<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 2 6 3 5 4 5 2 3 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Georgia",serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-family:"Georgia",serif'>These minutes, along with Ballot 220, have been published to the cabforum.org website.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'>-- <br>Jos Purvis (jopurvis@cisco.com)<br>.:|:.:|:. cisco systems | Cryptographic Services<br>PGP: 0xFD802FEE07D19105 | +1 919.991.9114 (desk)</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Public <public-bounces@cabforum.org> on behalf of Kirk Hall via Public <public@cabforum.org><br><b>Reply-To: </b>Kirk Hall <Kirk.Hall@entrustdatacard.com>, CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Date: </b>Sunday, 29 April, 2018 at 19:37 <br><b>To: </b>CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Subject: </b>[cabfpub] Final Minutes for CA/Browser Forum Teleconference – 5 April 2018<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><a name="_MailOriginalBody">Final Minutes for CA/Browser Forum Teleconference – 5 April 2018<o:p></o:p></a></p><p class=MsoNormal><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_MailOriginalBody'>Attendees: </span><span style='mso-bookmark:_MailOriginalBody'><span lang=EN>Arno Fiedler (</span>D-TRUST</span><span style='mso-bookmark:_MailOriginalBody'><span lang=EN>), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Cecilia Kam, (GlobalSign), </span>Christopher Kemmerer (SSL.com), </span><span style='mso-bookmark:_MailOriginalBody'><span lang=EN>Corey Bonnell (Trustwave),</span>Daymion Reynolds (GoDaddy), Dean Coclin (DigiCert), </span><span style='mso-bookmark:_MailOriginalBody'><span lang=EN>Dimitris </span>Zacharopoulos (HARICA), </span><span style='mso-bookmark:_MailOriginalBody'><span lang=EN>Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Frank Corday (Trustwave), Jeremy Rowley (DigiCert), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), </span>Mads Henriksveen (BuyPass), </span><span style='mso-bookmark:_MailOriginalBody'><span lang=EN>Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Robin Alden (ComodoCA), Ryan Sleevi (Google), Shelley Brewer (DigiCert), Steve Medin (DigiCert), Tim Hollebeek (DigiCert), Tim Shirley (Trustwave), </span>Trevoli Ponds-White (Amazon), Virginia Fournier (Apple), </span><span style='mso-bookmark:_MailOriginalBody'><span lang=EN>Wayne Thayer (Mozilla).</span><o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>1. Roll Call<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>2. Read Antitrust Statement <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>3. Review Agenda. Agenda was approved.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>4. Update on ICANN actions re WhoIs data access, response to GDPR (presented by Francisco Arias, ICANN, and Andrew Sullivan, Oracle/DYN). <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Francisco Arias of ICANN discussed the policy development process at ICANN, and the review of ICANN registry rules that was occurring in part to help comply with upcoming GDPR rules which will take effect May 25, 2018. The current ICANN proposal is its Proposed Interim Model, which was distributed. See </span><a href="https://www.icann.org/news/blog/data-protection-privacy-update-seeking-input-on-proposed-interim-model-for-gdpr-compliance"><span style='mso-bookmark:_MailOriginalBody'>https://www.icann.org/news/blog/data-protection-privacy-update-seeking-input-on-proposed-interim-model-for-gdpr-compliance</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> and </span><a href="https://www.icann.org/news/blog/data-protection-privacy-issues-update-more-details-published-on-icann-proposed-interim-model"><span style='mso-bookmark:_MailOriginalBody'>https://www.icann.org/news/blog/data-protection-privacy-issues-update-more-details-published-on-icann-proposed-interim-model</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'>. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>It is entirely possible that registries will be allowed to publish only “thin data” that would not show the registrant name or any contact data – that is the current proposal. Limited groups, such as law enforcement, security researchers, etc. would have access to more data, but at this point not CAs. He recommended that CAs provide their input in the process by email to the following address as soon as possible: </span><a href="mailto:gdpr@icann.org"><span style='mso-bookmark:_MailOriginalBody'>gdpr@icann.org</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'>. Discussion documents will be posted here: </span><a href="https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en"><span style='mso-bookmark:_MailOriginalBody'>https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> Additional updates will be published here: </span><a href="https://www.icann.org/dataprotectionprivacy"><span style='mso-bookmark:_MailOriginalBody'>https://www.icann.org/dataprotectionprivacy</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> The current ICANN plan is an “interim” plan because the ICANN board has requested guidance from the EU on how to interpret the GDPR as it applies to WhoIs data. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>ICANN is also launching an RDAP pilot (the future successor to WhoIs), which will offer registries greater tools to allow differentiated access to domain registration data. He asked for CAs who are interested to volunteer for the pilot program. Further details can be found here: </span><a href="https://www.icann.org/en/system/files/correspondence/diaz-to-atallah-01aug17-en.pdf"><span style='mso-bookmark:_MailOriginalBody'>https://www.icann.org/en/system/files/correspondence/diaz-to-atallah-01aug17-en.pdf</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> </span><a href="https://www.icann.org/en/system/files/correspondence/atallah-to-diaz-01sep17-en.pdf"><span style='mso-bookmark:_MailOriginalBody'>https://www.icann.org/en/system/files/correspondence/atallah-to-diaz-01sep17-en.pdf</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'>RDAP page: </span><a href="https://icann.org/rdap"><span style='mso-bookmark:_MailOriginalBody'>https://icann.org/rdap</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'>Pilot