[cabf_governance] Draft Notes of Meeting 16 August 2016

[Ben Wilson]

Here are the draft notes from the call we had a month ago.

August 16, 2016

Ben, JC, Mike, Robin, Kirk, Virginia

As a follow-up from our last meeting, Kirk circulated a proposed summary
document, which discussed the governance reform conclusions of this group.
Virginia's comments to the document are posted on the version uploaded to
Google Docs.   On Google Docs, there  is a pull-down bar for "Suggesting"
changes to the document.  

We reviewed yellow-highlighted comments from Virginia.  The first comment
was about core principles of the CA/Browser Forum.  

Ben:  Then in the last paragraph under number one, it says working groups
would have the authority to draft and finally adopt by working group ballot
all guidelines within the working group scope and working group guidelines
would not have to be readopted or approved at the Forum level.  Virginia
says she wonders if we should put some parameters around what needs to be
included in the guidelines because we won't have checks and balances of the
Forum vote and this way we would minimize the chance of having an
anything-goes guideline.  We previously talked about adding "incorporated by
reference" to the requirements of the current final guidelines to make sure
that the new guideline would be minimally acceptable.  I'm taking that
comment to mean that there might be some interest in splitting out the
Baseline Requirements into things that would apply to all types of
certificates.  Is that what you're saying there, Virginia?

Virginia:  I'm still trying to open the document.

Kirk:  I think that is what  she is saying.  Remember how we talked at the
face-to-face meeting about adopting the core requirements?  There is an
assumption that some core parts would apply to everything.  But a couple of
thoughts.  We wouldn't want a new working group of the new CAB Forum to go
crazy and violate all of the antitrust laws.  So, we'd want general
requirements on working groups. But what if one of  these working group
says,  "we're not using these trusted roots and we don't want to be bothered
with the Baseline Requirements"?  So there could be a rule that says, let
each working group do what it wants, because it is in a sense independent of
the other working groups.  

Virginia:  I do see the document now, and I was concerned about a working
group saying that  it would not follow any guidelines or laws and that it
was going to do whatever it wanted.  I think that wouldn't be acceptable.  

Kirk: I think we should say something that all working groups must comply
with applicable law including antitrust law.  

Virginia:  Aren't there guidelines that will be applicable no matter what?

Kirk:  There might be, but isn't that better for them to decide than to
predetermine it for them?   they Let's talk about data center stuff.
Normally you start by saying that it has to be universal across everything,
but maybe not.  Maybe it won't be universal for one of the other working
groups.  I trust the working group to decide for itself whether they want to
latch onto whatever it is in their new guidelines or whether they don't want
to for some really good reason.  Maybe they do a terrible job on data center
security in their guidelines or standards, but maybe the applications that
are also part of their group will say, "sorry guys, we're not going to adopt
it or approve it because we think you're too weak on these things.  

Virginia: I'm just concerned with the situation where something comes in
really wacky that might harm things that the CAB Forum is already doing.
Something entirely opposite or notwithstanding the guidelines, we'll do
whatever we want.

Kirk:  If we create these requirements, we may have a working group that
comes back and says we can't because this kind of certificate isn't subject
to that kind of thing.  I'm just wondering if we can tell in advance which
parts of the baseline requirements should always be made mandatory for
working groups even before they start.  

Virginia:  My concern is that working group will not necessarily have a
high-level view of everything that is happening in the Forum-if they don't
have to be approved at the Forum level, who is going to have that oversight?


Kirk:  I'm thinking out loud, part of the reason we're doing this is to put
these into separate working groups so that people who are not in a
particular working group don't have to comment, in fact they can't comment,
for instance, by saying you might want to strengthen this, then potentially
they have to comply with IP policy for the output of that working group.  So
I guess this is a chance we have to take.  We have to assume that the CAs
that are on each of these working groups really want any standard they come
up with to be accepted and used, and so they are probably going to be pretty
good at saying we need some security guidelines here.  I think that maybe at
this point we keep this is an open item until we get feedback from the whole
Forum, or do we want to try to impose something other than just comply with
applicable law?  Do we want to impose on working groups any others
requirements about either how they do things or any parts of the Baseline
Requirements that they need to incorporate into their work?  

