[cabf_governance] Notes from Face-to-Face Meeting, 24-May-2016

Ben Wilson ben.wilson at digicert.com
Wed Jun 8 06:36:50 MST 2016


Here are my notes from the face-to-face meeting held in Bilbao on Tues.,
24-May-2016

 

Dean - This is the second meeting of the Governance Reform Working Group.
During the previous meeting we conducted a brainstorming session.  Minutes
have been circulated from that meeting. The idea was that we would
prioritize the list we created then. However, there was also discussion on
the WG email list that we work on scope, goals, and objectives.

 

Virginia - We need to take a step back and look and see what our objectives
are before we start tearing things apart and what we want to accomplish
before creating different  IPR policies for different working groups. The
more complicated it is, the more difficult it will be for people to
understand.  

 

Dean - Goals and objectives is our first step.  (Dean then reviewed the
minutes from the previous meeting.)  To answer the first question, the
reason for forming this working group was to look at the way the Forum does
business today.  I.e., is the forum organized the way it should be
organized, are we covering the topics that we should be covering? What are
some of the reasons why we formed this working group?

 

Moudrick - take for instance, code signing.

 

Jody - there was concern with some members of the group that we were working
outside of our original charter.

 

Jos - There are two problems: (1) how is the Forum chartered and what does
the Forum cover and (2) how is the Forum governed, how are the rules made,
and what are the rules for creating and modifying standards?

 

Dean - What are the problems that we are seeing and how do we solve those
problems? To summarize, the problem is the scope, is it the proper scope,
and how does the Forum manage itself?

 

Jody - what types of problems should the Forum be focused on? And when it is
focused on a particular issue, how does it make a decision?

 

Dean - we certainly want to keep what currently is in scope, which is the
SSL piece, and I've heard people say that they want to have code signing in
scope. Other scopes mentioned included S/MIME certificates, ...

 

Moudrick - ... and there was a generic scope, everything around
certificates.

 

Jos - The first question after scope is, should you add additional scopes?
Is it the sense of the Forum that it should be larger than it is?

 

Dean - Yes

 

Jos - Or should it be limited and if people want to deal with other scopes
then they should set up another organization to do that?

 

Dean - I think if that were the case,  we wouldn't be having this working
group, at least that is what I heard on the last call.  For consensus of the
working group, is that a fair statement? It appears there is a dissenting
position by Mr. Hall.

 

Kirk - The Forum came about because the communications between CAs and
browsers, especially about program rules, left something to be desired. The
Forum created itself over a period of years to what it is today. If we want
to keep it informal and productive I don't think we can have it much bigger
than it is today. My concern is that until recently many of us thought it
was okay to do code signing work in this group, and there was some
objection, that's fine, but to the extent that you want to do something, go
off and do the same thing that the CAB Forum did. You can create your own
rules, copy the bylaws, change the voting rules, etc.

 

Dean - Gerv, did you suggest sub-forums?

 

Gerv - I didn't think that I was suggesting it, I was summarizing what the
idea was. My understanding was that the reason for dividing the CAB Forum into
sections was that people could participate in one section and not others,
and thereby take the IPR obligations of just that section. So, if the scope
of the Forum expanded, this would not have the effect of expanding the IPR
search to all members for things they didn't care to participate in.  I
thought that that was the issue causing some to have concern.   So I thought
that the idea was to split the Forum into an SSL bit, a code signing bit, an
S/MIME bit, whatever, with each to be separated from the other in an IPR
sense.

 

Dean - Let me go to Jeremy because maybe it was his idea.

 

Jeremy - That is actually what I proposed--that we separate into groups and
that the main organization be a shell,  an umbrella, and that each working
group would be responsible for its bit, as Gerv said.  Each group would be
responsible for  its own IPR, bylaws, voting rules, and even its own
membership structure. Then the main CAB Forum is just an umbrella
organization to maintain the copyright license to the documents, organizes
the meetings, and things like that.

 

Kirk - What is the advantage of this over just letting these groups form
themselves?

 

Jeremy - Trademark: they would all be able to use the CAB Forum trademark.
There has been interest from non-browser trust stores to join the group.
However, you have nearly the same people interested in these topics so you
have convenience. It would be easier to plan meetings at the main level.

 

Jody -  The CAB Forum  could also address issues that cross working groups,
like eIDAS, etc.   

 

Jos - If multiple  working groups  claim that something is within their
scope, the CAB Forum could mediate, and say "no," that it belongs with this
group or that group.

 

Jeremy - ... or create a new group, like in the eIDAS example.  You can spin
up working groups and decommission them as needed.

 

Kirk - With regard to logistics, if there were a code signing group, and
people only wanted to go to that meeting, would they want to come all the
way to Bilbao just for a two-hour meeting?

 

Jeremy - I think there are very few people who would be doing that, and we
have call-in information if they wanted to participate.

 

Jos - I can say that for Cisco we are looking at this to see whether it is
the right venue for other trust mechanisms, for IOT, etc. or do we need to
go somewhere else?

 

Kirk - Let me mention two other logistics things.  We're barely able to
manage running the CAB Forum as it is, we might have to hire staff, because
on a volunteer basis it would be too difficult to set up meeting times,
meeting rooms, and track IPR agreements. Point 2 - take code signing for
example, and the scope of the CAB Forum would increase to cover the world,
and I've heard objections from Google and Mozilla that the scope of the
Forum cannot be expanded.

