[cabf_governance] Preliminary thoughts on Governance Working Group

Kirk Hall Kirk.Hall at entrust.com
Fri May 20 17:21:29 MST 2016

I'd like to share a few preliminary thoughts for our Governance Working Group meeting on Tuesday.  My thoughts are not set in stone, and I'd like to hear what other people think.

Also - for the part of the discussion relating to the CA-Browser Forum itself (possible governance changes), I created the attached Grid with excerpts from the Bylaws on what we have today.  This may help us focus on what changes, if any, we want to make to the Forum's own rules.

1. I am dubious about converting the Forum into an umbrella organization that is somehow responsible for multiple other organizations (Code Signing, Document Signing, etc.).  First, we really don't have the infrastructure to run a complex organization like that - no paid staff, no offices, etc.  Setting up all the meetings, keeping membership lists and email accounts, filing all the different IPR policies, etc. would be a much bigger chore.

2.  Where and when would meetings be held?  I think I heard the suggestion that extra meetings could be scheduled before and after regular Forum meetings - but that creates logistics issues.  Let's say there are 10 or 20 new parties who want to attend the Code Signing or Document Signing group who are not members of the Forum.  Will they want to come a long distance just to attend a one-hour meeting?  Will Forum members want to extend their meetings to 4 or 5 days to add in new groups?  Will we find hotels and meeting places big enough to accommodate all these extra people?  In contrast, if we let new groups form on their own, they can set the time and place of their own meetings to suit their needs (see 6 below).

3. I think we would also be causing problems for ourselves by giving ultimate control over the scope and mission, bylaws, voting rules, IPR policy, etc. of each of these subgroups to all the Forum members as a whole.  Many Forum members will not be involved in some subgroups at all - my old company, Trend Micro, did not participate in the Code Signing Working Group, nor did most of the browsers.  Why should non-participants have any say in how one of these subgroups constitutes itself, what IPR policy it chooses, what voting rules it chooses, etc.?

4. Also relevant to 3 above - some subgroups will have non-CAs and non-browsers who want to participate as full members (and that will probably be appropriate for some of the new subgroups) - yet they will not be members of the parent Forum organization, and won't be able to vote on issues involving their own subgroup at the parent Forum level.  I think that could create problems over time.

5. I think we could tie ourselves up in knots with IPR policy issues by linking all these subgroups under the Forum - if guidelines are drafted in a particular subgroup, will non-members of the subgroup have to do anything relating to the IP created by that subgroup?  Declare any proprietary IP they have?  If the final work of a subgroup has to be approved or published in any way by the parent Forum, will that enmesh the IP policies of the two groups?  If the parent Forum does not have to approve and does not own or publish any final product of a subgroup - then why is the parent Forum involved?  What value would the Forum be adding (other than some overlapping members)?

6. Those of us who were involved when the Forum started in 2005 remember that it was a very informal gathering of CAs and browsers set up to talk about common issues - initially no rules or structure.  I think that's how any new group (not "subgroup" - this would not be under the Forum's jurisdiction) on code signing, document signing, etc. could start out - just set a meeting and send out invitations to people who have expressed interest (and put out information so other interested people can ask to be invited).  Start with a meeting or two on what issues need to be discussed, who should participate as primary members and how other public involvement can occur, what the group's name should be, etc.  Then, if the new group wants to, it can copy some parts of the Forum's Bylaws and IPR policy, and change it at will (for example, maybe voting is by all members in a group, but you need 60% or 67% to pass something so you know you have consensus).  The new group can declare itself formed and start its business without any approval from the Forum.

Finally, of late the Forum has had problems reaching consensus among CAs and browsers, and I'm concerned that this inability to reach consensus could affect the ability of new groups on code signing, document signing, etc. to form and proceed under the Forum's jurisdiction.  So in my opinion, it's better to let each group be self-formed and self-governing.

I will be eager to hear other people's ideas on Tuesday.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Governance Grid and Bylaw sections (5-20-2016).pdf
Type: application/pdf
Size: 312028 bytes
Desc: Governance Grid and Bylaw sections (5-20-2016).pdf
Url : https://cabforum.org/pipermail/govreform/attachments/20160521/759636c5/attachment-0001.pdf 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Governance Grid and Bylaw sections (5-20-2016).docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 19200 bytes
Desc: Governance Grid and Bylaw sections (5-20-2016).docx
Url : https://cabforum.org/pipermail/govreform/attachments/20160521/759636c5/attachment-0001.bin 
