[cabf_governance] Draft Notes of Call on 30-Aug-2016

Ben Wilson ben.wilson at digicert.com
Thu Sep 15 11:51:36 MST 2016


Here are my draft notes.  On attribution of comments between JC and Jos, I
wasn't familiar enough with their voices to tell whether it was JC or Jos,
so please forgive any mistakes in attribution.

I'll get you the other two sets of notes for the meetings before (8/16) and
after this one (9/13) shortly.

 

Thanks,

 

Ben

 

August 30, 2016 

 

In attendance: JC, Jos, Ben, Peter, Dean, Kirk, Andrew, 

 

Dean noted that we have Kirk's governance reform summary.  Kirk suggested
that we discuss the proposal that the chair of the Forum also be chair of
the web PKI or SSL group.  Gerv had sent an email to the list, and Ben
responded to Gerv saying he didn't know what people thought about voting
rights at the Forum level and asked for more feedback, but that we also
didn't want ballots to fail for lack of a quorum. 

   

Peter:  I agree with Gerv that the biggest question is how the voting split
would work in the overall Forum. There might be small groups or large ones -
taking the question raised this week about these telephony certificates, or
whatever you want to call them. So it could be a huge number with a whole
bunch of PBX software vendors.  That actually gave us a great opportunity to
have a scenario where we could ask, how would this work?  

 

JC:  I have looked at a few ways to split this up, where there is an S/MIME
group, and I haven't come up with a solution that isn't gameable.

 

Kirk: That's a concern at the Forum level itself.  You could have browsers
mixed in with other non-CAs voting on things at that level - things like
bylaws, IPR policy, and creation of working groups.  

 

Peter:  I'm not worried about the Web PKI working group.  It's just the
classes that we have right now may not transfer.   

 

Jos: I think the proposal so far is great. We are getting immediately to
questions about some of the implementation details. Some of those are really
sticky, like the classes of voting on things at the Forum level.  I think
the opposite problem exists at the Forum level--that unless there are an
awful lot of non-CAs, if you continue with the CA-versus-non-CA distinction,
or if you were to eliminate classes entirely, then the non-CAs' vote gets
pretty diluted.  I think the CAs in general mostly have the same or very
similar agendas, and so at the Forum level that represents a fairly
significant voting block.  Non-CAs must be concerned about a class-less
system.

 

Kirk: We're doing this because of the recent experience where the browsers
did not think it appropriate for CAs to work on code signing.  The browsers
didn't want to get pulled into IP disclosures on code signing certificates,
and so the browsers can't have it both ways. If they want to retain control,
they're going to have to remain engaged in all activities. Or if they want
to be left out because they're not interested, then they probably can't
retain as much control except over the browser-SSL issues.

 

JC:  I think the telephony certificate question is a really interesting case
study for us to look at here. On the one hand, it seems like there was some
initial advocacy for handling it under the existing EV standard, and on the
other hand there was the argument that it was a different kind of
certificate.  It seems to me like something that would have to get settled
under the new model at the Forum level.  Do we think this is an appropriate
discussion to be handled inside the web Forum or would it require its own
working group? And what happens when the working group concludes that it
doesn't actually think it is a question for them?

 

Dean:  It seems to be a different set of constituents in that particular
model.  

 

JC:  I'm not advocating for handling it in one place or another. I'm just
saying that this seems like a perfect example of a place where we would
start having those discussions at the Forum level of who is best to deal
with this question.  

 

Kirk: I think we start with the current Forum or the web PKI group, get
enough information to form a conclusion, find out which parties have a stake
in this, and then at that point we may have gathered enough information to
create a new telephony certificate working group.  

 

JC:   So would it be immediately referred to the web PKI group with a
request to look at the information, should we handle this with some sort of
ballot that would indicate how we should handle it, or should we punt it
upstairs?   I'm just curious about what would be the process for handling
that.

 

Dean:  An initial review might take place, and then quickly people would
decide whether the issue involved browsers, and if not, then they would
bring it up to the Forum level for decision.  Around the room, other issues?

