[cabfpub] Ballot 110 - Motion to Adopt Version 1.1 of the Bylaws

Håvard Molland haavardm at opera.com
Mon Jan 20 15:39:58 UTC 2014

On 18. jan. 2014 03:40, Ryan Sleevi wrote:
> On Fri, Jan 17, 2014 at 6:26 PM, Ben Wilson <ben at digicert.com 
> <mailto:ben at digicert.com>> wrote:
>     Ryan,
>     See my responses inline below.
>     Thanks,
>     Ben
>     *From:*public-bounces at cabforum.org
>     <mailto:public-bounces at cabforum.org>
>     [mailto:public-bounces at cabforum.org
>     <mailto:public-bounces at cabforum.org>] *On Behalf Of *Ryan Sleevi
>     *Sent:* Friday, January 17, 2014 5:37 PM
>     *To:* Ben Wilson
>     *Cc:* CABFPub
>     *Subject:* Re: [cabfpub] Ballot 110 - Motion to Adopt Version 1.1
>     of the Bylaws
>     While I realize it's not at ballot review period, a few thoughts,
>     given the time constraints being operated in:
>     1) I'd prefer to not change the "Purpose of the Forum" (Section
>     1.1) at this time.
>     BTW: That's fine.  I just didn't like the current wording because
>     it was written as if we'd just finished version 1.0 of the EV
>     Guidelines.
> Yup. I'd love to see this iteratively refined, I just wouldn't want to 
> hold up the IG aspects.
>     2) Section 2.1 ("authenticate digitally signed code") is still a
>     much greater increase of scope of the work of the members. I'd
>     prefer if we could leave that for broader discussion. While I'm
>     aware of the "Code Signing WG" discussions, this change in
>     definitions has the effective quality of allowing/encouraging
>     vendors with no/limited stake in the SSL/TLS ecosystem to vote on
>     changes to the BRs / EVGs, and vice versa. I'm sure you can
>     recognize at it's face, that has some degree of undesirability,
>     and effectively changes the "CA/Browser Forum" to the "CA/ISV Forum"
>     BTW: I disagree that we're calling it the "ISV" forum under the
>     proposed language, but in any event I'm fine with reverting the
>     title to "Browser Member".  I also thought that the wording was
>     sufficient to limit potential browser concerns, but here is a
>     start on revised language that could make it a little more clear
>     in its restrictions:
>     (3) _Browser Member_: The member organization:
>     (A) manages a root store AND
>     (B) is a major global provider of a hardware or software product
>     that is:
>     (i) used by the general public as a browser or computing platform,
>     (ii) used to browse the Web securely or authenticate digitally
>     signed code, AND
>     (iii) able to verify the digital signatures on certificates used
>     with the product (i.e. by processing the chain to a root
>     certificate managed within the member's root store).
>     However, if browser members still have strong opposition to the
>     proposed wording, or this alternative above, I'd rather delete it
>     from the proposal now than have the ballot fail, but I would hope
>     you could see the importance of it to CAs who must deal with
>     public key stores.
> I'd love to deal with this in a separate ballot, since it doesn't 
> really tie to the Invited Guests discussion. I certainly can 
> understand how it was originally part of a general clean-up, whereas 
> now we're at a point of just trying to get a bylaws revision in place 
> before the next F2F.
I would also like to have this definition in a separate ballot. Opera 
(from 15+), like Google's Chrome, uses the rootstore on the OS and we do 
not explicitly decide which certificates are present in the rootstore. 
We do, however, take many decisions on top of the rootstores that are 
relevant  to cabforum, like blacklisting,  how certificates are verified 
and how they are presented to the user.

