is not a participant in the forum to mandate these BRs. But during our working group, it became apparent that after having discussions with other constituencies, they were very interested in these guidelines and would consider adopting them as part of their own programs. So any of the names I mentioned previously are free to adopt, discard, use pieces of, or do whatever they want with them. If the BRs are adopted by non-members of the forum, is that considered a failure or success?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>- Activity and participation by the public is, as per our bylaws, restricted. Just like the SSL policies affect site operators as much as it affects CAs and Browsers, so to would Code Signing policies affect both Users and Developers, who by our very Bylaws cannot participate in this working group.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Activity and participation by the public is not restricted, in fact it was encouraged. We advertised it on our website, and invited participation from the public list. I’m sure you know have a membership category called “Interested Parties” which applies to Working Groups. For the record I count 20 subscribed companies in the CSWG list, 6 of which were non-members.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>Ballots 87, 90 and 94 have shown there is exceptional resistance towards greater participation, which we view as essential, and the above proposals with respect to Bylaws Amendments equally raise serious concerns about how the SSL Baseline Requirements, which we view as the essential work product of the Forum, are also constructed and decided.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t think everyone shares these “serious concerns” that Google is touting but that’s fine and as always, members are free to express themselves. Members also have the right to agree or disagree.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thank you for raising your concern. I just wish it had been done earlier on while the group was getting going.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The group feels that the BR is a document worthy of consideration of the forum and the ecosystems that could take advantage of them. Given the work that has been done to date, the group feels we should continue forward. If they end up not being adopted, then we’ll have to evaluate the next steps.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<br>Dean<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>CSWG co-chair<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [</span><a href="mailto:sleevi@google.com"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>mailto:sleevi@google.com</span></a><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>] <br><b>Sent:</b> Tuesday, August 26, 2014 6:35 PM<br><b>To:</b> Dean Coclin<br><b>Cc:</b> Jeremy Rowley; </span><a href="mailto:public@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><b>Subject:</b> Re: [cabfpub] Code Signing Baseline Requirements - Public Draft<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Aug 26, 2014 at 3:43 PM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m glad the extensive work of the group over the past year and a half was acknowledged up front. But I’m deeply disappointed in the rest of the contents of this email. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Google has serious reservations endorsing this…”</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The concern is duly noted however the time for expressing such concern was at the time of formation of the working group, not a year later nor at the time of the publication of the draft. For the record, the Code Signing Working Group was chartered by the members of the CA/B Forum and no objection was noted at that time. It is not some rogue working group that was self-formed. In addition, the working group attracted outside participants who worked on the document’s development. These parties were “users” or “relying parties” and were not affiliated with any platform.</span><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Dean,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I don't think it's fair nor accurate to count abstinations as votes of confidence or necessity in the working group.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>For example, please see the recent discussion by TrendMicro, based on discussions with other members during past F2F, which would have preferred to see a myriad number of working groups constructed within the CA/Browser Forum at the discretion of the Chair and Vice Chair - vis-a-vis, <a href="https://cabforum.org/pipermail/public/2014-July/003553.html">https://cabforum.org/pipermail/public/2014-July/003553.html</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Now, either one of two things is true. Either we continue, based on the arguments by a number of Forum members, that formation of a WG does not mean endorse support for the activities, or we take the view you seem to be positing here that members that disagree with the hypothetical final product of a yet-to-be-formed WG object to even exploring the formation of such a WG.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We had hoped that, as our past comments supported, the WG would recognize the unsuitability of the scope of their activities to the Forum's bylaws. However, that has not happened, hence this remark.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><div><p class=MsoNormal>Perhaps you can help refresh my memory, as I'm having a hard time trying to find the Ballot responsible for chartering the Code Signing Working Group.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Here are the historical details I've been able to gather, based on the information available on the CA/Browser Forum's website.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>According to <a href="https://cabforum.org/category/certificates/code-signing/">https://cabforum.org/category/certificates/code-signing/</a> , the Code Signing WG was chartered on/around April 22, 2013.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>However, the ballot archives - in particular, <a href="https://cabforum.org/category/ballots/page/3/">https://cabforum.org/category/ballots/page/3/</a> - which shows the ballots several months before and after this period, do not refer to the formation of a Code Signing WG. Nor does it seem to appear within the Ballots approved in 2013 - <a href="https://cabforum.org/ballots/">https://cabforum.org/ballots/</a> - nor those in 2012.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Indeed, the only reference I can find towards the CA/Browser Forum agreeing towards any creation of a Code Signing Working Group is this summary - <a href="https://cabforum.org/pipermail/public/2013-March/001316.html">https://cabforum.org/pipermail/public/2013-March/001316.html</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>"He noted that at the face-to-face meeting in Mountain View, we had decided to start a code signing authentication working group to try to address some of the issues that have come up with code signing authentication."<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Unfortunately, for the life of me, I cannot find the minutes of that F2F in <a href="https://cabforum.org/category/minutes">https://cabforum.org/category/minutes</a> , which was hosted by Mozilla in February 2013, nor does such voice voting seem to have been consistent with our Bylaws (Adopted November 23, 2012). I hope you can provide publicly available details where we missed the time most opportune to express our concerns, but as you can see below, this is certainly not a new set of concerns.