[cabf_governance] CABF as a formal organization

Fiedler, Arno Arno.Fiedler at BDR.de
Wed Dec 7 02:52:52 MST 2016

Hello Dean,
thanks for the information.
In my personal opinion it's fine if the CA/B-Forum wants to stay an “informal organization”,
so I suggest keeping it as it is, based on the “Letter of Intent”.

Best regards

Arno Fiedler
Business Services und eGovernment

Bundesdruckerei GmbH
Kommandantenstraße 18 · 10969 Berlin · Deutschland

Tel. :    + 49 30 25 98 - 3009
Mobil: + 49 172 3053272

arno.fiedler at bdr.de · www.bundesdruckerei.de


From: Dean Coclin [mailto:Dean_Coclin at symantec.com]
Sent: Tuesday, December 6, 2016 20:55
To: Iñigo Barreira; 'Moudrick M. Dadashov'; 'CA/Browser Forum Governance WG List'; Fiedler, Arno
Subject: RE: [cabf_governance] CABF as a formal organization

This topic was discussed again today in our working group meeting. One thing Virginia pointed out is that ETSI requires that partners have an IP agreement which is substantially the same as the one ETSI uses. Unfortunately the CABF IP is much different and given the difficulties it took us to get agreement on that, there is little motivation for changing it.  Hence it was recommended that CABF not become a formal organization as there was little benefit but many downsides to doing so.


From: Iñigo Barreira [mailto:inigo at startssl.com]
Sent: Thursday, December 01, 2016 5:39 AM
To: 'Moudrick M. Dadashov' <md at ssc.lt>; Dean Coclin <Dean_Coclin at symantec.com>; 'CA/Browser Forum Governance WG List' <govreform at cabforum.org>; 'Fiedler, Arno' <Arno.Fiedler at BDR.de>
Subject: RE: [cabf_governance] CABF as a formal organization


As indicated ETSI can include in their standards mentions to other documents/standards and have no relation with them, just for info.
For this particular case, and due to the mutual benefit of working together (ETSI and CABF), the minimum that could be signed was a Letter of Intent (which basically means nothing) but with the aim of signing a MoU to collaborate together (ETSI has some of these with ISO, CEN, …) and have a better stability (as said at the moment is done on a voluntary basis).
We've been asking ETSI to change this, to try to adopt any other option, etc. but we end up in the same cul de sac.

So, for your question, to have a more formal agreement, ETSI needs the CABF to be “legal”. AFAIK, the LoI was signed by Tim Moses who represented Entrust and with the Entrust office address.

From: Moudrick M. Dadashov [mailto:md at ssc.lt]
Sent: Thursday, December 1, 2016 11:16
To: Iñigo Barreira <inigo at startssl.com>; 'Dean Coclin' <Dean_Coclin at symantec.com>; 'CA/Browser Forum Governance WG List' <govreform at cabforum.org>; 'Fiedler, Arno' <Arno.Fiedler at BDR.de>
Subject: Re: [cabf_governance] CABF as a formal organization

Thanks, Iñigo

one more (eIDAS) :

(67) "<..> However, in order for website authentication to become a means to boosting trust, providing a better experience for the user and furthering growth in the internal market, this Regulation should lay down minimal security and liability obligations for the providers and their services. To that end, the results of existing industry-led initiatives, for example the Certification Authorities/Browsers Forum — CA/B Forum, have been taken into account.".

Still curious what is the problem, does ETSI need Forum's "formal representative", formal address of presence?

On 12/1/2016 11:59 AM, Iñigo Barreira wrote:

For this particular question I think Sonia already explained in the email below. ETSI and CABF have been collaborating for a long time but “using” external parties, such as Arno and myself.
But mentioning CABF documents to be used for this type of certificates does not mean any formal relationship, because in the development of those documents, ETSI has not taken part, similarly to the ETSI standards in which CABF neither took part. So, basically the CABF accepts what ETSI produces and ETSI accepts what CABF produces but without involving in the development. They just mention.
I'm not familiar with legal stuff, but what Sonia tried to explain is that if the CABF is a formal entity, then in the development of the ETSI standards, people of the CABF (as being a legal entity) can participate in the development (this is done indirectly by me and Arno) and vice versa (and this has been repeatedly asked ETSI and always the same answer). So, it must not be that easy.

In any case, and regarding collaboration, well, personally I'm applying (with the help of Arno and some others) all the changes agreed in the CABF for the BRs and EVGs in the ETSI standards to be/have the most updated documents, but of course, this is on a voluntary basis (BTW, this is quite common in ETSI) and the problem could be if any of us (Arno, myself, Nick, …) decide to change/move/go for whatever reason and then, as there's no formal agreement, maybe all the work is lost or none is able to take it over.
We're also providing different final draft versions to check, when they go for public comment.

And yes, this has been discussed for a long time, I also remember not talking only about Delaware, but also Norway (Bjorn Vermo said it was quite easy and cheap), Switzerland, Luxembourg, etc. (BTW, all of them somehow opaque ☺ ) and none wanted to manage, pay, etc. (this was before entities such as CASC appeared) so maybe now's the time taking into account that we're too many now and for example this year F2F meetings have congregated about 50 people each, which is difficult to manage.
From the ETSI point of view, would be easier, and also for Arno and I for example, because, with that MoU, ETSI can assign resources to control/maintain/manage all related to the CABF and not only because we (some at ETSI ESI) decide to update the documents.

Well, I'm afraid I haven't solved anything, but at least, hopefully, you have a better insight of the situation.