page: </span><a href="https://community.icann.org/display/RP/RDAP+Pilot"><span style='mso-bookmark:_MailOriginalBody'>https://community.icann.org/display/RP/RDAP+Pilot</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'>Six registries covering 50+ gTLDs<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'>Mailing list: </span><a href="https://mm.icann.org/mailman/listinfo/gtld-tech"><span style='mso-bookmark:_MailOriginalBody'>https://mm.icann.org/mailman/listinfo/gtld-tech</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'>Andrew Sullivan said Francisco’s summary was comprehensive and accurate, but added his view that once ICANN’s Interim Policy was adopted, it was unlikely that there would be any changes. Kirk noted that CAs need access to WhoIs data for some of the domain validation methods under BR 3.2.2.4, and asked how (from a technological standpoint) some registries were able to block WhoIs access to the public but allow it to others, such as CAs. Andrew said the most common method today was by IP address whitelisting for CAs (otherwise, access might be rate-limited, etc.). However, it is unclear whether WhoIs IP whitelisting would be an acceptable control for GDPR authorities, plus it doesn’t really scale. Also, many new registries are coming, so a comprehensive approach will be necessary, perhaps with certificate-based solutions.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'>Kirk noted that the GDPR applies mainly to “natural persons” and not organizations, and only where there is an EU link – he asked Francisco why ICANN was effectively applying the GDPR to the entire WhoIs network, even for organizations and persons not connected with the EU. Francisco said that ICANN expected other privacy laws would emerge in other jurisdictions, and ICANN wanted to adopt a basic framework that could work for the GDPR and future privacy regulations, which are likely to be similar to the GDPR. Kirk asked what will happen to CA access on May 25 when the GDPR takes effect if there are no changes to ICANN’s Interim Plan. Francisco said again that ICANN is waiting for further guidance from the EU on how the GDPR applies to WhoIs, so that was not yet certain – ICANN had asked for a GDPR “moratorium” to apply to WhoIs records so it could have more time to come up with a solution. However, if there is no moratorium, Francisco thinks that registries will have to hide most WhoIs data from CAs starting May 25.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='mso-bookmark:_MailOriginalBody'>Kirk thanked Francisco and Andrew for their valuable information, and encouraged CAs to send comments and recommendations concerning the Interim Plan to the ICANN email address listed above, </span><a href="mailto:gdpr@icann.org"><span style='mso-bookmark:_MailOriginalBody'>gdpr@icann.org</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'>. Francisco and Andrew then left the call.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>5. Approval of Minutes. The following draft Minutes were approved, and will be posted to the Public list:<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>a. Revised Minutes from teleconference of February 8, 2017 (Emailed by Kirk March 23 with further revisions to Sec. 9)<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>b. F2F Minutes from March 7-8, 2018 (Emailed by Kirk March 23, as amended by Li-Chun’s email dated April 3)<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>c. Minutes from teleconference of March 22, 2017 (Emailed by Kirk March 23 as amended by Dimitris email April 1).<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>6. Governance Change Working Group – Implementation Plans for Ballot 206. Kirk congratulated Virginia, Dean, and other members of the WG for bringing Ballot 206 to a successful conclusion. Dean noted that all Forum Members need to sign the updated IPR Agreement now that Ballot 206 has passed, and said the WG had set up a site on the wiki where members can download the new agreement and upload signed copies. They have 90 days to do this, or they will lose their voting rights until the IPR Agreement has been signed. <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Ben said the WG needs to correct an outdated reference to ETSI nomenclature, and with Dimitris’ help the WG will correct that. Virginia noted that the new working group model will go into effect on July 3, 2018, and that it was a good time for people to start developing charters for new working groups and getting them pre-approved under the new model - that way they can be ready to go by July 3rd. Ben said the members needed to start now in preparing for the new policies and procedures we have adopted.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>7. Policy Review Working Group update. Ben and Dimitris said there was no update, but that the WG would meet again right after the Forum’s teleconference.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>8. Network Security Working Group update. Ben said the WG was working on better defining critical terms such as Certificate Issuing Systems, Certificate Systems, etc. in the Network Security Guidelines – defining what it is and scope so that other requirements will become clearer. The WG will use a matrix approach for this. Tim has created a spreadsheet where things are categorized by requirements – what zones, if publicly accessible, etc. More work is needed.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>9. Validation Working Group update. Wayne said the WG did three things on its last call. (1) Get more organized – this was discussed, and a Trello board was created to figure out priorities. (2) Work on the recent all-day Validation Working Group Summit at the F2F, organizing the findings and suggestions by validation method, etc. so amendments and additions can be considered. (3) Ask how to get validation method improvements going. It is unlikely that Method 1 will be coming back, but instead there are concrete proposals for substitute methods (labelled A, B, C, etc. to promote discussion). Tim said these proposals will also be added to the Trello board.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>10. Ballot Status - Discussion of ballots (See Ballot Status table at end of Agenda). There was no discussion.