[cabfpub] Arguments in favor of Trend Micro governance proposal

[kirk_hall at trendmicro.com]

To:          CA/Browser Forum Members and members of the public:

Trend Micro has re-posted its original governance proposal (without changes from the last round of voting) as part of the run-off election with Digicert, and has also responded to certain clarifying questions.

We want to present a brief critical analysis / pros and cons of the Trend Micro proposal versus the Digicert proposal as we see it for your consideration, and we have recommended that Digicert do the same.

First, many thanks to Digicert for its hard work on a thoughtful, well-considered new governance approach.

Here are the drawbacks to the Digicert proposal, as Chris Bailey and I see them.

1.        The Digicert proposal allows "Interested Parties" (IPs, like PayPal and others) to vote on new mandatory rules for CAs, which could significantly affect CA operations and increase costs with no corresponding benefit to the public.  IPs might have their own corporate or personal agendas, might attempt to impose new burdens on CAs to make their own product offerings easier or less expensive for them, etc.

Examples of new CA requirements promoted by IPs could include increasing mandatory CA liability and/or insurance for cert issuance, changing certificate vetting or certificate profiles to require additional vetting or breaking common user applications, outlawing common and useful types of certs, etc.  While Trend Micro welcomes comments and suggestions from IPs through new Working Groups, we believe that only CAs and browsers together should vote on the mandatory rules that are imposed on the CAs by the browsers through their trusted root programs.


2.        The Digicert proposal requires annual membership fees (suggested at $2,000) that could be burdensome on smaller and non-North American CAs, including those who can't travel to every face-to-face meeting, and may reduce the number of Forum Members.  Trend Micro believes there should be no mandatory fees so that we can encourage maximum CA membership and participation.


3.        Likewise, the Digicert annual membership fees would apply to IPs as well (even those who only participate in Working Groups), and are high enough ($2,000) to discourage many potential IPs who might want to be involved in the Forum.  Under the Trend Micro proposal, IPs can participate in Working Groups for free, which will attract a larger number of IPs, including especially individuals and smaller companies with an interest in online security.

4.        The Digicert proposal gives greater rights to Members who pay a higher membership fee (specifically, the $10,000 membership fee necessary to serve on in the Board).  Many current Forum Members may find it difficult to justify a $2,000 annual expense to maintain their current general membership, and will not be able to pay $10,000 to be a Board member.

Trend Micro believes all Forum Members - big and small - should have equal voting rights in the Forum, and that it would be a mistake to create greater membership rights (i.e., Board membership, with a separate right to vote for or against ratification of a matter after it has already been approved by the Forum Members) for those Forum Members who pay more.  We expect many smaller CA Members, especially non-North American Members, will not be willing to pay for Board membership.  By keeping equality among all Forum Members and not creating a Board with extra powers is more is in keeping the Forum's past goal of requiring "substantial consensus" among all CAs and browsers to adopt mandatory CA standards.

5.        The Digicert proposal does not state the maximum size of the Board, so we assume it can include all Forum Members who pay the required annual fee of $10,000 for Board membership.  However, we note that only 17 Members total voted on the first round of governance reform.  Assuming these 17 Members plus PayPal sign up for membership under the Digicert proposal, we would only have 18 Members total.  If, for example, 10 of these Members choose to pay the $10,000 annual fee to be on the Board, we would have a very lopsided organization - we would have a Board of 10 members (with special powers to ratify or block all previous actions of the Forum), and 8 additional Members who do not have Board rights.  So the 8 Members not on the Board could feel like second class citizens - the Members who are on the Board get to vote twice on every matter, bur regular Members only get to vote once.  This is not a healthy dynamic.

6.        Finally, the Digicert proposal adds expense (what would the Forum do with $100,000+ in annual dues?) and extra procedural steps for every project.  Our current Forum structure has been very functional, fairly efficient (and has seriously addressed ideas and suggestions from IPs), and low cost - why change that?

We recommend adoption of the Trend Micro governance proposal instead because (1) it allows for openness and public participation by Independent Parties in Working Groups without requiring them to pay a $2,000 membership fee, (2) it preserves the present voting system for imposing new mandatory requirements on CAs (CAs and browsers only) so third parties can't impose their own rules on CAs, (3) it keeps the Forum's activities more streamlined, without adding extra layers of approval or complicated new voting rules, (4) it treats all Member equally - small and non-North American CAs have the same participation and voting rights as the larger CAs and browsers,  (5) it keeps Forum costs to a minimum, and does not require smaller CAs or Independent Parties to pay $2,000 or $10,000 to participate, and (6) the current structure has been efficient in handling numerous important projects over the past seven years, with an impressive work product (EVGL, BRs, etc.).  By choosing the Trend Micro governance proposal, the Forum is likely to encourage participation by the maximum number of international and smaller CAs and Independent Parties as possible, which will be good for CA standards and good for the industry.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.243.5405


TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cabforum.org/pipermail/public/attachments/20120913/8e9423f0/attachment.html