>     3) Why the removal of the transparency requirements in Section 5.2
>     for WGs? This is not at all desirable - although the modifications
>     to Section 5.2(c) are.
>     BTW: The current language requires that EVERYTHING (even things
>     that are not currently being done, like the creation of agendas
>     and minutes for working groups) be posted to the public list --
>     for some people, the amount of email traffic on the public list is
>     already bad. Read Section 5.2(e) where "important" working group
>     updates are addressed.  Otherwise, as the responsible executive
>     interpreting the bylaws I will have to start telling everyone that
>     they must prepare agendas and minutes and that all emails and
>     every single interim draft, agenda and all minutes will now need
>     to be posted to the public list, and then we'll just eliminate the
>     WG lists.
> I for one would welcome the enhanced transparency, and see it as a 
> feature, even as I'm already deluged in e-mail.
>     4) Why are Invited Guests at the sole discretion of
>     Chair/Vice-Chair, whereas Interested Parties go through Forum/WG
>     consent? If anything, Invited Guests represent the greatest
>     "threat" to members, in that they've not executed any IPR
>     Agreement for any of the discussions they are present in.
>     BTW:  If someone represents such a threat, we just won't invite
>     them---problem solved.  However, we will likely run into
>     situations where we value the input of someone, or we want their
>     individual expertise, and for one reason or another they cannot
>     sign the agreement in time (because of employment situation, legal
>     advice, or whatever), then we will have to "pass" on having that
>     person attend, and then maybe we'll miss out on valuable
>     information.  If we invite [fill-in-the-blank] as our "invited
>     guest", I want to have sufficient discretion on whether to require
>     them to sign the IPR Agreement.  I would hope that attendees would
>     we able to identify when an invited guest is trying to submarine
>     us with some great idea (albeit contained in an undisclosed
>     patent), and hopefully the Chair or Vice Chair, who we elect as
>     our trusted representative will be smart enough to exercise his or
>     her discretion appropriately.   If we do change this, then we'll
>     need something appropriate to take its place---I'm fine if someone
>     comes up with a simplified voting process that can also
>     accommodate last-minute guest speaker replacements, etc.
>     Thanks again for your comments.
>     Cheers,
>     Ben
> When I used such a loaded term as "threat", I do not ascribe malicious 
> intent. I simply mean that, for the members, every one of these IGs - 
> and their contributions - does represent a threat to anything produced 
> by a Standards Defining Organization or (as in the CA/B Forum's case) 
> "similar" organizations. That is the unfortunate situation that we 
> find ourselves in with respect to IPR.
> I would definitely feel more comfortable seeing us put the same rigor 
> as applied to members / associates, and simply present it to the 
> Forum, especially when attendance-without-IPR-agreement is an entirely 
> dangerous can of worms, no matter how well-intentioned or well-meaning 
> the IG is. The further nuance is that an IG is, presumably, a natural 
> person, whereas the IPR agreement is with legal persons - typically, 
> corporations. The distinction is that no matter how good the IG is, 
> they may be employed by an organization that does not share the same 
> values, and thus that presents a 'risk'.
> Anyways, I think these are the foundations of a series of good 
> changes, I just think they will trigger a variable level of 
> engagement, and for expediency, it might be best to just ballot the 
> minimal set of changes for the F2F, and perhaps simultaneously ballot 
> "the rest" for further discussion. Just $.02 from dealing with code 
> and "minimal patches" / "one commit, one bug".
>     On Fri, Jan 17, 2014 at 3:49 PM, Ben Wilson <ben at digicert.com
>     <mailto:ben at digicert.com>> wrote:
>     I am seeking two endorsers.
>     On 17 January 2014, Ben Wilson of DigiCert made the following
>     motion, endorsed by _____ of _______ and ______ of __________:
>     --Motion Begins--
>     Be it resolved that the CA / Browser Forum adopts the attached
>     "CA-Browser Forum Bylaws v. 1.1- Draft for Ballot 110" as its
>     Bylaws, effective as of 4 February 2014.
>     --Motion Ends--
>     The review period for this ballot shall commence at 2100 UTC on 20
>     January 2014 and will close at 2100 UTC on 27 January 2014. Unless
>     the motion is withdrawn during the review period, the voting
>     period will start immediately thereafter and will close at 2100
>     UTC on 3 February 2014.
>     Votes must be cast by posting an on-list reply to this thread. A
>     vote in favor of the ballot must indicate a clear 'yes' in the
>     response. A vote against the ballot must indicate a clear 'no' in
>     the response. A vote to abstain must indicate a clear 'abstain' in
>     the response. Unclear responses will not be counted. The latest
>     vote received from any representative of a voting member before
>     the close of the voting period will be counted.
>     Voting members are listed here: https://cabforum.org/members/. In
>     order for the motion to be adopted, two thirds or more of the
>     votes cast by members in the CA category and more than one half of
>     the votes cast by members in the browser category must be in
>     favor. Quorum is currently six (6) members-- at least six members
>     must participate in the ballot, either by voting in favor, voting
>     against, or by abstaining for the vote to be valid.
>     _______________________________________________
>     Public mailing list
>     Public at cabforum.org <mailto:Public at cabforum.org>
>     https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140120/49bbc7e9/attachment-0003.html>

More information about the Public mailing list