[cabfpub] [EXTERNAL] Associate Member status and meeting participation by related entities

Virginia Fournier vfournier at apple.com
Tue May 29 12:22:19 MST 2018

Hi Kirk,

It’s not a problem when the person participating is an employee or officer of the entity they represent.  For example, it’s fine for an officer or employee of WebTrust, ETSI, or ICANN to participate on the entities’ behalf.  

However, if the person participating on an entity’s behalf is not an officer or employee, then we need to take a closer look at the relationship between the representative and the entity, for the reasons stated in my prior email.  For example, we couldn’t have a representative of Orange Inc. participate on behalf of Banana Inc. (unless Orange is an “Affiliate” of Banana).  This is standard contract/agency law, and should be fairly easy to sort out.  

I agree we should find out who each Associate Member’s rep is, to make sure each AM has a proper representative (such as officer/employee).  We should be careful about allowing AMs to have “as many as they like and change as often as they like,” because we’ll need to confirm the relationship for each one.

Best regards,

Virginia Fournier
Senior Standards Counsel
 Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com <mailto:vmf at apple.com>

On May 29, 2018, at 11:35 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:

Virginia – this comes up when an officer of WebTrust (Jeff Ward, Don Sheehy) or of ETSI/ACABc (Nick Pope) participates for the Associate Member.  I think it’s sufficient if WebTrust and ETSI/ACABc have signed the IPRA.  But sometimes other auditors get involved, and we’re not sure if they are officers or representatives of the Associate Member, or not.
It’s even more uncertain with FPKI – people dial in to our calls from companies I’m not familiar with, and say they are with FPKI.  I think they are third party, private vendors who are providing services to the Federal Government in connection with the FPKI.  To my mind, if they are explicitly designated by FPKI to represent FPKI on the calls and meetings, then the IPRA signed by the FPKI/Federal Government is sufficient, but not otherwise.
ICANN has tended to be represented only by Francisco Arias, who is an employee, I think.  I don’t have experience with Tscheme on this issue.
I’d like to get clarification from each Associate Member on who their official representatives are – they can appoint as many as the like and change as often as they like, but we should have a list.
We will discuss on our Thursday call.
From: Public [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>] On Behalf Of Virginia Fournier via Public
Sent: Tuesday, May 29, 2018 10:42 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org>>
Subject: [EXTERNAL][cabfpub] Associate Member status and meeting participation by related entities
Hi Kirk,
I’ve seen this issue come up in other standards organizations.  I am not a fan of the delegation model for IP reasons, as it becomes difficult to determine who is making a contribution (the delegator or the delegatee) and therefore who has a patent obligation, who has the right to make an exclusion, etc.
If the “related entity” is also an “Affiliate” as defined in the Bylaws, then there would be no issue.

Best regards,
Virginia Fournier
Senior Standards Counsel
 Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com <mailto:vmf at apple.com>

On May 25, 2018, at 5:39 PM, public-request at cabforum.org <mailto:public-request at cabforum.org> wrote:
Send Public mailing list submissions to
            public at cabforum.org <mailto:public at cabforum.org>

To subscribe or unsubscribe via the World Wide Web, visit
            https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>
or, via email, send a message with subject or body 'help' to
            public-request at cabforum.org <mailto:public-request at cabforum.org>

You can reach the person managing the list at
            public-owner at cabforum.org <mailto:public-owner at cabforum.org>

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Public digest..."

Today's Topics:

  1. Associate Member status and meeting participation by  related
     entities (Kirk Hall)


Message: 1
Date: Sat, 26 May 2018 00:39:30 +0000
From: Kirk Hall <Kirk.Hall at entrustdatacard.com <mailto:Kirk.Hall at entrustdatacard.com>>
To: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org>>
Subject: [cabfpub] Associate Member status and meeting participation
            by        related entities
            <8e85826205ef49f08c68de0da729df97 at PMSPEX04.corporate.datacard.com <mailto:8e85826205ef49f08c68de0da729df97 at PMSPEX04.corporate.datacard.com>>
Content-Type: text/plain; charset="us-ascii"

On our May 17 teleconference, we discussed the application of TUV-Austria (an ETSI auditing firm) for Associate Membership in the Forum.  There was unanimous agreement that TUV-Austria should participate in some way, but there was not consensus on what formal status the organization should have.

The Forum's past practice on admitting individual audit firms as Associate Members in their own name or as representatives of the audit scheme they follow (e.g., ETSI / ACABc) has not been consistent.  I'd like to discuss a possible Bylaws change to clarify this on our May 31 teleconference.

1.  Current Bylaw Provisions

Here are current Bylaws provisions.

3.1         Associate Members
The Forum may enter into associate member relationships with other organizations when the CA/Browser Forum determines that maintaining such a relationship will be of benefit to the work of the Forum.  In the past, entities qualifying as Associate Members have included the AICPA/CICA WebTrust Task Force, the European Telecommunications Standards Institute, Paypal, the Internet Corporation for Assigned Names and Numbers, tScheme, the U.S. Federal PKI, and CAs applying for membership but awaiting full qualification under Section 2.1.  Participation as an Associate Member is by invitation only.  In order to become an Associate Member, an organization must sign a mutual letter of intent, understanding, or other agreement and the Forum's IPR Agreement, unless this latter requirement is waived in writing by the Forum based on overriding policies of the Associate Member's own organization IPR rules.  Associate Members may attend face-to-face meetings, communicate with Forum Members on member
 lists, and access Forum wiki content.  Associate Members are not entitled to vote except on special straw polls of the Forum (e.g. when selecting meeting dates, locations, etc.)

