[cabf_governance] CABF as a formal organization

Moudrick M. Dadashov md at ssc.lt
Thu Dec 1 03:15:45 MST 2016


Thanks, Iñigo

one more (eIDAS) :

(67) "<..> /However, in order for website authentication to become a 
means to boosting trust, providing a better experience for the user and 
furthering growth in the internal market, this Regulation should lay 
down minimal security and liability obligations for the providers and 
their services. To that end, the results of existing industry-led 
initiatives, for example the Certification Authorities/Browsers Forum — 
*CA/B Forum*, have been taken into account./".

Still curious what is the problem, does ETSI need Forum's "formal 
representative", formal address of presence?

Thanks,
M.D.


On 12/1/2016 11:59 AM, Iñigo Barreira wrote:
>
> Hi,
>
> For this particular question I think Sonia already explained in the 
> email below. ETSI and CABF have been collaborating for a long time but 
> “using” external parties, such as Arno and myself.
>
> But mentioning CABF documents to be used for this type of certificates 
> does not mean any formal relationship, because in the development of 
> those documents, ETSI has not taken part, similarly to the ETSI 
> standards in which CABF neither took part. So, basically the CABF 
> accepts what ETSI produces and ETSI accepts what CABF produces but 
> without involving in the development. They just mention.
>
> I´m not familar with legal stuff, but what Sonia tried to explain is 
> that if the CABF is a formal entity, then in the development of the 
> ETSI standards, people of the CABF (as being a legal entity) can 
> participate in the development (this is done indirectly by me and 
> Arno) and viceversa (and this has been repeteadly asked ETSI and 
> always the same answer). So, it must not be that easy.
>
> In any case, and regarding collaboration, well, personally I´m 
> applying (with the help of Arno and some others) all the changes 
> agreed in the CABF for the BRs and EVGs in the ETSI standards to 
> be/have the most updated documents, but of course, this is on a 
> voluntary basis (BTW, this is quite common in ETSI) and the problem 
> could be if any of us (Arno, myself, Nick, …) decide to change/move/go 
> for whatever reason and then, as there´s no formal agreement, maybe 
> all the work is lost or none is able to take it over.
>
> We´re also providing different final draft versions to check, when 
> they go for public comment.
>
> And yes, this has been discussed for a long time, I also remember not 
> talking only about Delaware, but also Norway (Bjorn Vermo said it was 
> quite easy and cheap), Switzerland, Luxembourg, etc. (BTW, all of them 
> somehow opaque J) and none wanted to manage, pay, etc. (this was 
> before entities such as CASC appeared) so maybe now´s the time taking 
> into account that we´re too many now and for example this year F2F 
> meetings have congregated about 50 people each, which is difficult to 
> manage.
>
> From the ETSI poin of view, would be easier, and also for Arno and I 
> for example, because, with that MoU, ETSI can assign resources to 
> control/maintain/manage all related to the CABF and not only because 
> we (some at ETSI ESI) decide to update the documents.
>
> Well, I´m afraid I haven´t solved anything, but at least, hopefully, 
> you have a better insight of the situation.
>
> regards
>
> *From:*Dean Coclin [mailto:Dean_Coclin at symantec.com]
> *Sent:* miércoles, 30 de noviembre de 2016 20:59
> *To:* CA/Browser Forum Governance WG List <govreform at cabforum.org>; 
> Inigo Barreira (inigo at startcomca.com) <inigo at startcomca.com>; Fiedler, 
> Arno <Arno.Fiedler at BDR.de>
> *Cc:* Moudrick M. Dadashov <md at ssc.lt>
> *Subject:* RE: [cabf_governance] CABF as a formal organization
>
> These are good points Moudrick and I’ll leave it to Arno/Inigo to respond.
>
>
> Dean
>
> *From:*Govreform [mailto:govreform-bounces at cabforum.org] *On Behalf Of 