JC:   I guess so, but this seems like something that we can just leave, if
at the Forum level there is concern that the working group isn't doing what
their supposed to be chartered to do, then whatever process we used to
charter a working group could just be used to re-charter one.  

Kirk: Or even terminate if we think that it's too late for re-chartering.  

JC:  I don't think we need a bigger tool than that, certainly there's no
bigger tool.  But if a working group is failing because they're either not
following the Baseline Requirements or whatever it should be obvious and
then we re-charter them or something or someone proposes rechartering or
disbanding.  

Ben:  I'm with Kirk on the idea of not trying to split out the different
guidelines that would be applicable to all working groups.  I think that if,
for two reasons--one is that if we want to minimize the changes and make
incremental changes, and I think it would be quite a burden to try and do
the work where you'd split it out, and then it orphans the part that has
been split out without a real working group for those sections unless we
create a special working group.  The other reason is that I see the SSL
Baseline Requirements as the flagship of the Forum even after this
reorganization.  In other words, when changes are made to the Baseline
Requirements you would want these other working groups to follow suit.  For
instance, the code signing working group would then amend their guidelines
to incorporate by reference the changes that the SSL group made to the
Baseline Requirements.  This approach is not without risk, but it's risk
worth taking.

JC:  I'm a proponent of us eventually having a "baseline" Baseline
Requirements, but I don't think we need to accomplish that through a
governance reform.  I think we just need to lay the groundwork where we can
have that at a later discussion. I agree it would be a separate working
group that works on the bases, but that's just theoretical-we don't need to
figure that out now. I imagine that once we have more visibility into what
really is common among the groups that it would be a much easier task
anyway.  

 

Kirk:  One other thing we can do in the charge or when we charter the
working group is we can put in their statement that an output should include
appropriate security considerations for this kind of certificate.   So we
can remind the working group about these issues.  

 

Ben: The next comment, which is in 2, it says, "The bylaws would define for
each working group who could participate as a working group member. This
would include all CAs and browsers who meet current Forum membership
requirements plus other parties with skin in the game defined as either
producers or consumers of the product that is subject to the working group's
work."  Virginia has commented, what about application software vendors?  I
can put a slash (/) here so it reads, "browsers/application software
vendors", but I'm not sure whether we agreed on a certain term to refer to
them, and somebody had another suggestion to replace the acronym for
application software supplier.  

 

Kirk:  With the original language I was trying to be inclusive and say that
if you are already in the Forum as a browser we assume automatically you can
join and participate in any of these working groups and that we would come
up with additional criteria for additional kinds of people who could
participate in particular working groups, but there might be different rules
for the working groups, and actually I'm not sure that browsers who don't
use code signing, for example, that they should automatically be able to be
members of the code signing working group.   Maybe again it should only be
applications that use code signing certificates--use or process code signing
certificates.  When we do create a charge for the scope of a new working
group I think we have a section in it that says who is eligible to
participate - CAs that produce this kind of certificate plus applications
that use or process them - to be a member of the  group.  You can also
participate as an interested party, but you don't get vote.   I think we
would define it on a working group by working group basis in the charge for
that working group.

Ben: So what if, where it says, "as either," we said "provided that they are
producers or consumers of the product that is the subject of the working
group"?

Kirk:  Or do a rewrite that says "working group members will be CAs and
applications that use or consume the product that the working group is
working on." 

Mike:  Suppose a software vendor doesn't consume or produce the subject
matter of a working group when the working group is created but later on it
does or wants to, how would they .

Kirk:  I do think we need to broaden it to "applications that currently do
or have concrete plans to or interest in using or producing and consuming."


Kirk:  Forget what I said that browsers are automatically in - use or plan
to use or consume the subject of the working group.  

Ben:  Number 2 again, which should be a number 3.  The comment is that we
need to have a discussion about the legal consequences of this so that
everyone understands. We could have members in one working group suing
members in another working group for patent infringement.  Also the specs
may not end up being 100% royalty-free.  This is why W3C has an
across-the-board royalty-free patent license for essential claims in
addition to the working group participation-based patent license.  Let's
think about the difference in consequential loss membership licenses etc. 