From: Dean Coclin [mailto:Dean_Coclin at symantec.com]
Sent: Wednesday, November 30, 2016 20:59
To: CA/Browser Forum Governance WG List <govreform at cabforum.org>; Inigo Barreira <inigo at startcomca.com>; Fiedler, Arno <Arno.Fiedler at BDR.de>
Cc: Moudrick M. Dadashov <md at ssc.lt>
Subject: RE: [cabf_governance] CABF as a formal organization

These are good points Moudrick and I’ll leave it to Arno/Inigo to respond.


From: Govreform [mailto:govreform-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov via Govreform
Sent: Friday, November 18, 2016 5:31 AM
To: CA/Browser Forum Governance WG List <govreform at cabforum.org>
Cc: Moudrick M. Dadashov <md at ssc.lt>
Subject: Re: [cabf_governance] CABF as a formal organization

Please, if I may, a couple more questions:

1) Why in some cases CA Browser Forum has been recognized by ETSI a "real entity" (e.g. see ETSI EN 319 412-4 V1.1.1 (2016-02) Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 4: Certificate profile for web site certificates):
(a) "The present document aims to maximize the interoperability of systems issuing and using certificates both in the European context under the Regulation (EU) No 910/2014 [i.3] and in the wider international environment, also by meeting requirements from CA Browser Forum.";

(b) The following referenced documents are necessary for the application of the present document.
      [2] CA/Browser Forum: "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates".
      [3] CA/Browser Forum: "Guidelines for The Issuance and Management of Extended Validation Certificates".

whereas for a "formal partnership" the recognition above doesn't apply?

2) Wouldn't it be appropriate for ETSI (with the assistance of Commission?) to take internal arrangements to recognize the forum a "formal partner"?

On 11/17/2016 9:53 PM, Virginia Fournier via Govreform wrote:
Hi - some additional things to think about:

1.  Do the benefits of a “formal partnership" with ETSI outweigh the risks Kirk has outlined below?  What are those benefits from a CAB Forum standpoint? What would CAB Forum get that they aren’t already getting?

2.  How would CAB Forum’s IPR Policy need to change to be “compatible” with ETSI’s policy?  ETSI’s IPR policy is quite a bit different from the CAB Forum’s policy.

3.  Is CAB Forum prepared to charge fees for participation and to have a governing board who’s responsible for all of the overhead, budget, corporate responsibilities, legal matters, etc.?

Best regards,

Virginia Fournier
Senior Standards Counsel
 Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com

On Nov 16, 2016, at 9:23 PM, Kirk Hall via Govreform <govreform at cabforum.org> wrote:

Thanks, Dean.  I don’t feel strongly about this, but I have been through this before with another organization.

People say “we need to be a real entity” so they decide to incorporate.  What form – if a non-profit corporation, then you have to meet certain government criteria, and maybe file with the IRS to gain non-profit status.

Where?  Someone’s home state or province?  Delaware?  Who will be the registered contact people?  Then you have to figure out how to pay the annual filing fees and fees for a registered agent.  Oh, yeah – you need articles of incorporation, officers, etc.  And you probably have to file an annual tax return, state and federal.  And then after a couple of years, everyone forgets and someone who is no longer active is still listed as President or Secretary.  And maybe the corporation gets dissolved for non-compliance.

Then there is the issue of being sued – in one sense, no big deal if the corporation has no assets, just don’t respond to the lawsuit (of course, a lawyer needs to look at this and advise the corporation - $$), the person suing (to stop something, or for damages) gets a default judgment, and the CABF as a corporation is dissolved.   Then what?

On the other hand, if the CABF becomes a corporation, we can get an EV cert at last!  ☺

From: Govreform [mailto:govreform-bounces at cabforum.org] On Behalf Of Dean Coclin via Govreform
Sent: Wednesday, November 16, 2016 8:22 PM
To: Govreform at cabforum.org
Cc: Dean Coclin <Dean_Coclin at symantec.com>
Subject: [cabf_governance] FW: CABF as a formal organization

As discussed on the last call, there was interest in having the forum become a formal organization. Below is the reason from ETSI, for discussion on the next call.

From: Sonia Compans
Sent: Wednesday, November 16, 2016 11:18 PM
To: Dean Coclin
Cc: arno.fiedler at outlook.com; Xavier Piednoir
Subject: RE: CABF as a formal organization

Hi Dean,

This was even faster than I expected as I could get the feedback from our External Relations officer quickly (Xavier Piednoir, here in copy).

Let me explain the potential benefits of CAB Forum becoming a legal entity, at least from the ETSI viewpoint.
For several years now, ETSI and CAB Forum have had some kind of collaboration for policies for website certificates resulting in ETSI standards building on CAB Forum specifications and ETSI scheme being recognized by CAB Forum. As CAB Forum has so far not been a legal entity, ETSI and CAB Forum signed a Letter of Intent (in 2009) which only allows exchanging informational material and not having technical collaboration. So far the collaboration has in fact taken place thanks to common members, i.e. Izenpe.
If CAB Forum becomes a legal entity, ETSI and CAB Forum could set up a formal partnership and sign a Memorandum of Understanding or a cooperation agreement.
An MoU would allow formal technical collaboration with nomination of CAB Forum observers in ETSI TC ESI and vice-versa, with exchange of working documents and drafts, technical discussions, joint promotion through e.g. workshops, literature.
A cooperation agreement allows all that is possible with an MoU plus creating joint specifications, incorporation of text from the other party, adoption of publicly available specifications into ETSI Technical Specifications or Technical Reports. This level requires the compatibility of the Partner’s IPR Policy with ETSI’s.

I hope this helps and we would be interested in knowing the outcome of CABF discussions.

Best regards

Sonia Compans  – Technical Officer
ETSI ● www.etsi.org ● sonia.compans at etsi.org
Phone: +33 (0)4 92 94 43 36 ● Mobile: +33 (0)6 67 15 58 49