[cabfpub] Draft Agenda for CA/Browser Teleconference of Jan. 25, 2018 at 11 am Eastern

Ryan Sleevi sleevi at google.com
Fri Jan 26 16:22:33 UTC 2018

On Fri, Jan 26, 2018 at 10:24 AM, Gervase Markham <gerv at mozilla.org> wrote:

> Hi Ryan,
> On 23/01/18 02:03, Ryan Sleevi via Public wrote:
> > As a possible item, or a consideration in advance, could you make sure
> > the document status
> > on https://cabforum.org/baseline-requirements-documents/ is up to date?
> > Your current status appears up to date, but our webpage seems a bit
> > behind.
> >
> > Similarly, https://cabforum.org/bylaws/ is not updated with the result
> > of Ballot 216 - I believe we should have a Version 1.8 of the Bylaws,
> > based on that?
> I've just been through and updated the dates, version numbers and ballot
> texts on:
> https://www.cabforum.org/wiki/Ballots
> back to the start of 2016 (for dates and numbers) or 2017 (for texts).
> As far as I can see, all completed ballots are published except two -
> 216, as you note, which completed on 21st Dec, and 217. 217 may not have
> been done due to a misunderstanding/typo - the original review notice
> gave the end of the review period as 20th Jan, but Kirk's summary below
> the agenda gives 29th of Jan, so he may have thought it wasn't time yet.
>
> Do you know of any other passed ballots for which a corresponding
> version of the BRs, EV, NetSec or Bylaws has not been published?
> I agree it would be good to add the results of 216 to the Bylaws ASAP;
> we have started using the new process, and it's not ideal if the process
> is not actually in our formal published process document :-)

Hi Gerv,

I'm afraid it's not as rosy a picture as you present, and Kirk's failure to
follow the Bylaws with respect to the duties of the Chair has put us in a
precarious position again with respect to our IPR policy.

Let's start with the Bylaws. I would cite you the current version of the
Bylaws, except they have not been published or made available to members
yet. The website lists Version 1.7 [1], but we've adopted a ballot since
then - Ballot 216 [2] - for which no copy of the Bylaws has been made that
integrates the results. However, since 217 doesn't change the relevant
sections, let's visit the bylaws. There are two sections relevant to the
discussion that follows, worth noting now:

The Bylaws, Section 2.4(e), states (in full):
"If a Draft Guideline Ballot passes the Initial Vote, the Chair shall
initiate, no later than the 3rd business day after the announcement of the
Initial Vote results, the Review Period of 30 or 60 days, as applicable and
as described in Section 4.1 of the IPR Policy. The Chair will initiate the
Review Period by sending the Review Notice to both the Member Mail List and
the Public Mail List. The Review Notice will clearly specify the open and
close dates and times (with time zone) of the Review Period. If the Chair
does not initiate the Review Period within 5 business days after the
announcement of the Initial Vote results, the Vice Chair may initiate the
Review Period, using the same process as the Chair would have been required
to use."

Referencing the IPR policy, Version 1.2 of the IPR policy [3], Section 4.1,
states (in part):
" The CAB Forum Chair shall initiate the Review Period by distributing to
each CAB Forum Participant a notice of review period and a complete draft
of the Draft Guideline that is the subject of such notice (“Review
Notice”). Each Participant on behalf of itself and its Affiliates shall
have sixty (60) days following the date of the receipt of such Review
Notice (“Review Period”) to review such Draft Guideline and consider any
licensing obligations with respect to any Essential Claims that may be
encompassed by such Draft Guideline. The approval of a CAB Forum Final
Maintenance Guideline shall follow the same process except that the Review
Period shall be thirty (30) days."

Note that there is an obligation of the Chair to provide a "complete draft
of the Draft Guidelines that is the subject of such notice... "  and that
"... The approval of a CAB Forum Final Maintenance Guideline shall follow
the same process ... ". The Chair has an obligation to make the full text
available to members as part of the Review Notices, and that the text made
available is the complete draft - not, for example, the Ballot.

Further on, the Bylaws, Section 2.4(h), states (in full):

"If no Exclusion Notices are filed during the Review Period with respect to
a Draft Guideline Ballot, then the results of the Initial Vote are
automatically deemed to be final and approved, and Draft Guidelines then
become either Final Guidelines or Final Maintenance Guidelines, as
designated in the Draft Guidelines Ballot. The Chair will notify both the
Member Mail List and the Public Mail List of the final approval within 3
business days, as well as update the Public Website of Final Guidelines and
Final Maintenance Guidelines within 10 business days of the close of the
Review Period. "

It's very important to note here - until the Chair has performed their
duty, the Balloted documents are Draft Guidelines - and are not Final
Guidelines or Final Maintenance Guidelines.

