<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 26, 2018 at 10:24 AM, Gervase Markham <span dir="ltr"><<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Ryan,<br>
<span class="gmail-"><br>
On 23/01/18 02:03, Ryan Sleevi via Public wrote:<br>
> As a possible item, or a consideration in advance, could you make sure<br>
> the document status<br>
> on <a href="https://cabforum.org/baseline-requirements-documents/" rel="noreferrer" target="_blank">https://cabforum.org/<wbr>baseline-requirements-<wbr>documents/</a> is up to date?<br>
> Your current status appears up to date, but our webpage seems a bit behind.<br>
><br>
> Similarly, <a href="https://cabforum.org/bylaws/" rel="noreferrer" target="_blank">https://cabforum.<wbr>org/bylaws/</a> is not updated with the result<br>
> of Ballot 216 - I believe we should have a Version 1.8 of the Bylaws,<br>
> based on that?<br>
<br>
</span>I've just been through and updated the dates, version numbers and ballot<br>
texts on:<br>
<a href="https://www.cabforum.org/wiki/Ballots" rel="noreferrer" target="_blank">https://www.cabforum.org/wiki/<wbr>Ballots</a><br>
back to the start of 2016 (for dates and numbers) or 2017 (for texts).<br>
<br>
As far as I can see, all completed ballots are published except two -<br>
216, as you note, which completed on 21st Dec, and 217. 217 may not have<br>
been done due to a misunderstanding/typo - the original review notice<br>
gave the end of the review period as 20th Jan, but Kirk's summary below<br>
the agenda gives 29th of Jan, so he may have thought it wasn't time yet. </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Do you know of any other passed ballots for which a corresponding<br>
version of the BRs, EV, NetSec or Bylaws has not been published?<br>
<br>
I agree it would be good to add the results of 216 to the Bylaws ASAP;<br>
we have started using the new process, and it's not ideal if the process<br>
is not actually in our formal published process document :-)<br>
</blockquote></div><br></div><div class="gmail_extra">Hi Gerv,</div><div class="gmail_extra"><br></div><div class="gmail_extra">I'm afraid it's not as rosy a picture as you present, and Kirk's failure to follow the Bylaws with respect to the duties of the Chair has put us in a precarious position again with respect to our IPR policy.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Let's start with the Bylaws. I would cite you the current version of the Bylaws, except they have not been published or made available to members yet. The website lists Version 1.7 [1], but we've adopted a ballot since then - Ballot 216 [2] - for which no copy of the Bylaws has been made that integrates the results. However, since 217 doesn't change the relevant sections, let's visit the bylaws. There are two sections relevant to the discussion that follows, worth noting now:</div><div class="gmail_extra"><br></div><div class="gmail_extra">The Bylaws, Section 2.4(e), states (in full):</div><div class="gmail_extra">"If a Draft Guideline Ballot passes the Initial Vote, the Chair shall initiate, no later than the
3rd business day after the announcement of the Initial Vote results, the Review Period of 30 or
60 days, as applicable and as described in Section 4.1 of the IPR Policy. The Chair will initiate
the Review Period by sending the Review Notice to both the Member Mail List and the Public Mail List. The Review Notice will clearly specify the open and close dates and times (with time
zone) of the Review Period. If the Chair does not initiate the Review Period within 5 business
days after the announcement of the Initial Vote results, the Vice Chair may initiate the Review
Period, using the same process as the Chair would have been required to use."</div><div class="gmail_extra"><br></div><div class="gmail_extra">Referencing the IPR policy, Version 1.2 of the IPR policy [3], Section 4.1, states (in part):</div><div class="gmail_extra">"
The CAB Forum Chair shall initiate the
Review Period by distributing to each CAB Forum Participant a notice of review period and a
complete draft of the Draft Guideline that is the subject of such notice (“Review Notice”). Each
Participant on behalf of itself and its Affiliates shall have sixty (60) days following the date of
the receipt of such Review Notice (“Review Period”) to review such Draft Guideline and
consider any licensing obligations with respect to any Essential Claims that may be encompassed
