[cabfpub] Code Signing Working Group

[Ryan Sleevi]

On Fri, May 6, 2016 at 1:10 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Perhaps off-topic, but: how do you read the bylaws such that you think that
> working groups can be created without a ballot?
> [JR] You are correct that this is off-topic. However, for explanatory
> purposes, the bylaws do not state a ballot is the sole way a WG can be
> created.  The bylaws say a member MAY propose a WG by ballot that is open
> to
> participation by members and interested parties. Pretty sure there's a
> reason
> it's worded with the MAY instead of a SHALL or MUST. Plus, it's worded that
> way in the CAB Forum Project lifecycle document " Voting members may
> propose
> projects at any time by sending a description of the proposal to the CAB
> Forum
> mail list. The description must identify the project by name and define the
> scope". This is followed by " After the proposal is discussed during a
> Forum
> meeting, the person making the proposal forms a working group that is
> responsible for creating a working draft. Any member may join or leave a
> working group at any time." No ballot is required to form the working
> group.
>

Jeremy,

I simply must disagree with your reading of may. WG activities carry with
them IPR burdens; the may is not that you may skip a ballot, it's may that
a WG is not required, but if one is to be formed, it's formed by ballot.
You can see supporting evidence of that in the section proceeding, and with
the closing paragraph of the section you're citing (Section 5.3). The very
notion of approval, which immediately follows what you quote, shows the
need for ballots to establish that approval.

I must agree with Gerv here and object to the Forum's continued granting of
the CSWG, an improperly chartered WG, whose work product was rejected, from
continuing under the auspices of the Forum. That your argument relies on it
being a "de facto" WG - despite repeated objections by Google - shows the
danger of members relying on unchartered, non-bylaw conforming activities
as establishing precedent.


> > 3) I believe demanding early removal of the working group prior to its
> > completion is a violation of the bylaws:
>

Citation needed.


> When do you think the WG reaches "completion" of its work?
> [JR] There is no requirement a Working Group be limited in duration.
> "Never"
> is a perfectly valid expiration date.  I think the WG reaches its
> completion
> when we decide to end the WG. Pretty sure there will be a WG vote during
> the
> F2F to disband for now. I'm not necessarily in favor of the vote since
> there
> are still EV Code Signing questions we need to answer and propose in a
> ballot,
> but I'll accept disbandment if that's what the WG votes.
>

Section 5.3 "The ballot shall outline the scope of the Working Group’s
activities, including deliverables, any limitations, and Working Group
expiration date."

Please show me on a calendar on what day "never" falls on. I simply must
object to your argument that 'never' is a valid expiration date.


> The way the CAB Forum makes official documents is by voting on them. We
> voted
> on this one, and declined to make it official. Until there is some
> prospect of
> it becoming so, we should stop working on it as part of the Forum.
> [JR] Who gets to define this prospect? The bylaws permit members to propose
> ballots as they see fit. We've had several ballots where everyone knew the
> failure result before it was proposed, but we wanted to see the outcome
> anyway. I'd oppose a bylaw that required interested parties to stop work
> on a
> proposal simply because it failed the first time around or because
> prospects
> for adoption looked gloomy. Why should the WG stop working on the
> proposal? It
> seems clear from the lifecycle document that the editor can continue
> working
> on a document as long as there is interest.
>

If it was a WG, perhaps. But there's no question that there's an IPR
obligation for such activities, and as such, the burden must lay with
trying to continue the efforts, not in stopping them.


> [JR] I disagree with your scope, but that's not really important in this
> case.
> There's always a chance of something become official. Why would the CAB
> Forum
> name need to come off the document? It's an accurate name. The Forum is an
> unincorporated entity formed loosely by common interests of its members
> with
> bylaws that give guidance on how to act. I don't see the reason for any of
> these changes. I also don't understand why Mozilla is so adamant in
> removing
> the WG prior to Blibao. Could you shed some light on this?
>

Jeremy, we (Google) have repeatedly objected to continuing this WG, which
you've also ignored. Your justification for how you believe this follows
the charter is shaky at best, relying on stretching an interpretation that
flies in the face of the broader bylaws. As the CA/Browser Forum is an
industry group comprised of multiple members, it is misreprepsentative to
present such activity as a "CA/Browser Forum" activity, especially given
the repeated objections and oppositions from other browsers. You suggest an
endorsement for an activity that, at present, simply does not exist.


> Neither of these changes should have any effect on what people want to put
> in
> the document or use it for. Or, for that matter, whether they can talk
> about
> it in Bilbao.
> [JR] Doesn't it? Seems like that's exactly the intent.
>

It is inappropriate to suggest that there is consensus or support for
continuing this, especially that of browsers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160508/1fd12bfc/attachment-0003.html>