The failure of the Forum to make its Bylaws available - even to its Members
- creates a significant challenge in seeing both the legitimacy of its
actions and the legitimacy of the Chair. It's deeply troubling that these
have not been updated.

Let us now look to the Baseline Requirements [4]. As of time of this
e-mail, the Website lists the "Current Version" as BR 1.5.1, adopted in
Ballot 197. It lists versions 1.5.2 [5], 1.5.3 [6], and 1.5.4 [7] as
pending IPR review, the results of Ballots 190 [8], 214 [9], and 215 [10]
respectively. As you note, no copy has been available that integrates the
results of Ballot 217 [11]. Further, you can see that the "Notice of
Review Period" for Ballots 190 [12], 214 [13], 215 [14], and 217 [15] fail
to meet the requirements of the Bylaws Section 2.4(e) or the IPR Policy,
Section 4.1.

With respect to Ballot 217, the Chair has failed to perform their duties
under the Bylaws, Section 2.4(h), which is to notify the Member Mail List
and the Public Mail List as to whether or not any Exclusion Notices were
filed (within 3 business days), in addition to the long-standing failure to
update the Public Website of the Final Guidelines and Final Maintenance
Guidelines within 10 business days of the close of the Review Period.

The same problems are similarly exhibited by the EV Guidelines [16]. The
current version listed is 1.6.6, adopted from Ballot 192. Listed as pending
IPR Review is 1.6.7 [17], the result of Ballot 207 [18]. The notice of
Review Period [19] similarly shows a non-adherence to the Bylaws and IPR
Policy, and having completed on November 23, 2017, the Chair has failed
their duties under the Bylaws, Section 2.4(h) to provide notice within 3
business days as to the result of the Exclusion Notices, and within 10 days
to ensure that the Public Website is updated with these Final Maintenance

While the failure of the Chair to follow the Bylaws is problematic, it is
further problematic when considering Section 2.2 of the Baseline
Requirements. Using version 1.5.1 [20] as the basis, given that it's stated
as the "Current Version", CAs must "represent that [they] will adhere to
the latest published version." Given that, per the Bylaws, version 1.5.2
and subsequent are still Draft Guidelines, and not Final Maintenance
Guidelines, this creates a way for which CAs may reasonably be confused as
to the requirements imposed on them, and to their obligations and
expectations. Given that versions such as 1.5.2 address critical security
holes, we find it unacceptable for this situation to have gone on so long.

This is not the first time we've raised the matter either [21], and to
date, the Chair has ignored their responsibilities or performed
them improperly. While the minutes of the most recent call are not yet
available, I believe the minutes will further reflect that the Chair was
unwilling to commit to performing their duties, as required under the
Bylaws. This is deeply troubling - to the ability of the Forum to function,
certainly, but also because of the way it disadvantages other CAs,
including non-member CAs, in which it creates compliance ambiguities, and
introduces unnecessary security risks into the ecosystem. This should be a
concern to all members of the Forum, for the reasons I've highlighted.

[1] https://cabforum.org/bylaws/
[2] https://www.mail-archive.com/public@cabforum.org/msg05833.html
[3] https://cabforum.org/wp-content/uploads/CABF-IPR-Policy-v.1.2.pdf
[4] https://cabforum.org/baseline-requirements-documents/
[5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.2.pdf
[6] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3.pdf
[7] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.4.pdf
[9] https://cabforum.org/2017/09/27/ballot-214-caa-discovery-cname-errata/
[10] https://cabforum.org/2017/10/04/ballot-215-fix-ballot-190-errata/
[11] https://www.mail-archive.com/public@cabforum.org/msg05834.html
[12] https://cabforum.org/pipermail/public/2017-September/012103.html
[13] https://cabforum.org/pipermail/public/2017-September/012191.html
[14] https://cabforum.org/pipermail/public/2017-October/012253.html
[15] https://cabforum.org/pipermail/public/2017-December/012657.html
[16] https://cabforum.org/extended-validation/
[17] https://cabforum.org/wp-content/uploads/EV-V1_6_7.pdf
[19] https://cabforum.org/pipermail/public/2017-October/012411.html
[20] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.1.pdf
[21] https://cabforum.org/pipermail/public/2017-December/012578.html