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>11. Bylaws Clarification – Form of audit required for CA Membership and Associate Membership. <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Kirk noted that the Forum’s Bylaws were somewhat unclear on what form of “audit” was required for a CA to become a Member, or an Associate Member, and suggested the members decide on that issue and then amend the Bylaws to make them clearer. The two options are a Point in Time (PIT) audit, also known as a “readiness” audit (before a CA begins operations), or a Period of Time (POT) audit, also known as a “performance” audit. Kirk noted that our Bylaws currently require a CA to submit the link to its latest “performance” audit (which would be a POT audit), but in the past it appears the Forum has also accepted PIT audits.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Wayne thought a PIT audit was acceptable for membership, and was allowed under the Bylaws. Ryan thought either a PIT or POT audit was acceptable for membership, and noted that ETSI audits are effectively only POT audits (Arno agreed on that last point). Dimitris noted that browsers accepted PIT audits with a CA’s root store inclusion application. Ryan said that only Microsoft accepted PIT audits for root store inclusion, while other browsers required POT audits to be in the root store, so considering all the other Forum membership requirements that effectively requires a CA applying for membership to have a POT audit. Dimitris said he prefers that CA member applicants present a POT audit, which he noted can cover an operational period of as short as two months.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Kirk thanked the members for their input. Because there are different viewpoints, he said he will post an online poll to gather the point of view of more members, and then bring back a proposal for Bylaws clarifications.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>12. Allowing people to the Forum’s Github site if they haven’t signed the IPR Agreement. <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Kirk noted that one company wanted to have the status of an Interested Party and participate in Forum discussions on issues, but didn’t want to sign our standard IPR Agreement for technical reasons. The company then said it assumed it was ok for it to continue to post comments on the Forum’s GitHub page, where draft ballots and other documents are posted for group review. Kirk said that he had a high opinion of the company, but he wasn’t comfortable in letting people who had not signed the Forum’s IPR Agreement post material to our GitHub page as this could defeat the purpose of the IPR Agreement (which is to promote participation in developing guidelines which would not be hampered by IP claims, and where all participants would grant royalty-free licenses to any IP they have included in the guidelines). In theory, someone could post content to the GitHub page that included its secret IP, then later sue all the Forum members for IP infringement.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Ryan asked if there was any difference between allowing the public to post to GitHub versus sending a message to the Forum’s questions@ email box. Kirk said he thought there was a difference – GitHub access could be ongoing and extensive, while a comment or question posted to questions@ was usually limited (and a member of the public who abused questions@ posting privileges could be blocked). Virginia said allowing general public posting on the Forum’s GitHub page concerned her as not complying with the Forum’s IP goals.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Ryan said he agreed in principal, but noted GitHub is useful because it allows valuable public feedback on proposals – and the Forum has solicited feedback from the public in the past via its questions@ mailbox. Virginia thought there was a difference – questions@ were very general comments, while GitHub was more specific.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Tim said there was virtually nothing posted by the public in the GitHub pages, and any comments posted by the public had been minor. The suggestions from the company in questions had been helpful, and an error in draft Ballot 219 had been corrected as a result. The better approach is for members to keep their eyes open, and if a member of the public posts something IPR-constrained via GitHub or questions@, then the Forum can ask that person to sign the IPR Agreement before continuing. Ryan said there were other ways of limiting GitHub in the future based on the process, if needed. Virginia noted that other standards organizations like W3C face the same issues and had generally required participants to sign their IPR Agreement to participate. She recommended the Forum be proactive on this issue and take steps so members of the public could not post to GitHub unless they have signed the Forum’s IPR Agreement.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Kirk noted there was no clear agreement on the issue, and asked those members who do participate on the GitHub page to be alert to the issue and take steps if necessary to head off an IP problem<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>13. Any Other Business. There was no other business.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>14. Next call: (1) April 19, 2018 <i>[RSA Week]</i> or (2) <i><u>skip</u></i> until May 3, 2018? <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>Kirk noted the next scheduled date for the CABF teleconference was April 19, right in the middle of RSA 2018 week which many members will be attending. He asked if the Forum should skip the April 19 call, and hold its next call on May 3. There were opinions on both sides. Kirk said he would post an online poll to get a broader sample, and then decide whether or not to skip the April 19 call.<o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p><p class=MsoNormal style='line-height:105%'><span style='mso-bookmark:_MailOriginalBody'>15. Adjourn<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_MailOriginalBody'> <o:p></o:p></span></p></div></body></html>