Virginia: The issue is that now that  licensing will be working group by
working group, instead  of  an overall license for everything in CAB Forum,
you could have a situation where someone in the code signing group decides
to sue someone the S/MIME working group.  People in one working group don't
have a license to something in another working group because there is no
longer an overall license.  

Kirk:  Is that true today?  For example, if someone has to grant a
royalty-free license today, is it only granted to members of the CAB Forum
and not to the world?   

Ben:  No, I think it's a worldwide royalty-free license.

Virginia: Now it's to anyone in the world.  But if we change it to
participation-based, . you know, I  thought we were doing that because some
potential members didn't want to have to license patents in every working
group.  

Kirk:  I thought it was because they didn't want to research their patents
for every working group.   Today, if our IPR policy says that once you've
triggered this and you have to give a royalty-free license to somebody,
you're giving it to everybody, whether they are in the Forum or not.  If
that's what our current policy is, then I want to continue that in the new
Forum so that if you're in the code signing working group and it is
triggered, then you have to grant a royalty-free license to everyone in the
world, including everyone in other working groups.   

Virginia:  But you could have a scenario where someone in another working
group has a license to  the patents in that working group, but they have
other patents that they haven't licensed, and they could sue people in that
other working group.  

Kirk:  I see where they've never declared it.  You can always get around the
license by declaring it, right?  But they never had the trigger where they
had to declare it because they were not participating in the working group.


Virginia:  Right. 

Kirk:  So what should we do about that? 

Virginia:  Some standards organizations have a provision that says if they
are sued, if a member is sued by another member, then any licenses that  the
member being sued has given the other  member are suspended.  So the  member
that  is suing no longer has licenses from the member that has granted the
licenses, as long as they're being sued.  

JC:  Like the  Apache open-source approach. 

Virginia:  Another possibility is their membership is terminated if they sue
anyone in CAB Forum.  So someone like Google wouldn't be granting a license,
but they would have a disincentive to sue anyone in CAB Forum.   

Ben:  I think that  we already have something in section 5.1 of the IPR
Policy that is similar.  We say, "it may be suspended with respect to any
licensee when licensor is sued by licensee for infringement of claims
essential to implement a guideline."   So we could see if we have to amend
section  5.1.g., or maybe make it more broad because it's too narrow now,
but that is a valid issue.

Virginia:  So, it wouldn't be just the CAB Forum final guideline.  We'd have
to reword it to pertain to any guideline.  

Kirk:  I like the idea that you're a member of any working group and if you
sue somebody for IP infringement, somebody in a working group where you
didn't participate, any royalty-free licenses that the defendant has ever
granted are cancelled as to the plaintiff.  

Virginia:  I could draft some language for that.  And there may be
objections to that, because that may be one reason why some members want
separate working groups, because they want to reserve those IP rights to be
able to sue for infringement.   But I think we have to have some
disincentive for CAB Forum members not to sue each other.   

Kirk:  And again, if you're going to sue,  why should you get the  benefit
of a free license.  

Ben:  Next comment down the sentence reads, "we need to define participation
clearly but it would start with those members and interested parties who
sign up for a particular working group."  The comment is, "I think for easy
administration 'signing up' needs to be the definition of 'participation'.
Potential members would have to click a button to join and cannot contribute
or be added to a mailing list until they have officially clicked to join." 

Kirk:  I think that makes perfect sense.  

Ben: The only part about that is that we don't have the programming ability
to, .  I guess we can edit or add something in the Wordpress webpage to
allow people to join, but we could also require that they somehow notify the
working group or somehow that they get listed either on the public website
or on the wiki.  But by the act of putting their name on the list in the
wiki that that is enrollment for participation.  We would just have to
figure out how to track it in a table if they withdraw from participating.

Virginia: The problem is that it's not foolproof.  Somebody could be lurking
in the working group without actually viewing that, and then say, "oh well,
I wasn't really participating because I didn't go through that process."
Then they'd claim that they didn't grant a royalty-free license.  So it
needs to be structured so that you can't participate in the group unless
you've done a certain thing.  