 

Kirk:  Voting at the Forum level might be problematic.  Let's say we have 3
working groups - SSL, S/MIME, and Code Signing, and each one of them has
outside players that do not overlap. I would hate to see a voting model at
the Forum level where you have to get a majority of four groups, where
anyone can veto a proposal.  I think that starts to get unworkable, and I
think the main reason the Forum exists is because there's CAs and there's
other people who work with or use the product of the CAs, and at least at
the Forum level, where questions are not as highly charged, questions around
bylaws and IP policy, I dread the idea that you would have to get a majority
of four groups, or five groups, or six groups, depending on how many working
groups there are, for anything to pass at the Forum level.

 

Andrew: Just some clarification on whether subcommittee's work would be
covered by the IPR.  

 

Kirk:  I thought the subcommittee would be like the working group. I would
have thought that any work of a subgroup of a working group would arguably .
just as it is now, if things that would come up with drafts we would give it
to the full Forum.  

 

Andrew:  Maybe I misunderstood the purpose. I thought that as working groups
were  effectively becoming more powerful and would have more obligations,
the subcommittees were intended to be ways to have the top level Forum spin
off some administrative tasks or look at other things that didn't require
all of the heavy weight of participation tracking that the working group
would entail.

 

Kirk: I think you're right and I think I'm right, that the subcommittees
would be pure administrative work, no IP involved.  There might be a
subcommittee on website development.  I think each working group could have
subcommittees, which today we call working groups, that would be working on
a set of standards or guidelines--a small group of people who have the time
to work on a draft of something, and when they finish, they can't adopt
anything.  They send it to the whole working group for consideration and
possible action and that is the stage where IP disclosures would have to be
made at the working group level.  

 

Virginia: I would disagree with that because a subcommittee might have one
purpose when it is initially formed, but in your example they are putting
together a specification or something, and it would need to be subject to
the IPR policy at that time. I think everything needs to be subject to the
IPR policy. 

 

Kirk:  And the only people who can be on a subcommittee are people who are
in the working group. Just as today we have various kinds of working groups,
like this one, with calls and meetings and create drafts and take them back
to the main Forum, we can have subcommittees, to have a new name, still
subject to the IPR, they can only be populated by members of the working
group and when they are finished, they bring something back for action by
the working group.  

 

Virginia:  That makes sense.

 

Andrew: I assumed that they were at the Forum level rather than at the
working group level. If they are going to be stood up by the working group,
then that makes perfect sense. 

 

Ben:  Well, I think it depends on what we call these things.  I proposed
having standing committees, and then there was a suggestion of naming them
subcommittees.  I was under the impression that the standing committees
would be at the Forum level and not subject to the IPR policy, but that a
subcommittee would be what we'd call them instead of calling them "ad hoc".
They wouldn't be working groups.  I would still think that they wouldn't be
subject to the IPR policy until they start working on something to the
extent that they want to become a working group or they need to become a
working group.

 

Virginia: So what are you thinking that the subcommittee would be working on
or would do at the Forum level?

 

Ben:  You mean the standing committee at the Forum level?  

 

Virginia:  I'm having trouble seeing what the differences are between a
standing committee and a subcommittee and a working group.   

 

Kirk: Whatever name you choose, working groups are the big deal. They can
have subcommittees, or whatever you want to call them, and they can work on
drafts, just like we do today.  If we decide to have committees of the
Forum, whatever name we give them, they would only be working on things
where no IP content was involved.  It could be website design, it could be
to review revisions to the IPR policy, it could be revisions to the bylaws,
it could be authorizing new working groups.  If we feel it's necessary to
create a committee of some sort to do the work at the Forum level, so that
it can be discussed by all Forum members together, then we can do that.  It
would be a subcommittee of the Forum itself.  And we would make sure it
wasn't getting into anything that involved any IP.  

 

Virginia:  But you just never know in advance what is going to happen.  So
we need to have a default rule that if anything is created or developed in
the course of their work at the subcommittee level that it is subject to the
IPR policy. I'm sure you've seen things happen in projects where it's
supposed to be one thing and then you see all of these additional things
that you didn't know were happening.  I think everything has to be subject
to the IPR policy.  I don't know why we wouldn't want that.

