[cabfpub] Code Signing Working Group

Jeremy Rowley jeremy.rowley at digicert.com
Fri May 6 13:10:20 MST 2016


Inline

On 06/05/16 15:35, Jeremy Rowley wrote:
> 2) Creation of the working group by ballot is merely permissive, not
> required. When creating the working group, I intentionally did not
> ballot the creation to ensure it wasn't required.

Perhaps off-topic, but: how do you read the bylaws such that you think that
working groups can be created without a ballot?
[JR] You are correct that this is off-topic. However, for explanatory 
purposes, the bylaws do not state a ballot is the sole way a WG can be 
created.  The bylaws say a member MAY propose a WG by ballot that is open to 
participation by members and interested parties. Pretty sure there's a reason 
it's worded with the MAY instead of a SHALL or MUST. Plus, it's worded that 
way in the CAB Forum Project lifecycle document "Voting members may propose
projects at any time by sending a description of the proposal to the CAB Forum
mail list. The description must identify the project by name and define the
scope". This is followed by "After the proposal is discussed during a Forum
meeting, the person making the proposal forms a working group that is 
responsible for creating a working draft. Any member may join or leave a 
working group at any time." No ballot is required to form the working group.

> Plus, it's a de facto working
> group now considering how long the working group has continued.

As noted before, I have no interest in arguing about the circumstances of its
creation. The question is: once the document was voted down, what do we do
now?
[JR] That question has been the WG's primary topic since the vote. "What now?" 
Various options discussed during the calls included amending the requirements,
abandoning the requirements, moving the requirements to a different group, or 
continuing to work on the requirements until the governance reform is finalized.
I believe we've decided to wait and see how the governance pans out.

> 3) I believe demanding early removal of the working group prior to its
> completion is a violation of the bylaws:

However, I would note that the fact that it was not balloted means that there
is no definition of "its completion". That is one of the reasons we require a
ballot, with certain things as part of it, to create WGs.

When do you think the WG reaches "completion" of its work?
[JR] There is no requirement a Working Group be limited in duration. "Never" 
is a perfectly valid expiration date.  I think the WG reaches its completion 
when we decide to end the WG. Pretty sure there will be a WG vote during the 
F2F to disband for now. I'm not necessarily in favor of the vote since there 
are still EV Code Signing questions we need to answer and propose in a ballot, 
but I'll accept disbandment if that's what the WG votes.

> "Members shall not use their
> participation in the Forum either to promote their own products and
> offerings or to restrict or impede the products and offerings of other
> Members."

I am not attempting to impede or restrict anyone's product or offering.
CAs are still free to issue code signing certificates, and (now that we have
freed the document) anyone is free to make it part of their system
requirements. Who is being restricted from doing anything, other than putting
the "CAB Forum" label on their activities or document?
[JR] Non-members? This is a question of trademark law and best referred to 
in-house or external counsel.

> 5) Mozilla is claiming the document is solely intended for Microsoft.
> This is not the case. We have asked other interested parties to review
> the document and would like their participation. Mozilla itself is
> free to adopt the document if desired.  The document is a general
> document and not Microsoft specific.

The way the CAB Forum makes official documents is by voting on them. We voted
on this one, and declined to make it official. Until there is some prospect of
it becoming so, we should stop working on it as part of the Forum.
[JR] Who gets to define this prospect? The bylaws permit members to propose 
ballots as they see fit. We've had several ballots where everyone knew the 
failure result before it was proposed, but we wanted to see the outcome 
anyway. I'd oppose a bylaw that required interested parties to stop work on a 
proposal simply because it failed the first time around or because prospects 
for adoption looked gloomy. Why should the WG stop working on the proposal? It 
seems clear from the lifecycle document that the editor can continue working 
on a document as long as there is interest.

> 7) Procedurally, we've always permitted members to add their own
> interests to the agenda. Dean regularly calls for agenda updates.
> Although members have always been free to add agenda items, there
> isn't a precedent for members to remove agenda items of other members.
> The bylaws don't explicitly prohibit removing items from the agenda.
> However, unlike the working group, there isn't precedent for doing so.
> I object on a procedural basis to unilateral removal of the agenda item.

I think that Code Signing is outside the scope of the Forum. However, I can
see we might want to have a discussion about Code Signing in general, and
would not object to the general topic being on the agenda.
However, that's not what's happening here - an official Working Group is
working on a document with the CAB Forum name on it, and it's being used
outside the forum as such, even though there is no chance within the current
structure of that document becoming official. That needs to change. The group
working on it needs to become unofficial, and the CAB Forum name needs to come
off the document.
[JR] I disagree with your scope, but that's not really important in this case. 
There's always a chance of something becoming official. Why would the CAB Forum
name need to come off the document? It's an accurate name. The Forum is an 
unincorporated entity formed loosely by common interests of its members with 
bylaws that give guidance on how to act. I don't see the reason for any of 
these changes. I also don't understand why Mozilla is so adamant in removing 
the WG prior to Bilbao. Could you shed some light on this?

Neither of these changes should have any effect on what people want to put in
the document or use it for. Or, for that matter, whether they can talk about
it in Bilbao.
[JR] Doesn't it? Seems like that's exactly the intent.