> *Moudrick M. Dadashov via Govreform
> *Sent:* Friday, November 18, 2016 5:31 AM
> *To:* CA/Browser Forum Governance WG List <govreform at cabforum.org 
> <mailto:govreform at cabforum.org>>
> *Cc:* Moudrick M. Dadashov <md at ssc.lt <mailto:md at ssc.lt>>
> *Subject:* Re: [cabf_governance] CABF as a formal organization
>
> Please, if I may, a couple more questions:
>
> 1) Why in some cases *CA Browser Forum* has been recognized by ETSI a 
> "real entity" (e.g. see ETSI EN 319 412-4 V1.1.1 (2016-02) /Electronic 
> Signatures and Infrastructures (ESI); Certificate Profiles; Part 4: 
> Certificate profile for web site certificates/):
>
> (a) "/The present document aims to maximize the interoperability of 
> systems issuing and using certificates both in the European context 
> under the Regulation (EU) No 910/2014 [i.3] and in the wider 
> international environment, also by meeting requirements from *CA 
> Browser Forum*./";
>
> (b) /The following referenced documents *_are necessary_* for the 
> application of the present document.
>       [2] CA/Browser Forum: "Baseline Requirements for the Issuance 
> and Management of Publicly-Trusted Certificates".
>       [3] CA/Browser Forum: "Guidelines for The Issuance and 
> Management of Extended Validation Certificates".
> /
> whereas for a "formal partnership" the recognition above doesn't apply?
>
> 2) Wouldn't it be appropriate for ETSI (with the assistance of 
> Commission?) to take internal arrangements to recognize the forum a 
> "formal partner"?
>
> Thanks,
> M.D.
>
> On 11/17/2016 9:53 PM, Virginia Fournier via Govreform wrote:
>
>     Hi - some additional things to think about:
>
>     1.  Do the benefits of a “formal partnership" with ETSI outweigh
>     the risks Kirk has outlined below?  What are those benefits from a
>     CAB Forum standpoint? What would CAB Forum get that they aren’t
>     already getting?
>
>     2.  How would CAB Forum’s IPR Policy need to change to be
>     “compatible” with ETSI’s policy?  ETSI’s IPR policy is quite a bit
>     different from the CAB Forum’s policy.
>
>     http://www.etsi.org/images/files/ipr/etsi-ipr-policy.pdf
>
>     3.  Is CAB Forum prepared to charge fees for participation and to
>     have a governing board who’s responsible for all of the overhead,
>     budget, corporate responsibilities, legal matters, etc.?
>
>     Best regards,
>
>     Virginia Fournier
>
>     Senior Standards Counsel
>
>      Apple Inc.
>
>     ☏669-227-9595
>
>     ✉︎ vmf at apple.com <mailto:vmf at apple.com>
>
>     On Nov 16, 2016, at 9:23 PM, Kirk Hall via Govreform
>     <govreform at cabforum.org <mailto:govreform at cabforum.org>> wrote:
>
>     Thanks, Dean.  I don’t feel strongly about this, but I have been
>     through this before with another organization.
>
>     People say “we need to be a real entity” so they decide to
>     incorporate.  What form – if a non-profit corporation, then you
>     have to meet certain government criteria, and maybe file with the
>     IRS to gain non-profit status.
>
>     Where?  Someone’s home state or province?  Delaware?  Who will be
>     the registered contact people?  Then you have to figure out how to
>     pay the annual filing fees and fees for a registered agent.  Oh,
>     yeah – you need articles of incorporation, officers, etc.  And you
>     probably have to file an annual tax return, state and federal. 
>     And then after a couple of years, everyone forgets and someone who
>     is no longer active is still listed as President or Secretary. And
>     maybe the corporation gets dissolved for non-compliance.
>
>     Then there is the issue of being sued – in one sense, no big deal
>     if the corporation has no assets, just don’t respond to the
>     lawsuit (of course, a lawyer needs to look at this and advise the
>     corporation - $$), the person suing (to stop something, or for
>     damages) gets a default judgment, and the CABF as a corporation is