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Google’s announcement of a “no” vote prior to a review and comment period does nothing to enhance Internet security, a primary goal of this document. In fact, I would characterize this declaration as self-serving because the results of the working group may not apply directly to Google’s own platform. Google seems to be more concerned with how and where this document is created rather than improving Internet security. Trying to form yet another group just to focus on code signing would be cumbersome and most likely wouldn’t result in a different document. The public comment period affords others that could not participate the opportunity to provide additional viewpoints, comments, and criticisms which we welcome. If Google doesn’t want to participate for philosophical reasons, the declaration should be to “Abstain”, not to say “No”. A “no” vote indicates disagreement with the document, which I believe Google doesn’t want to bother reviewing. That's perfectly fine and it is recognized that not every member is concerned with or votes on every particular issue. But the appropriate vote (when the time comes) is to abstain.</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Respectfully, you're well aware that accepting this document as an activity of the Forum implies a number of things:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- All activity on this will be subject to the Forum's IPR policies<o:p></o:p></p></div><div><p class=MsoNormal>- Our current bylaws do not provide a definition for other vendors of such products, which do not produce Web Browsers used by the general public, and thus would either need to change or, by very definition, be exclusionary.<o:p></o:p></p></div><div><p class=MsoNormal>- Activity and participation by the public is, as per our bylaws, restricted. Just like the SSL policies affect site operators as much as it affects CAs and Browsers, so to would Code Signing policies affect both Users and Developers, who by our very Bylaws cannot participate in this working group.<o:p></o:p></p></div><div><p class=MsoNormal>- That our very nature of voting would need to be restructured.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>This was discussed extensively six months ago, during our Mountain View F2F, and we expressed similar concerns then as well as now.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As you may not recall, given the expressions of surprise by CAs at our hour and a half discussion of SHA-1 in that same F2F, this was discussed at <a href="https://cabforum.org/2014/02/19/2014-02-19-minutes-of-mountain-view-f2f/#Bylaws-Revisions">https://cabforum.org/2014/02/19/2014-02-19-minutes-of-mountain-view-f2f/#Bylaws-Revisions</a><o:p></o:p></p></div><div><p class=MsoNormal>It has also been discussed at <a href="https://cabforum.org/2013/10/24/2013-10-24-minutes/">https://cabforum.org/2013/10/24/2013-10-24-minutes/</a><o:p></o:p></p></div><div><p class=MsoNormal>It has also been discussed at <a href="https://cabforum.org/pipermail/public/2013-October/002248.html">https://cabforum.org/pipermail/public/2013-October/002248.html</a><o:p></o:p></p></div><div><p class=MsoNormal>We have previously expressed this concern during Ballot 117, for which we recorded a "Nay" vote.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>this is largely constrained to Microsoft's requirements. For a document that strives to benefit "large operating system vendors that utilize code signing certificates," it only affects one in practice, and that's seriously concerning.”</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’d like to correct this misconception. Microsoft is not the only large operating system software vendor. Oracle’s Java platform could be another beneficiary and this document is being sent to Oracle for review and comment. In addition, Adobe operates several platforms that require signing and they will directly receive the draft. Then there are smaller ecosystems like Intel which could adopt all or parts of this. It is anticipated that these and other groups will provide input so the draft can be enhanced.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>this model is not the model of most modern code signing systems, including Apple's iOS and OS X platforms, Mozilla's Firefox extensions mechanisms, or Google's Android and Chrome platforms.”</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t think you meant it but let’s be clear: “modern” does not equal secure, especially when Android is mentioned in this context. Every code signing model can stand improvements and although this document may not be directly useful to so called “modern” code signing systems, concepts developed by the working group when it comes to things like authentication, private key protection or revocation can be applied to these environments.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It is well known that most CAs issue SSL and code signing certificates as part of their business model. The fact that the parties of the CA/Browser forum can agree on a Code Signing Baseline Requirements document says that the forum has come a long way in working together to promote a secure code signing ecosystem.</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The Forum was able to agree on a notion of EV Code Signing in the past. However, only one vendor has deployed this, and worse, other CAs that participated in the drafting and development of this document have no means for inclusion within the programs using these policies (e.g. excluding Symantec and DigiCert), and have likewise expressed concern.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Though I hesitate towards the term "secure code signing ecosystem", I welcome Microsoft's attempts to improve their Authenticode system, with the feedback of CAs, and am encouraged that CAs believe this may be of use to other systems. However, as stated above, and has been stated repeatedly in the past, we do not believe the CA/Browser Forum is an effective Forum for that.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Ballots 87, 90 and 94 have shown there is exceptional resistance towards greater participation, which we view as essential, and the above proposals with respect to Bylaws Amendments equally raise serious concerns about how the SSL Baseline Requirements, which we view as the essential work product of the Forum, are also constructed and decided.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I'm sure it represents a significant amount of time, effort and discussion to come to this current state.”</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You can say that again, and I’m sorry if I sound a bit exasperated in this email. But that’s what happens when a group of 20 companies spends a significant amount of time and effort toward a goal which we believed to be a common one.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I guess I should be glad that Google has stated its intent up front so we know what to expect after the review and not be hit with surprises later. But for the sake of the security of the ecosystem and the health of the general Internet which we have been working to improve over the past year and a half, I would urge a vote other than no.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<br>Dean Coclin</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>CSWG co-chair</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We've stated as much, repeatedly, in the past, so I'm sorry that you feel surprised.<o:p></o:p></p></div></div></div></div></div></body></html>