[cabf_governance] Thought on governance changes for CABF

Jeremy Rowley jeremy.rowley at digicert.com
Tue Jun 28 15:30:25 MST 2016

I think this is more complicated than simply creating a structure above the
CAB Forum that functions as a master organization with administrative
authority. You'd keep the CAB Forum structure as the SSL working group under
the structure and permit each group to create its own voting structure.  The
IPR would flow from the top down as a RAND-Z participation-based policy,
same as your suggestion.


From: govreform-bounces at cabforum.org [mailto:govreform-bounces at cabforum.org]
On Behalf Of Kirk Hall
Sent: Tuesday, June 28, 2016 3:06 PM
To: Govreform at cabforum.org
Subject: [cabf_governance] Thought on governance changes for CABF


Based on prior Governance WG meeting notes and some discussions we have had,
I want to put forward what could be a simpler approach to dealing with open


The Problems Presented So Far


The problems presented so far seem to be some combination of the following:


1. The Code Signing Working Group was chiefly of interest to CAs -
browsers (as browsers) were not interested.  After the CSWG was started, two
browsers noted it had not been created by a ballot (as our Bylaws require)
and its work seemed to be beyond the CABF's scope.  The two browsers also
seemed uncomfortable about adoption of the code signing guidelines at the
Forum level because that would have triggered IP disclosures and/or free
licenses under our current RAND-Z IPR agreement.


2. There is also a desire by some to add other working groups to deal
with certificate matters, even if these WGs are not of interest to browsers.
The reason is that the major CA players are already participating in the
CABF, so this would be the most efficient way to add other non-SSL server
cert certificate issues that CAs are interested in.  This would also allow
other non-CA, non-browser parties with an interest to participate on broader
issues at the WG level.  However, some possible participants (e.g., Oracle)
do not want to sign our current RAND-Z IPR policy.


3. One proposal is to push all issues to the WG level, including the
creation of a new SSL server certificate WG that does the work of the CABF
today.  The CABF (top organization) would just be a shell that coordinates
the work of all the WGs.  It's not clear if the membership of the CABF (top
organization) would stay the same as today (CAs and browsers only), or would
be modified (e.g., 2 people from each WG, etc.).


4. There is a possible desire for "greater transparency" at the WG
level.  Given that anyone can sign up today to be on a WG to participate and
know what's happening, I'm guessing this "greater transparency" maybe means
detailed public minutes of meeting notes.  I'm not sure if it would also
mean allowing the posting of comments from non-WG members, as that would
raise the IP issues (meaning, it's potentially dangerous to allow posts from
people who have not signed the WG's IP policy).


5. Finally, at the start of this discussion there was a desire among
some to allow each WG to adopt its own IP policy, but later sentiment seems
to be that there should be a common IP policy across the CABF and all WGs.
There seems to be interest in using something like the W3C's "participation"
IPR agreement format.


Possible Path Forward


Here is a possible path forward that would be easier to implement than a
complete reorganization of the CABF and WGs, and which reflects my own
personal preferences (which may differ from others).


1. Move to a W3C format "participation" IPR Agreement (maybe even copy
W3C's exactly so participants who have already signed the W3C agreement
don't have to talk to their legal departments to join a WG), and use this
participation form of IPR at both the CABF level and at all WG levels.


2. Copy W3C's rules about how a participant declares its participation
/ non-participation, withdraws, etc. and rules on keeping attendance lists
on calls and meetings, minutes, etc.


3. Keep issues relating to SSL server certificates at the CABF Forum
level (same as today), and don't push down to a new WG.  The Forum was
formed for discussion of SSL issues among CAs and browsers, and it seems
natural to keep it for that purpose (and to coordinate the work of new WGs
that work on other certificate issues that don't concern the browsers).


4. The WGs are already open to anyone who wants to participate, so
long as they sign the current IPR.  If the IPR is changed to the W3C format,
some new participants (e.g., Oracle) may be willing to sign and join certain


5. Change our bylaws so that the final product of WGs that are not
working on SSL server certificate related issues can simply be adopted on
their own by WG ballot - the results don't need to be adopted by Ballot at
the CABF level.  For example, Code Signing Guidelines could be adopted at
the "CABF Code Signing WG" level, and carry that name.  We would need to
create new voting rules at the WG level (e.g., require 2/3 approval of all
participants at WG level, etc.), but otherwise our current rules on WGs
probably don't need much change.


6. Creating new WGs would still happen at the CABF level by Ballot.
We would have to clarify that voting to create a WG is not by itself
"participation."  The CABF could also terminate a WG if its work was
finished, or if there are problems at the WG level.  If the CABF dislikes
the final approved product for some reason, it could vote to remove the CABF
name from the final product.


7. Change our bylaws to expand the general purpose of the CABF to
include a broader scope at the WG level.  Here is a possible modification
(new language is in bold and underscored):


1.1 Purpose of the Forum:


The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary
gathering of leading certification authorities (CAs) and vendors of Internet
browser software and other applications.  Others, including members of the
public, are able to participate in working groups relating to trusted and
non-trusted certificates.

Members of the CA/Browser Forum have worked closely together in defining the
guidelines and means of implementation for best practices as a way of
providing a heightened security for Internet transactions and creating a
more intuitive method of displaying secure sites to Internet users.  In
addition, other issues related to trusted and non-trusted certificates may
be addressed at the working group level, subject to the procedural rules
stated in these Bylaws.


8. Finally, consider whether to allow general postings by the public
to one or more lists (at the CABF list level, or at individual WG list
levels) even without signing a "participation" IPR agreement.  (I personally
would not want to mix in general postings from the public with the
Management or Public lists, as there is a benefit to seeing responses from
Forum or Working Group members only, and it would be too hard to read
through a combined list that includes general postings from the public.)


Some combination of these changes could get us to where we want to be
without completely reorganizing the current CA-Browser Forum.