Kirk:  We can definitely keep the working group membership list on the
public, on the CAB Forum website or on the wiki, at a minimum, and it will
be up to  the chair of each working group to see that if you are not on that
list you can't participate in any of the activities.  

Ben:  This whole paragraph is on the same topic and the comments are
similarly related.  Do we want to add a sentence in here later on that
signing up would consist of both and then take some of Virginia's comments
and put it into a sentence?

Kirk:  That's fine.  We'll just say there will be a master membership
sign-up list and no one can participate unless they're on the list. 

Virginia:  How will we manage it?  I guess one way is that we take roll at
the beginning of a call, and if they are not on the list, they can't
participate.  But what if someone calls in and lurks?   Do you continue the
call?

Kirk:  We can limit who gets the phone number, but listening in concerns me
less than contributing.  If they contribute, then presumably we know who
they are.   While we're on that point, someone said if you are not an
interested party, then you can listen in and then run out and file a patent.
I'm not sure that will realistically happen.  I don't want to go off topic,
so I think if we have a master sign-up list and if the chair of each working
group makes sure that no one gets to participate unless they're on the list,
probably for now that's good enough to keep participation limited.

Ben: The next comment is "we may have to limit input from Forum members who
have not signed up to a particular the working group." Virginia points out
that this is a "must" so we should say "we will limit, or we will not
permit, input"  . meaning that the member could not submit ideas or comments
to a working group until the member signs up as a participant of the working
group and becomes subject to the IPR for that working group.

JC:   That's how the W3C works and there's a public list and the public list
can be public. 

Ben:  Well. That raises another question.  Are working groups going to have
two lists?  One would be the public list and the other the working group
list?  

Kirk:  Let's discuss interested parties.   We have invited interested
parties, like WebTrust and ETSI, but does anybody in the world who wants to
sign the IPR get to participate in any and all of these working groups?   

Ben:  Maybe they get to be on the list that  is only the working group.  The
lists are public and under the current bylaws all of new lists are supposed
to be searchable on the Internet and they are, and I guess that doesn't, .
but if we are changing to a working group model, there is nothing preventing
us from closing the working group list, unless there are some members who
feel strongly about the public and an open dialogue of what goes on in the
Forum.  There's no reason why we couldn't change it to be more restrictive
of how much information gets leaked out from what a working group is working
on. 

Kirk:  So I'm not clear what your issue is.  Is your issue that someone can
sign up as an interested party and steal ideas?  You're talking about two
lists, and I'm not clear about what the two lists are.

Ben:  I'm just still concerned that because the lists are  public, anyone
can go out and file a patent on something they read on the list.

JC:  Mozilla would definitely want it to remain public.  The concern exists
today, and I don't know that it gets any worse by having additional working
groups.

Ben: Alright, I just thought I'd raise the issue.   On the next topic, I've
gone in already and where it says, "RAND Z" I replaced it with "a
royalty-free policy" which I think is what Virginia's comment was.  It's
that we don't really have a RAND-Z policy.  When we've been talking about it
in the past we've used the word "RAND Z", but since we don't use the words
"reasonable and non-discriminatory" it's not a RAND Z policy but a
royalty-free policy.  So now it says should be maintained by the Forum and
continue with a royalty-free policy.

Virginia: It was based on the W3C policy, and royalty-free is what they
have.  They don't have RAND-Z either.  So I think that what we have is what
was intended.

Ben:  Then there are some changes in pink, in my version, which I didn't
have any problem with.  The next comment was "however the Forum itself would
not adopt any guidelines or requirements and no work at the Forum level
would ever come under the IPR policy.  All members at the working group
level CA browser service would automatically members of the Forum level as
well.  And then the question is about interested parties.  I don't think
interested parties are "members" of the Forum.

Kirk:  Yes.  I agree.  We created that role so people could comment on and
work on substantive guidelines that we we'll be working on at the working
group level now.  It's not going to be happening at the Forum level.  I
would not let interested parties participate at the Forum level.