 

JC:  The model that we're going to adopt was that all of the participants
are going to adopt an IPR policy for the working group that they are
participating in and all of the IPR policies for all of the working groups
are going to be uniform.  Is there any situation that anyone can come up
where somebody participating at the Forum level then would not have signed
the Forum-level IPR agreement?  

 

Virginia: It would be one IPR agreement and one IPR policy.

 

JC:  Right. So activity at the Forum level would function the way it does at
the working group.  That is, if there's stuff to be done at the Forum level
that requires a committee that that is automatically considered
participating?  

 

Virginia:  I think that's fine, but I think that someone was saying that
that should be excluded.  

 

Peter:  I think that there is slight confusion here, just based on the
history of the CAB Forum as compared to other standards groups.

 

Kirk:    I think that you are all correct, Virginia is correct that it is a
one IPR policy. We just need to make sure there are clear triggers in there
so you are not required to make disclosure on the work of a working group
unless you are a member of the working group.

 

Peter: Right, the point is if a group of a parent Forum wants to get
together to discuss something, does not make it a working group.

 

Kirk:    Right, it has to be officially charged, and created by ballot at
the Forum level.

 

Peter: Right

 

Kirk:    So again, I agree with everything, if by chance something happens
at the Forum level that involves IP, I'm not sure we'll recognize it. Then a
request for disclosure would go out and all members of the Forum will have
to respond to that. Any work that is adopted at the working group level the
notice would go out and only formal members of the working group would have
to make disclosure.

 

Andrew: In the rest of the document, we take pains to specify what is/isn't
covered by bits of the IPR. Then there are subcommittees where it's not
stipulated at all. So I think we're looking for clarification in that.

 

Kirk:    I would say that any subcommittee, if that's the term we use, is
subject to the same IPR requirements of the working group that it is
attached to or the Forum if it's attached to the Forum.

 

Andrew:         I think that's great.

 

Peter: Anyone else need any clarification on that?

 

Virginia:         I share the concerns about the voting structure and I had
submitted some comments on the document before. I don't know if those have
been incorporated.

 

Ben:   Those were. When I sent them out I'm pretty sure that those were.

 

Kirk: Do you want to go over any that were omitted?

 

Virginia:         I don't think I've seen the updated document. Was it on
the Google page?

 

Ben:   It's on the Google page, when I imported it, it imported your
comments. It was the version you had sent us that I imported.

 

Virginia:         In some cases, I just made comments and didn't change
anything. So were those comments addressed?

 

Ben:   That's what we should do, we should address all those comments. I
think it'd be better that I opened everything up on my screen to make sure
none of them got deleted. You had 12 comments to the document, but there
aren't 12 here. Ok, let's just read the comments out. 

 

Virginia:         The first comment I had was regarding the working group
guidelines would not have to be re-adopted at the Forum level. That they
would only be adopted at the working group level. I was wondering if we
should put some parameters around what needs to be included in the
guidelines because we won't have the checks and balances in the Forum vote.
This way we will minimize the chance of having "anything goes" guidelines.
During the last meeting (I don't know when that was) we talked about
incorporating by reference certain requirements from the current final
guidelines to make sure a new guideline would be minimally acceptable. My
concern was that the guideline said you don't have to follow any of the
final guideline just do what you want kind of thing. I know it's unlikely
that a working group would say that, but it is a guideline that contradicts
another guideline, are we concerned about that? Shouldn't there be some
requirements that the minimal requirements that would be acceptable?

 

Kirk:    One thought is, when we create a charter for a new working group,
we can be specific on things we want them to work on. We can throw in,
consistent with other existing standards. Suppose the CA and the non-browser
applications who are on that group basically want to change it. As long as
it's a guideline they're willing to work on for their world, do we care
that much? If they do something stupid, then the guideline won't be used by
anyone.

 

Andrew:         The only thing we would care about is if there aren't
technical constraints meaning that their world is really their world and it
wouldn't affect anyone.

