[cabf_governance] Thought on governance changes for CABF
Virginia Fournier
vfournier at apple.com
Wed Jun 29 11:40:50 MST 2016
Why would we be solving for Google? As Kirk previously mentioned, we need to determine what the question is before we answer it. In other words, we need to answer the question “Where do we want to go” before mapping out how to get there. A map to Kansas isn’t going to be very helpful if we want to go to Paris. And just because Google wants to go to Kansas doesn’t mean that’s where we should go.
Best regards,
Virginia Fournier
Senior Standards Counsel
Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com <mailto:vmf at apple.com>
On Jun 29, 2016, at 11:37 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
The current definition of “Participant” is “all entities and their Affiliates that are members of the CAB Forum”. This scopes the applicability of the IPR Policy too broadly. If we define “Participant” as “anyone who joins a Working Group”, then we can work from there to clean up other parts of the IPR Policy. That solves one of the two problems identified by Google (and others). Then, to solve the other identified problem (skin-in-the-game / alignment of interests with voting powers) we would need to revise the bylaws (edit sec. 2.1 Qualifying for Forum Membership, move subsection 2.2(f) Member Categories to sec. 5.3 Working Groups, and also edit sec. 5.3 to describe the new working group structure).
<>
From: vfournier at apple.com [mailto:vfournier at apple.com]
Sent: Wednesday, June 29, 2016 11:06 AM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: Kirk Hall <Kirk.Hall at entrust.com>; Govreform at cabforum.org
Subject: Re: [cabf_governance] Thought on governance changes for CABF
For what purpose?
Virginia M Fournier
Sent from my iPhone
Please excuse itypos and brevity.
On Jun 29, 2016, at 8:29 AM, Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com>> wrote:
I think we need to start from the IPR Policy by making strategic edits to it; starting with Section 8.3(h) – the definition of “Participant”.
From: govreform-bounces at cabforum.org <mailto:govreform-bounces at cabforum.org> [mailto:govreform-bounces at cabforum.org <mailto:govreform-bounces at cabforum.org>] On Behalf Of Virginia Fournier
Sent: Tuesday, June 28, 2016 7:43 PM
To: Kirk Hall <Kirk.Hall at entrust.com <mailto:Kirk.Hall at entrust.com>>
Cc: Govreform at cabforum.org <mailto:Govreform at cabforum.org>
Subject: Re: [cabf_governance] Thought on governance changes for CABF
In addition, any “proposal” needs to take into consideration what’s right for the CAB Forum long-term, and not what will get certain companies to join or what will get a particular WG approved right now. So we need to look at the big picture, and not for a band-aid solution for "Google and Mozilla don’t like what we have today."
Best regards,
Virginia Fournier
Senior Standards Counsel
Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com <mailto:vmf at apple.com>
On Jun 28, 2016, at 6:00 PM, Kirk Hall <Kirk.Hall at entrust.com <mailto:Kirk.Hall at entrust.com>> wrote:
Before we can come up with a proposal that is a “solution” to something, I think the WG needs to reach agreement on what the problem is.
From prior calls and minutes, I thought the problem was our current RAND-Z IPR agreement. Google and Mozilla did not want the Code Signing Guidelines to be approved because that would trigger IP disclosure or licensing (and I assume the two browsers didn’t want to do that), and at least one application didn’t want to join because of our RAND-Z IPR agreement. But you indicate you want to keep the RAND-Z form for the Forum and also all Working Groups. Don’t you think that will just extend the current problem?
How would you define the current problem that we addressing – not “what is your proposal” (save that for later), but what is the problem that requires action by this WG?
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com>]
Sent: Tuesday, June 28, 2016 3:30 PM
To: Kirk Hall <Kirk.Hall at entrust.com <mailto:Kirk.Hall at entrust.com>>; Govreform at cabforum.org <mailto:Govreform at cabforum.org>
Subject: RE: Thought on governance changes for CABF
I think this is more complicated than simply creating a structure above the CAB Forum that functions as a master organization with administrative authority. You’d keep the CAB Forum structure as the SSL working group under the structure and permit each group to create its own voting structure. The IPR would flow from the top down as a RAND-Z participation-based policy, same as your suggestion.
From: govreform-bounces at cabforum.org <mailto:govreform-bounces at cabforum.org> [mailto:govreform-bounces at cabforum.org <mailto:govreform-bounces at cabforum.org>] On Behalf Of Kirk Hall
Sent: Tuesday, June 28, 2016 3:06 PM
To: Govreform at cabforum.org <mailto:Govreform at cabforum.org>
Subject: [cabf_governance] Thought on governance changes for CABF
Based on prior Governance WG meeting notes and some discussions we have had, I want to put forward what could be a simpler approach to dealing with open issues.