Ben:  The next comment is, "voting rules would be uniform at the working
group and Forum level and would be essentially the same as today. At the
working group level guidelines would be adopted upon approval of two-thirds
of the CA members and a majority of non-CA members, browsers and other
members."  Then it says, aggregated together 

Kirk:  At the Forum level, yes, they'd be aggregated.  It would be non-CAs.

Ben:  . of the  aggregate non-CA members, aggregated browsers and other
members.  

Kirk:  It might be better to say non-CA members, because there may be no
browsers in the working group.

Ben:  That's right.  At the Forum level most actions such as amendment of
the bylaws including creation of new working groups would require approval
of two-thirds of the CA members and a majority of the non-CA members,
browsers and other members.  So that's where it would be aggregated too.

Virginia:   Hypothetically, what if it's a working group that the CAs don't
care about, why would we need two-thirds of the CA member vote?

Kirk:  True, I just question if any working groups would get authorized if
no CAs were interested in the subject. The whole reason we're doing this, is
CAs had proposed spinning off S/MIME and code signing to brand new groups.
The CAs said, it's convenient for us, we're all here and don't want to have
to have a new group.

Virginia: If that did happen (once in a blue moon), we could address the
voting at the time. If there needed to be a different voting structure.

Ben:  I think this is just a general high-level thing, it will eventually
get written in stone.  Next comment in what's now six, the first sentence;
we discussed whether to create a new channel for input by the public. Those
who don't want to sign the IPR agreement or become interested parties, such
as a new listserv with a click-through agreement that all IP included in a
posting would be contributed to the public domain. Similar to the W3C model.
However, at this point the consensus was that a new channel is not needed
and those who want to participate should sign the IPR agreement and become
interested parties. This simplifies the patent licensing model and pedigree.


Ben: It does seem simple, and I'm not saying I'm an advocate for creating
this. I know that Gerv in the past has said he wanted to have a simplified
click-through IPR agreement. This would help resolve things like the
questions list. If you're going to submit a question, if it's really a
contribution then maybe that's.

Virginia: We could make the IPR agreement a click-through. They just have to
click through it to join as an interested party, rather than signing it.

Ben: Yeah

Virginia: To have everybody subject to the same thing makes it easier than
having to go back later and figure out whether it is public domain or if
it's subject to IPR agreement or what was this? It's just easier to have
everyone subject to the same thing. There is no reason why we couldn't have
people just click to agree to the IPR agreement. Just have it be the same
agreement and no opportunity to negotiate. I don't know how often it gets
negotiated but I think it's never. They can just click through it and be
done in 10 seconds.

Kirk: Which is a good idea, would that be true for full members or only
interested parties?

Virginia: We could do it for both, the only thing is that we need to be able
to keep accurate and complete records of who clicked. We would need to keep
track of who clicked through the agreement and when? If there is any
question later, we could go back and look at those records. We could
certainly do it for full members and interested parties.

Kirk: I'm thinking that for members who get to vote, getting signed pdf's.
Because they have the gravity of your company actually signs this thing and
it wasn't just a click-through saying oh yeah I have authority for my
company.

Ben: I think that was all of the comments that we have received.

Kirk: I had one more, which is; the chair of the forum should automatically
be the chair of the web working group.

JC:  Why is that? Other than that's the way it is today, what's the
rationale for that?

Kirk: There won't be much to do as chair of the Forum under this new scheme,
just to give the chair something to do and it did start out as an SSL
organization. Just a suggestion, I don't care if other people want them to
be separate, they can be separate, too.  Do we want to make mention that
working groups can create, are they task forces or sub committees? To me
task forces are for one issue where you address it and have a report. Where
sub committees sound like they can go on forever. I would mildly suggest
subcommittee but I don't feel strongly about it.

Ben: I like subcommittee.

Kirk: On the question about the chair being the chair of the web group, why
don't you at least put that as something for discussion.

Ben: I will put it up here where it talks about the web working group.

Meeting adjourned.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/govreform/attachments/20160919/d791293c/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4974 bytes
Desc: not available
Url : https://cabforum.org/pipermail/govreform/attachments/20160919/d791293c/attachment-0001.bin