by such Draft Guideline. The approval of a CAB Forum Final Maintenance Guideline shall
follow the same process except that the Review Period shall be thirty (30) days."</div><div class="gmail_extra"><br></div><div class="gmail_extra">Note that there is an obligation of the Chair to provide a "complete draft of the Draft Guidelines that is the subject of such notice... " and that "... The approval of a CAB Forum Final Maintenance Guideline shall follow the same process ... ". The Chair has an obligation to make the full text available to members as part of the Review Notices, and that the text made available is the complete draft - not, for example, the Ballot.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Further on, the Bylaws, Section 2.4(h), states (in full):</div><div class="gmail_extra"><br></div><div class="gmail_extra">"If no Exclusion Notices are filed during the Review Period with respect to a Draft Guideline
Ballot, then the results of the Initial Vote are automatically deemed to be final and approved,
and Draft Guidelines then become either Final Guidelines or Final Maintenance Guidelines, as
designated in the Draft Guidelines Ballot. The Chair will notify both the Member Mail List and
the Public Mail List of the final approval within 3 business days, as well as update the Public
Website of Final Guidelines and Final Maintenance Guidelines within 10 business days of the
close of the Review Period. "<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">It's very important to note here - until the Chair has performed their duty, the Balloted documents are Draft Guidelines - and are not Final Guidelines or Final Maintenance Guidelines.</div><div class="gmail_extra"><br></div><div class="gmail_extra">The failure of the Forum to make its Bylaws available - even to its Members - creates a significant challenge in seeing both the legitimacy of its actions and the legitimacy of the Chair. It's deeply troubling that these have not been updated.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Let us now look to the Baseline Requirements [4]. As of time of this e-mail, the Website lists the "Current Version" as BR 1.5.1, adopted in Ballot 197. It lists versions 1.5.2 [5], 1.5.3 [6], and 1.5.4 [7] as pending IPR review, the results of Ballots 190 [8], 214 [9], and 215 [10] respectively. As you note, no copy has been available that integrates the results of Ballot 217. [11]. Further, you can see that the "Notice of Review Period" for Ballots 190 [12], 214 [13], 215 [14], and 217 [15] fail to meet the requirements of the Bylaws Section 2.4(e) or the IPR Policy, Section 4.1.</div><div class="gmail_extra"><br></div><div class="gmail_extra">With respect to Ballot 217, the Chair has failed to perform their duties under the Bylaws, Section 2.4(h), which is to notify the Member Mail List and the Public Mail List as to whether or not any Exclusion Notices were filed (within 3 business days), in addition to the long-standing failure to update the Public Website of the Final Guidelines and Final Maintenance Guidelines within 10 business days of the close of the Review Period.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">The same problems are similarly exhibited by the EV Guidelines [16]. The current version listed is 1.6.6, adopted from Ballot 192. Listed as pending IPR Review is 1.6.7 [17], the result of Ballot 207 [18]. The notice of Review Period [19] similarly shows a non-adherance to the Bylaws and IPR Policy, and having completed on November 23, 2017, the Chair has failed their duties under the Bylaws, Section 2.4(h) to provide notice within 3 business days as to the result of the Exclusion Notices, and within 10 days to ensure that the Public Website is updated with these Final Maintenance Guidelines.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">While the failure of the Chair to follow the Bylaws is problematic, it is further problematic when considering Section 2.2 of the Baseline Requirements. Using version 1.5.1 [20] as the basis, given that it's stated as the "Current Version", CAs must "represent that [they] will adhere to the latest published version." Given that, per the Bylaws, version 1.5.2 and subsequent are still Draft Guidelines, and not Final Maintenance Guidelines, this creates a way for which CAs may reasonably be confused as to the requirements imposed on them, and to their obligations and expectations. Given that versions such as 1.5.2 address critical security holes, we find it unacceptable for this situation to have gone on so long.