The Problems Presented So Far
The problems presented so far seem to be some combination of the following:
1. The Code Signing Working Group was chiefly of interest to CAs – browsers (as browsers) were not interested. After the CSWG was started, two browsers noted it had not been created by a ballot (as our Bylaws require) and its work seemed to be beyond the CABF’s scope. The two browsers also seemed uncomfortable about adoption of the code signing guidelines at the Forum level because that would have triggered IP disclosures and/or free licenses under our current RAND-Z IPR agreement.
2. There is also a desire by some to add other working groups to deal with certificate matters, even if these WGs are not of interest to browsers. The reason is that the major CA players are already participating in the CABF, so this would be the most efficient way to add other non-SSL server cert certificate issues that CAs are interested in. This would also allow other non-CA, non-browser parties with an interest to participate on broader issues at the WG level. However, some possible participants (e.g., Oracle) do not want to sign our current RAND-Z IPR policy.
3. One proposal is to push all issues to the WG level, including the creation of a new SSL server certificate WG that does the work of the CABF today. The CABF (top organization) would just be a shell that coordinates the work of all the WGs. It’s not clear if the membership of the CABF (top organization) would stay the same as today (CAs and browsers only), or would be modified (e.g., 2 people from each WG, etc.).
4. There is a possible desire for “greater transparency” at the WG level. Given that anyone can sign up today to be on a WG to participate and know what’s happening, I’m guessing this “greater transparency” maybe means detailed public minutes of meeting notes. I’m not sure if it would also mean allowing the posting of comments from non-WG members, as that would raise the IP issues (meaning, it’s potentially dangerous to allow posts from people who have not signed the WG’s IP policy).
5. Finally, at the start of this discussion there was a desire among some to allow each WG to adopt its own IP policy, but later sentiment seems to be that there should be a common IP policy across the CABF and all WGs. There seems to be interest in using something like the W3C’s “participation” IPR agreement format.
Possible Path Forward
Here is a possible path forward that would be easier to implement than a complete reorganization of the CABF and WGs, and which reflects my own personal preferences (which may differ from others).
1. Move to a W3C format “participation” IPR Agreement (maybe even copy W3C’s exactly so participants who have already signed the W3C agreement don’t have to talk to their legal departments to join a WG), and use this participation form of IPR at both the CABF level and at all WG levels.
2. Copy W3C’s rules about how a participant declares its participation / non-participation, withdraws, etc. and rules on keeping attendance lists on calls and meetings, minutes, etc.
3. Keep issues relating to SSL server certificates at the CABF Forum level (same as today), and don’t push down to a new WG. The Forum was formed discussion of SSL issues among CAs and browsers, and it seems natural to keep it for that purpose (and to coordinate the work of new WGs that work on other certificate issues that don’t concern the browsers).
4. The WGs are already open to anyone who wants to participate, so long as they sign the current IPR. If the IPR is changed to the W3C format, some new participants (e.g., Oracle) may be willing to sign and join certain WGs.
5. Change our bylaws so that the final product of WGs that are not working on SSL server certificate related issues can simply be adopted on their own by WG ballot – the results don’t need to be adopted by Ballot at the CABF level. For example, Code Signing Guidelines could be adopted at the “CABF Code Signing WG” level, and carry that name. We would need to create new voting rules at the WG level (e.g., require 2/3 approval of all participants at WG level, etc.), but otherwise our current rules on WG probably don’t need much change.
6. Creating new WGs would still happen at the CABF level by Ballot. We would have to clarify that voting to create a WG is not by itself “participation.” The CABF could also terminate a WG if its work was finished, or if there are problems at the WG level. If the CABF dislikes the final approved product for some reason, it could vote to remove the CABF name from the final product.
7. Change our bylaws to expand the general purpose of the CABF to include a broader scope at the WG level. Here is a possible modification (new language is in bold and underscored):
1.1 Purpose of the Forum:
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of leading certification authorities (CAs) and vendors of Internet browser software and other applications. Others, including members of the public, are able to participate in working groups relating to trusted and non-trusted certificates.
Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users. In addition, other issues related to trusted and non-trusted certificates may be addressed at the working group level, subject to the procedural rules stated in these Bylaws.
8. Finally, consider whether to allow general postings by the public to one or more lists (at the CABF list level, or at individual WG list levels) even without signing a “participation” IPR agreement. (I personally would not want to mix in general postings from the public with the Management or Public lists, as there is a benefit to seeing responses from Forum or Working Group members only, and it would be too hard to read through a combined list that includes general postings from the public.)
Some combination of these changes could get us to where we want to be without completely reorganizing the current CA-Browser Forum.
_______________________________________________
Govreform mailing list
Govreform at cabforum.org <mailto:Govreform at cabforum.org>
https://cabforum.org/mailman/listinfo/govreform <https://cabforum.org/mailman/listinfo/govreform>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/govreform/attachments/20160629/cf7e913a/attachment-0001.html
More information about the Govreform
mailing list