[cabf_governance] Thought on governance changes for CABF

Mon Jul 4 16:40:20 MST 2016

On our Tuesday call, before we jump into specifics of a proposal can we spend some time trying to define what the “problem” is that we are addressing?  And what exactly we are trying to do to address the problem?

In my opinion, we need to reach consensus on that as a first step before working on any proposals.

From: Kirk Hall 
Sent: Tuesday, June 28, 2016 6:01 PM
To: 'Jeremy Rowley' <jeremy.rowley at digicert.com>; Govreform at cabforum.org
Subject: RE: Thought on governance changes for CABF

Before we can come up with a proposal that is a “solution” to something, I think the WG needs to reach agreement on what the problem is.

>From prior calls and minutes, I thought the problem was our current RAND-Z IPR agreement.  Google and Mozilla did not want the Code Signing Guidelines to be approved because that would trigger IP disclosure or licensing (and I assume the two browsers didn’t want to do that), and at least one application didn’t want to join because of our RAND-Z IPR agreement.  But you indicate you want to keep the RAND-Z form for the Forum and also all Working Groups.  Don’t you think that will just extend the current problem?

How would you define the current problem that we addressing – not “what is your proposal” (save that for later), but what is the problem that requires action by this WG?

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Tuesday, June 28, 2016 3:30 PM
To: Kirk Hall <Kirk.Hall at entrust.com <mailto:Kirk.Hall at entrust.com> >; Govreform at cabforum.org <mailto:Govreform at cabforum.org> 
Subject: RE: Thought on governance changes for CABF

I think this is more complicated than simply creating a structure above the CAB Forum that functions as a master organization with administrative authority. You’d keep the CAB Forum structure as the SSL working group under the structure and permit each group to create its own voting structure.  The IPR would flow from the top down as a RAND-Z participation-based policy, same as your suggestion.

From: govreform-bounces at cabforum.org <mailto:govreform-bounces at cabforum.org>  [mailto:govreform-bounces at cabforum.org] On Behalf Of Kirk Hall
Sent: Tuesday, June 28, 2016 3:06 PM
To: Govreform at cabforum.org <mailto:Govreform at cabforum.org> 
Subject: [cabf_governance] Thought on governance changes for CABF

Based on prior Governance WG meeting notes and some discussions we have had, I want to put forward what could be a simpler approach to dealing with open issues.

The Problems Presented So Far

The problems presented so far seem to be some combination of the following:

1.       The Code Signing Working Group was chiefly of interest to CAs – browsers (as browsers) were not interested.  After the CSWG was started, two browsers noted it had not been created by a ballot (as our Bylaws require) and its work seemed to be beyond the CABF’s scope.  The two browsers also seemed uncomfortable about adoption of the code signing guidelines at the Forum level because that would have triggered IP disclosures and/or free licenses under our current RAND-Z IPR agreement.

2.       There is also a desire by some to add other working groups to deal with certificate matters, even if these WGs are not of interest to browsers.  The reason is that the major CA players are already participating in the CABF, so this would be the most efficient way to add other non-SSL server cert certificate issues that CAs are interested in.  This would also allow other non-CA, non-browser parties with an interest to participate on broader issues at the WG level.  However, some possible participants (e.g., Oracle) do not want to sign our current RAND-Z IPR policy.

3.       One proposal is to push all issues to the WG level, including the creation of a new SSL server certificate WG that does the work of the CABF today.  The CABF (top organization) would just be a shell that coordinates the work of all the WGs.  It’s not clear if the membership of the CABF (top organization) would stay the same as today (CAs and browsers only), or would be modified (e.g., 2 people from each WG, etc.).

4.       There is a possible desire for “greater transparency” at the WG level.  Given that anyone can sign up today to be on a WG to participate and know what’s happening, I’m guessing this “greater transparency” maybe means detailed public minutes of meeting notes.  I’m not sure if it would also mean allowing the posting of comments from non-WG members, as that would raise the IP issues (meaning, it’s potentially dangerous to allow posts from people who have not signed the WG’s IP policy).

5.       Finally, at the start of this discussion there was a desire among some to allow each WG to adopt its own IP policy, but later sentiment seems to be that there should be a common IP policy across the CABF and all WGs.  There seems to be interest in using something like the W3C’s “participation” IPR agreement format.

Possible Path Forward

Here is a possible path forward that would be easier to implement than a complete reorganization of the CABF and WGs, and which reflects my own personal preferences (which may differ from others).

1.       Move to a W3C format “participation” IPR Agreement (maybe even copy W3C’s exactly so participants who have already signed the W3C agreement don’t have to talk to their legal departments to join a WG), and use this participation form of IPR at both the CABF level and at all WG levels.

2.       Copy W3C’s rules about how a participant declares its participation / non-participation, withdraws, etc. and rules on keeping attendance lists on calls and meetings, minutes, etc.

3.       Keep issues relating to SSL server certificates at the CABF Forum level (same as today), and don’t push down to a new WG.  The Forum was formed discussion of SSL issues among CAs and browsers, and it seems natural to keep it for that purpose (and to coordinate the work of new WGs that work on other certificate issues that don’t concern the browsers).

4.       The WGs are already open to anyone who wants to participate, so long as they sign the current IPR.  If the IPR is changed to the W3C format, some new participants (e.g., Oracle) may be willing to sign and join certain WGs.

5.       Change our bylaws so that the final product of WGs that are not working on SSL server certificate related issues can simply be adopted on their own by WG ballot – the results don’t need to be adopted by Ballot at the CABF level.  For example, Code Signing Guidelines could be adopted at the “CABF Code Signing WG” level, and carry that name.  We would need to create new voting rules at the WG level (e.g., require 2/3 approval of all participants at WG level, etc.), but otherwise our current rules on WG probably don’t need much change.

6.       Creating new WGs would still happen at the CABF level by Ballot.  We would have to clarify that voting to create a WG is not by itself “participation.”  The CABF could also terminate a WG if its work was finished, or if there are problems at the WG level.  If the CABF dislikes the final approved product for some reason, it could vote to remove the CABF name from the final product.

7.       Change our bylaws to expand the general purpose of the CABF to include a broader scope at the WG level.  Here is a possible modification (new language is in bold and underscored):

1.1         Purpose of the Forum:

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of leading certification authorities (CAs) and vendors of Internet browser software and other applications.  Others, including members of the public, are able to participate in working groups relating to trusted and non-trusted certificates.

Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.  In addition, other issues related to trusted and non-trusted certificates may be addressed at the working group level, subject to the procedural rules stated in these Bylaws.

8.       Finally, consider whether to allow general postings by the public to one or more lists (at the CABF list level, or at individual WG list levels) even without signing a “participation” IPR agreement.  (I personally would not want to mix in general postings from the public with the Management or Public lists, as there is a benefit to seeing responses from Forum or Working Group members only, and it would be too hard to read through a combined list that includes general postings from the public.) 

Some combination of these changes could get us to where we want to be without completely reorganizing the current CA-Browser Forum.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/govreform/attachments/20160704/a85754ff/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4044 bytes
Desc: not available
Url : https://cabforum.org/pipermail/govreform/attachments/20160704/a85754ff/attachment-0001.bin 