 

Virginia:         I have a couple questions; what are you talking about the
requirements for the charter? This comes from the working group itself, I'm
not sure what you mean. Do you mean like in the Bylaws? Or somewhere we
say that we authorize such a group to be set and it has to include this,
this, and this?

 

Kirk:    I'm just saying that there will be parameters as to what this
working group can and can't do in the charter that's approved to set them
up, it won't cover every contingency.

 

Virginia:         In what charter to set them up?

 

Kirk:    I'm sorry the ballot, the ballot is at the Forum level that creates
the new working group, they will all be created by a specific ballot. We'll
have a description of what is the purpose of the new working group and so we
can put some constraints and some requirements but once we let go they can
probably go in any direction they want.

 

Virginia: Right, we've talked about the CAB Forum brand, so if they come up
with something stupid they can harm the CAB Forum brand. I'd think there
would be some concern about that.

 

Kirk:    We could always decommission that working group, but if a bunch of
CAs were in it, and approved, they might not vote to decommission it.

 

Andrew:         One thing that might be useful is putting together a
template, or questions that would need to be addressed by a ballot creating
a working group. That would be one way to address the technical constraints
concern is that part of the formation of a working group the ballot would
define the minimum technical constraints that would allow the working
group to be in its own time box, if you will.

 

Virginia:         Is there an action item there?

 

Andrew:         Yeah, I'll have a go at drafting up an outline of a ballot
to create a working group.

 

Kirk:    Virginia, what do you want to do about it? You've stated the
problem well, I guess, that the more the Forum level gets involved with the
decisions of a working group that everyone in the working group has to vote
on the standards of that working group. Which is what we were trying to
avoid. How do we avoid that?

 

Virginia:         I think that what we're talking about is putting
parameters in the ballot, that would be voted on to establish the working
group that would give some boundaries to what the working group would do. In
turn that would give some idea of what that working group is going to do so
that they wouldn't have the flexibility to go off and do something crazy.

 

Kirk:    Ok, sounds good.

 

Virginia:         Andrew offered to go off and draft an outline of the
ballot, I'd be happy to take a look at what he does and flesh it out a bit.

 

Kirk:    Sounds good.

 

Virginia:         My next comment in section 2 of the document, talks about
the Bylaws that define for each working group who could participate as a
working group member. This would include all CAs and Browsers, my comment
was to add "and application software vendors". I think it should be that
category of non CAs.

 

Kirk:    As I'm thinking about it, it wouldn't really be the Bylaws it would
be the ballot creating a working group that would outline what kind of
people can participate in that working group.

 

Peter: The charter for that working group, if you will. Should include the
definition of who has skin in the game.

 

Ben:   In the last call we struck browsers and went to other parties to be
defined with skin in the game. As either producers or consumers of products
or that use the certificate type that is the subject of the working group's
work.

 

Virginia:         So that change has already been made?

 

Ben:   Yes, your comment from before is still in the document online and
that other change has been made.

 

Virginia:         This is the second section 2, as I was thinking about the
different members participating in different working groups. I was going to
try and draft some language about this. This is the member that doesn't
participate in a certain working group, using its patents to sue another
member in CAB Forum. Because it's not subject to an IPR policy in another
working group. We talked about having some language that could be very harsh
or not so harsh. The very harsh could be; if you sue another CAB Forum
member on a patent that pertains to one of the CAB Forum's specifications
then you are automatically terminated from CAB Forum. Or you are required to
grant a license on RAND terms. We had talked about the termination language.

 

Kirk:    Well, Virginia you had another one, which was; any RAND licenses
you've received are cancelled.

 

Peter: I have a question on that, seeing as we just made the decision to
split to allow members to not participate in working groups. I'm a little
confused how that aligns with the concept of prohibiting them from suing. I
kind of get the termination option, if you want to sue then you don't get to
participate.  Like Ben said you have to do a RAND license or you lose your
other licenses, it's confusing to me how those two align.

 

Virginia:         Because it's a cultural thing, if you're going to be in
CAB Forum and your purpose is to sue other members then that is not good
citizenship.