3.2  Interested Parties

Any person or entity that wishes to participate in the Forum as an Interested Party may do so by providing their name, affiliation (optional), and contact information, and by agreeing to the IPR Agreement attached as Exhibit A (indicating agreement by manual signing or digitally signing the agreement).

Interested Parties may participate in Forum activities in the following ways:
(a)  By becoming involved in Working Groups,
(b)  By posting to the Public Mail List, and
(c)   By participating in those portions of Forum Teleconferences and Forum Meetings to which they are invited by the Forum Chair relating to their areas of special expertise or the subject of their Working Group participation.
Interested Parties are required to comply with the provisions of the IPR Agreement and these Bylaws.  Interested Parties may lose their status as Interested Parties by vote of the Members, in the Members' sole discretion.

The biggest differences between Associate Member (AM) and Interested Party (IP) status are that AMs can participate on all Forum teleconferences, attend all meetings, and receive mailings on the Management@ list (which is generally limited to meeting logistics and review of draft Minutes).  The Chair can invite IPs to participate in specific portions of teleconferences and meetings as warranted.

2.  Associate Members and their related entities

There are three main Associate Members who often have their own members or related entities participate in teleconferences and meetings, and not always at the specific invitation of the Chair: (1) WebTrust, (2) ETSI/ACABc, and (3) Federal PKI.  Some of the related entities of these AMs have been individual audit firms for WebTrust and ETSI/ACABc, and various government agencies and outside contractors for FPKI.

Clearly the actual officers or representatives of an AM (like Jeff Ward and Don Sheehy for WebTrust, and Arno Fiedler and Nick Pope for ETSI) should be allowed to participate for those organizations without invitation by the Chair.  The situation has sometimes been less clear for FPKI, as the exact governing structure for that name appears to be a "network" and not an entity:

What is the Federal PKI?  https://fpki.idmanagement.gov/#what-is-the-federal-pki <https://fpki.idmanagement.gov/#what-is-the-federal-pki>
The Federal PKI is a network of hundreds of certification authorities (CAs) that issue:
*       PIV credentials and person identity certificates
*       PIV-Interoperable credentials and person identity certificates
*       Other person identity certificates
*       Enterprise device identity certificates
The participating Certification Authorities and the Policies, Processes, and Auditing of all the participants is referred to as the Federal Public Key Infrastructure (FPKI).
The FPKI includes US federal, State, Local, Tribal, Territorial, international governments, and commercial organizations who work together to provide services for the benefit of the federal government.

Deborah Gallagher signed our IPR Agreement in 2013 as "Chair, Federal PKI Policy Authority".

How should other audit firms like TUV-Austria or WebTrust qualified auditors who want to attend meetings or calls be classified?  Clearly they must first sign our current IPR Agreement, but do they attend as "Associate Members" under the status of their supervising organization, or do they attend only as Interested Parties who need the invitation of the Chair each time?  And how do we treat the various related entities who work on the FPKI network?

3.  Suggested Approach

The situation has not been abuses in the past, but we should create a clearer set of rules.  In my opinion, we should delegate to the existing Associate Members which related entities can participate on a regular basis, without the specific invitation of the Chair in each case.

I suggest we add a sentence to Bylaw 3.1 - Associate Members that allows Associate Members themselves to designate representatives of related entities to participate in teleconferences and attend meetings under the status of the designating Associate Member (but in their own name, not the name of the Associate Member), and only after signing the current IPR Agreement.  This would allow, for example, WebTrust to authorize participation by individual auditors who are not actual WebTrust officers, the same for ETSI/ACABc, and possibly the same for FPKI.  We would first have to determine who actually speaks for FPKI as a "network" and would have the authority to designate representatives of related entities who could participate under FPKI's Associate Member status.

To do this, we could add the following new paragraph at the end of Bylaw 3.1 - Associate Members:

Associate Members may designate representatives of their related entities (including their members or network members) to participate in Forum teleconferences and meetings on an ongoing or on a limited basis with the same rights as an Associate Member, and may remove such designations at any time.  The related entities must sign the Forum's applicable IPR Agreements and must participate in their own names and not as representatives of the Associate Members who designated them.  In the event that too many related entities are designated by an Associate Member in the Chair's opinion, the Chair may limit the number of related entities that an Associate Member may designate under this provision.

We will discuss this on our May 31 teleconference.  I welcome other ideas.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180526/c26cf304/attachment.html <http://cabforum.org/pipermail/public/attachments/20180526/c26cf304/attachment.html>>


Subject: Digest Footer

Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>


End of Public Digest, Vol 73, Issue 144

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180529/f35875fb/attachment-0001.html>

More information about the Public mailing list