[cabf_governance] DigiCert's Proposal for Governance Reform

Virginia Fournier vfournier at apple.com
Fri Jul 22 15:53:18 MST 2016


Hi Ben,

Thanks for elaborating on this.  The model is getting closer to something we could support.

One issue that we’ll need to discuss is how we would track “participation” and “formally joining a working group.”  This is the kind of overhead I was inquiring about - who would manage this?


Best regards,

Virginia Fournier
Senior Standards Counsel
Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com





On Jul 22, 2016, at 3:38 PM, Ben Wilson <ben.wilson at digicert.com> wrote:

Why would the CAB Forum make these changes?  What’s the impetus?  What would the benefits be to the Forum and the members?
 
As Certification Authorities, we issue X.509v.3 certificates for server authentication, code signing, secure email, client authentication, document signing, IOT device authentication, and a number of other, similar, public PKI purposes.  From time to time we encounter questions about what are the best industry practices when issuing and managing these types of certificates.  One venue, which has proven useful when discussing server authentication certificate issues, is the CAB Forum.  
 
The CAB Forum already has an established infrastructure.  It has a wiki, an email server, a website, a GitHub repository, a telephone bridge, a set of Bylaws, an IPR Policy, member representatives,  and finally and most importantly, a reputation with CAs and application software providers.   These are all valuable resources that can be leveraged and used to discuss other certificate types used in public PKI.
 
An explicit broadening of the allowed scope (DigiCert believes that the scope has always included other types of certificates) will allow CAs and others to move forward more efficiently in these other areas of public PKI.
How do you envision the IPR policy working in the model you’ve described? Would there be one CAB Forum IPR policy, or an IP policy for each working group (there were objections to having multiple IP policies)?
There would be one IPR Policy based on a participation model or, as Peter Bowen noted, it would be more appropriate to call it a “working-group-membership-based IPR policy” -- if you stay silent on calls or take no action during working group meetings you are still deemed to be participating. For example, a Member would be deemed to “participate” if it or its representative: (1) formally joins a working group as a listed participant; or (2) makes a Contribution to a Working Group; or (3) attends more than one (1) meeting of a Working Group (in person or by telephone) within a one-year period. [Source: https://www.sdcard.org/join/pdf/ippolicy32909.pdf] The terms and conditions of the IPR Policy would be limited in scope to and binding relative to each Working Group in which a member participates. [Source: http://www.gs1.org/docs/ip/GS1_Intellectual_Property_Policy.pdf]
How would the “Forum” activities be funded and staffed?
No funding or staffing needed.  The proposal consists of minor definitional, organizational, structural, and procedural changes.  There are no new activities that aren’t already accounted for in existing CAB Forum documents and procedures.  
Why should CAB Forum accommodate the requests of specific companies/members?
The proposal does not seek to accommodate any specific company, member, or group of members (except CAs as a whole).  A participation-based model is a necessary outcome of the desired changes outlined in our answer to the first question above.  It isn’t an accommodation to any particular member—Google and Mozilla were simply the members who raised the issue first—i.e. that a participation model for the IPR would enable a broadening of scope, which is what CAs in the Forum desire.
Where do you see browsers fitting into the equation?
Browsers would be entitled to vote at both the Forum level and the Working Group level. At the Forum level browsers would be a subset of “application software supplier” now used in the Baseline Requirements and defined in the BRs as “A supplier of Internet browser software or other relying-party application software that displays or uses Certificates and incorporates Root Certificates.” At the Working Group level, nothing would change – browsers would still have the same voting rights on matters involving the EV Guidelines and the Baseline Requirements.
 
From: vfournier at apple.com [mailto:vfournier at apple.com] 
Sent: Wednesday, July 20, 2016 5:09 PM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: Govreform at cabforum.org
Subject: Re: [cabf_governance] DigiCert's Proposal for Governance Reform
 
Hi Ben,
 
Thanks for sending this.  I haven’t digested your suggested model in detail yet, but I have some questions.
  
Why would the CAB Forum make these changes?  What’s the impetus?  What would the benefits be to the Forum and the members?
How do you envision the IPR policy working in the model you’ve described?   Would there be one CAB Forum IPR policy, or an IP policy for each working group (there were objections to having multiple IP policies)?
How would the “Forum” activities be funded and staffed?
Why should CAB Forum accommodate the requests of specific companies/members?
Where do you see browsers fitting into the equation?
 


Best regards,
 
Virginia Fournier
Senior Standards Counsel
Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com
 
 
 

 
On Jul 20, 2016, at 12:08 PM, Ben Wilson <ben.wilson at digicert.com> wrote:
 
DigiCert’s preferred model for governance reform of the CA/Browser Forum is working-group-centric as it emphasizes the importance of working groups in the areas of membership, voting, and IPR obligations.  
 
While the two underlying themes to our discussions about governance reform lately have been entitlement to vote and the over-inclusive scope of the IPR policy, we should not oversimplify the reasons for seeking governance reform. They go beyond the factors that caused the code signing ballot to fail.  Additional requests of members have included:  one organization where activities are coordinated, self-regulation in the industry, and a legally recognized structure (i.e. sufficient enough for the Forum to receive an EV certificate).  These additional requests should be accommodated if possible.
 
DigiCert favors a resolution that moves the current membership and voting criteria to a “Server Certificate Working Group” leaving membership at the Forum level of the organization responsible for administration and maintenance of the Forum. While the purpose of the Forum as a whole would be to address standards applicable to CAs issuing digital certificates, the scope of activities at the Forum level would be limited to scheduling meetings, creating/eliminating working groups, harmonizing the work product of working groups, maintaining the website, and maintaining the IPR policy. For these purposes, the Bylaws would create “Standing Committees” formed to work and advise Forum membership on areas delegated to Standing Committees in the Bylaws. There would be no Executive Committee—each member at the Forum level would have one vote, but membership in a working group would not entitle that company to membership at the Forum level. Membership at the Forum level would not require participation in any working group.
 
Similar to today’s membership criteria, membership at the Forum level would be limited to CAs and software companies of a certain size that manage root stores.  (The name of the CA/B Forum doesn’t need to change – the meaning of “CA/B” can be historic.)  Each working group would be responsible for creating and maintaining its own membership rules and voting rules.  As stated above, the membership criteria and voting rights in the Server Certificate Working Group would be the same as they are today for the Forum as a whole.  Additional working groups would be the Code Signing Working Group and the Client Certificate Working Group.  DigiCert proposes that membership in the Code Signing Working Group be limited to those CAs that issue code signing certificates and those software providers actively engaged in maintaining trust stores for code signing.  Membership in the Client Certificate Working Group would be similarly limited to CAs that issue certificates for S/MIME, digital signature, and client authentication and to software providers that process those certificates.  However, these are just suggestions and membership in each working group would be decided by the working group itself. Voting rules could be established by each of those working groups once they convene.
 
This two-layer structure is important for implementation of a working-group approach to IPR obligations.  Votes by membership at the upper, Forum level of the organization should not encumber the intellectual property rights of members.  Segregating administrative-management activities at the Forum level with Standing Committees from standards-adopting activities in Working Groups provides a clear guide for members and their legal counsel to follow when evaluating the IPR consequences of Forum participation.  Conversely, the proposal to preserve voting on server-certificate issues at the Forum level does not resolve the IPR concerns that have been previously expressed. 
 
 
<CABForum.pdf>
_______________________________________________
Govreform mailing list
Govreform at cabforum.org
https://cabforum.org/mailman/listinfo/govreform