>     dissolved.   Then what?
>
>     On the other hand, if the CABF becomes a corporation, we can get
>     an EV cert at last! J
>
>     *From:*Govreform [mailto:govreform-bounces at cabforum.org]*On Behalf
>     Of*Dean Coclin via Govreform
>     *Sent:*Wednesday, November 16, 2016 8:22 PM
>     *To:*Govreform at cabforum.org <mailto:Govreform at cabforum.org>
>     *Cc:*Dean Coclin <Dean_Coclin at symantec.com>
>     <mailto:Dean_Coclin at symantec.com>
>     *Subject:*[cabf_governance] FW: CABF as a formal organization
>
>     As discussed on the last call, there was interest in having the
>     forum become a formal organization. Below is the reason from ETSI,
>     for discussion on the next call.
>
>     Dean
>
>     *From:*Sonia Compans
>     *Sent:*Wednesday, November 16, 2016 11:18 PM
>     *To:*Dean Coclin
>     *Cc:*arno.fiedler at outlook.com <mailto:arno.fiedler at outlook.com>;
>     Xavier Piednoir
>     *Subject:*RE: CABF as a formal organization
>
>     Hi Dean,
>
>     This was even faster than I expected as I could get the feedback
>     from our External Relations officer quickly (Xavier Piednoir, here
>     in copy).
>
>     Let me explain the potential benefits of CAB Forum becoming a
>     legal entity, at least from the ETSI viewpoint.
>
>     For several years now, ETSI and CAB Forum have had some kind of
>     collaboration for policies for website certificates resulting in
>     ETSI standards building on CAB Forum specifications and ETSI
>     scheme being recognized by CAB Forum. As CAB Forum has so far not
>     been a legal entity, ETSI and CAB Forum signed a Letter of Intent
>     (in 2009) which only allows exchanging informational material and
>     no having technical collaboration. So far the collaboration has in
>     fact taken place thanks to common members, i.e. Izenpe.
>
>     If CAB Forum becomes a legal entity, ETSI and CAB Forum could set
>     up a formal partnership and sign a Memorandum of Understanding or
>     a cooperation agreement.
>
>     An MoU would allow formal technical collaboration with nomination
>     of CAB Forum observers in ETSI TC ESI  and vice-versa, with
>     exchange of working documents and drafts, technical discussions,
>     joint promotion through e.g. workshops, literature.
>
>     A cooperation agreement allows all what is possible with an MoU
>     plus creating joint specifications, incorporation of text from the
>     other party, adoption of publicly available specifications  in to
>     ETSI Technical Specifications or Technical Reports. This level
>     requires the compatibility of the Partner’s IPR Policy with ETSI’s.
>
>     I hope this helps and we would be interested in knowing the
>     outcome of CABF discussions.
>
>     Best regards
>
>     *Sonia Compans******–*Technical Officer
>
>     *ETSI*●www.etsi.org <http://www.etsi.org/>●_sonia.compans at etsi.org
>     <mailto:sonia.compans at etsi.org>_
>
>     Phone: +33 (0)4 92 94 43 36●Mobile: +33 (0)6 67 15 58 49
>
>     This email may contain confidential information and is intended
>     for the use of the addressee only. Any unauthorized use may be
>     unlawful. If you receive this email by mistake, please advise the
>     sender immediately by using the reply facility in your email
>     software. Thank you for your co-operation.
>
>     _______________________________________________
>     Govreform mailing list
>     Govreform at cabforum.org <mailto:Govreform at cabforum.org>
>     https://cabforum.org/mailman/listinfo/govreform
>
>
>
>     _______________________________________________
>
>     Govreform mailing list
>
>     Govreform at cabforum.org <mailto:Govreform at cabforum.org>
>
>     https://cabforum.org/mailman/listinfo/govreform
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/govreform/attachments/20161201/df8ad3a9/attachment-0001.html>


More information about the Govreform mailing list