 

Peter: No, I'm fine with the termination. My question is more the proposal
that essentially if you sue, you have to grant RAND. At that point you're
basically saying you're moving the IPR RAND into RAND.

 

Virginia:         In W3C it's royalty free, other standards organizations do
something similar. We can do whatever we want.

 

Peter: What you are saying is that if you are suing you have to grant
royalty free?  I guess the thing I'm trying to understand is that presumably
and I don't want to make assumptions on any member's part. Let's say you own
IP and you don't join a working group because you believe your IP is
relevant and you don't want to participate at all. So you won't be subject
to the IPR agreement. That working group goes off and creates something that
reads on your IP. At that point you're saying, well I guess you'd be able to
sue a non-member of the Forum but anyone who is a member you can't sue them.

 

Virginia:         I see your point, it's a little tougher for CAB Forum
because it doesn't have the same royalty free obligations that W3C has. I still
think there is a way that we can, we need to have a disincentive for members
to sue other members.

 

Peter: Right, I think the termination is a reasonable state. I'm just having
a hard time rationalizing both sides. We're saying, presumably you have the
right to exclude patents. Let's go off today's model, I have patent 123 that
reads on section 2. Another member goes and implements something that uses
that invention. Now what? Today if someone has excluded something they can
sue you. That's the reason we allow exclusion. Given the CAB Forum that we
have a concept has never attempted to establish a PAG and edit our
standards. Presumably, that's the current state of things. We have had
people put in exclusions.

 

Virginia:         I understand the exclusions, but it seems like you want to
retain a member's right to sue other members?

 

Peter: I'm just asking what is the logic here.

 

Virginia:         The logic is if a member sues another member they are
penalized. It's not the kind of conduct or misbehavior that we want to
encourage.

 

Peter: Why do we allow exclusion?

 

Virginia:         Exclusion is different, I'm not sure why you are
connecting those. When you do an exclusion you're saying you're not going to
license these patents on certain terms. You're not saying you're going to
sue everybody if they use these patents.

 

Peter:            So what you're presenting is that a member can exclude,
and say I reserve the rights granted through a patent but then they can't
enforce those rights?

 

Kirk:    I think I sympathize with Peter's point, that what we set up to
date is a way someone can preserve IP and say don't go there because I've
got something. I do think there should be punishment for someone who goes
the next step and sues someone else. The easy one is exclusion from the
Forum, the next easy one is any RAND licenses you got from anyone else are
cancelled as to you. I'm not sure we can go much further and say, no you
have to license this thing you already disclosed and made exception for. 

 

Peter: The difference here from W3C has a history of when they receive an
exclusion notice, then they modify their specification. Where a CAB Forum
through observation, does not even investigate whether the exclusion notice
causes the portion of the specification.

 

JC:     Generally speaking we are getting disclosures after the fact.

 

Virginia:         That's problematic, we will discuss that later this week. 

 

Dean: We definitely want to keep track of where our discussion has been. We
have 3 more calls from now until October and I'm hoping we can get to a
place we can all agree on. That by the time we get to the face-to-face there
will be other people in attendance and want to ask questions. We want to
have clear ideas we can present to the Forum.

 

Virginia: In the second section 2, I made a comment about signing up for a
working group, we have to have a way that we can track who is signed up for
the working group. We have to have a way of tracking if a certain member has
accepted the agreement. Is there a fool-proof way we can use, especially
because the IPR agreement and IPR policy attaches? When a person
participates in a working group they have to do that before they participate
in the working group.

 

Ben: We were talking about a public list that would be on the WIKI or the
website but we need to have some sort of tracking of the date when they
joined and when they left. Hopefully they won't join and leave, join and
leave.

 

Virginia:         It would be a problem because when they join they would
have an exclusion opportunity, when they leave, and when they come back they
have one as well.

 

JC:     I asked a rep at W3C they don't have a policy but they force people
to wait 6 months if they leave.

 

Jos:    I've been thinking about that as a possibility, that there isn't a
penalty for leaving and coming back and leaving and coming back. So having a
mandatory waiting period for 6 months to be the penalty.

 

Virginia:         Makes sense.

 

 