</div><div class="gmail_extra"><br></div><div class="gmail_extra">This is not the first time we've raised the matter either [21], and to date, the Chair has to date ignored their responsibilities or performed them improperly. While the minutes of the most recent call are not yet available, I believe the minutes will further reflect that the Chair was unwilling to commit to performing their duties, as required under the Bylaws. This is deeply troubling - to the ability of the Forum to function, certainly, but also because of the way it disadvantages other CAs, including non-member CAs, in which it creates compliance ambiguities, and introduces unnecessary security risks into the ecosystem. This should be a concern to all members of the Forum, for the reasons I've highlighted.</div><div class="gmail_extra"><br></div><div class="gmail_extra">[1] <a href="https://cabforum.org/bylaws/">https://cabforum.org/bylaws/</a></div><div class="gmail_extra">[2] <a href="https://www.mail-archive.com/public@cabforum.org/msg05833.html">https://www.mail-archive.com/public@cabforum.org/msg05833.html</a></div><div class="gmail_extra">[3] <a href="https://cabforum.org/wp-content/uploads/CABF-IPR-Policy-v.1.2.pdf">https://cabforum.org/wp-content/uploads/CABF-IPR-Policy-v.1.2.pdf</a></div><div class="gmail_extra">[4] <a href="https://cabforum.org/baseline-requirements-documents/">https://cabforum.org/baseline-requirements-documents/</a></div><div class="gmail_extra">[5] <a href="https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.2.pdf">https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.2.pdf</a></div><div class="gmail_extra">[6] <a href="https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3.pdf">https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3.pdf</a></div><div class="gmail_extra">[7] <a href="https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.4.pdf">https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.4.pdf</a></div><div class="gmail_extra">[8] <a href="https://cabforum.org/2017/09/19/ballot-190-revised-validation-requirements/">https://cabforum.org/2017/09/19/ballot-190-revised-validation-requirements/</a></div><div class="gmail_extra">[9] <a href="https://cabforum.org/2017/09/27/ballot-214-caa-discovery-cname-errata/">https://cabforum.org/2017/09/27/ballot-214-caa-discovery-cname-errata/</a></div><div class="gmail_extra">[10] <a href="https://cabforum.org/2017/10/04/ballot-215-fix-ballot-190-errata/">https://cabforum.org/2017/10/04/ballot-215-fix-ballot-190-errata/</a></div><div class="gmail_extra">[11] <a href="https://www.mail-archive.com/public@cabforum.org/msg05834.html">https://www.mail-archive.com/public@cabforum.org/msg05834.html</a></div><div class="gmail_extra">[12] <a href="https://cabforum.org/pipermail/public/2017-September/012103.html">https://cabforum.org/pipermail/public/2017-September/012103.html</a></div><div class="gmail_extra">[13] <a href="https://cabforum.org/pipermail/public/2017-September/012191.html">https://cabforum.org/pipermail/public/2017-September/012191.html</a></div><div class="gmail_extra">[14] <a href="https://cabforum.org/pipermail/public/2017-October/012253.html">https://cabforum.org/pipermail/public/2017-October/012253.html</a></div><div class="gmail_extra">[15] <a href="https://cabforum.org/pipermail/public/2017-December/012657.html">https://cabforum.org/pipermail/public/2017-December/012657.html</a></div><div class="gmail_extra">[16] <a href="https://cabforum.org/extended-validation/">https://cabforum.org/extended-validation/</a></div><div class="gmail_extra">[17] <a href="https://cabforum.org/wp-content/uploads/EV-V1_6_7.pdf">https://cabforum.org/wp-content/uploads/EV-V1_6_7.pdf</a></div><div class="gmail_extra">[18] <a href="https://cabforum.org/2017/10/23/ballot-207-asn-1-jurisdiction-ev-guidelines/">https://cabforum.org/2017/10/23/ballot-207-asn-1-jurisdiction-ev-guidelines/</a></div><div class="gmail_extra">[19] <a href="https://cabforum.org/pipermail/public/2017-October/012411.html">https://cabforum.org/pipermail/public/2017-October/012411.html</a></div><div class="gmail_extra">[20] <a href="https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.1.pdf">https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.1.pdf</a></div><div class="gmail_extra">[21] <a href="https://cabforum.org/pipermail/public/2017-December/012578.html">https://cabforum.org/pipermail/public/2017-December/012578.html</a></div></div>