 

Jeremy - They have objected to having code signing in this group, but they
haven't objected to the umbrella organization concept.

 

Gerv - No objection if it is compartmentalized. One thing the governance
working group could do is develop a draft proposal about which issues will
be handled at each level.  Another idea is that things should be shared
unless there is a reason not to. There is no need to have three copyright
policies when one will do. We should try to have as many things common as
possible for ease of administration.  In fact, administration could be
easier because three people could be responsible for each of the smaller
groups and one person responsible overall.

 

Jeremy - It would alleviate the burden on the chair because working group
chairs would be responsible for day-to-day operations.  

 

Virginia - We're definitely not in favor of splitting the CA/Browser Forum
into different subgroups with different IPR policies. It would be too
difficult to administrate and maintain.

 

Gerv - It wouldn't have to have different policies, it could just have
provincialization.  You would not have IPR obligations if you were not
involved in the group.  You would have  the same policy, but you would not
be within the scope of the policy if you were not contributing to the group.


 

Virginia - I think that would be fine.  That is how the W3C works.  If you
don't participate in a working group, you don't incur patent obligations
with respect to that group. It would have to be the same IPR policy across
the entire CAB Forum.  

 

Jeremy - I think we could come up with a way to have three different
policies across the entire Forum.  One of the problems we're running into is
that all of the  organizations that cannot accept a RAND-Z policy but  can
accept RAND can't join.  So working groups should be able to accept a RAND-Z
or a RAND policy.  

 

Ryan - From the Google perspective, we share the same concerns as Virginia.
We prefer a single IPR policy.

 

Dean - So that appears to go against breaking up into separate groups
because we thought we'd be able to have a separate IPR policy for the  code
signing group.

 

Jeremy - If you compartmentalize it, it does create shields.  People who do
not join the code signing working group would not have to do disclosures.

 

Peter - I agree with Virginia and Ryan. If there is not a single IPR policy,
then there is no good reason to have it within the CAB Forum.  I also don't
think that an unincorporated association can have trademarks. That does not
seem to be sufficient to build an umbrella organization. Members should be
able to join individual working groups and have IPR obligations at that
level.

 

Jeremy- There are three other reasons besides the IPR policy:  the synergy
among all of the certificate types, the trademark issues, and the
convenience of management. With regard to the IPR policy, you could have two
templates from which to choose. The working group could pick which one--
RAND or RAND-Z. They couldn't define their own.  That way you have
uniformity with the IPR policy.

 

Kirk- Who gets to serve on the parent board? Only CAs and browsers?  If so,
then parties that are only members of a single working group would have no
representation. And let's say that browsers at the parent level say that
they do not want a code signing working group, for whatever reason, there
could be a mismatch between the parent organization that decides the scope
of a working group or a charter in a way that makes people wanting the
subgroup unhappy.

 

Jeremy- If the members of the parent group decide not to create a working
group, then I don't think there is a problem to solve.

 

Kirk- What if 100% of the CAs vote yes and 51% of browsers vote no?

 

Jeremy- That is getting down into the minutiae.

 

Jos - If you expanded this to include multiple certificate areas, then you
would have to structure the governance of that organization much more
broadly, and I wouldn't call it the CA/Browser Forum.  It would have to be a
digital certificate standards group that covers a much larger scope and then
the governance of that group would have to be very carefully structured. I
agree that it would be problematic because those wanting the code signing
working group would ask why it can be vetoed by a group of browsers.

 

Ryan- it does come up in the W3C where a working group cannot be formed on
the basis of the objections that are raised. This will definitely have to be
addressed in the governance structure of the umbrella organization.

 

Jeremy - we would have to determine membership at the parent level and
create rules around voting.

 

Andrew - it would be good to put together a set of truly, truly baseline
requirements at the top level, part of which were technical requirements
which would allow each of the subgroups to operate technically independently
as well such that an Internet of Things, or whatever, group could come up
with their own standards. I would want assurance that anything they decide
isn't going to affect users of Google products. This would mean addressing
at the top level those things that are common across all certificate types.

 

Kirk - the CA/Browser Forum was formed because there was a common set of
requirements, browser root store requirements, and a defined group of
participants, CAs and browsers. With the Internet of things, probably lots
and lots of people will want to be involved. That may be difficult to bring
in under CAB Forum umbrella.

 

Jeremy - it depends on how you scope it. You could have trust stores and
CAs.

 

Jos  - those are issues brought up during the formation of a working group.
Your trust stores are going to change, we see that already. It depends on
how many manufacturers decide to create a device that will trust
certificates. Like I said, we are trying to find out which is the best
venue.

 

Dean- Virginia, have we answered your questions about goals and objectives?

 

Virginia - there has been a lot of discussion about it, but can we narrow it
down to some bullet points of what we are trying to accomplish?

 

Kirk - I think a few meetings ago we talked about the need to review
governance of the CAB Forum as it exists, and then came up with subgroups. I
don't think this working group was created solely on the basis of subgroups.
I thought we were going to review our bylaws to see what could be fixed or
improved.

 

Dean - I think this was created because of the code signing situation.

 

Ryan - yes. Not only code signing, but there have been several variations
proposed to  redefine the browser category of membership to expand it to
root store operators.  

 

Dean - remember the sequence of events. The code signing ballot was in
December and then we had the Scottsdale meeting in February and the
governance working group was formed in March. We held our first meeting a
few weeks ago.  Recently, Richard sent us a PowerPoint for the governance
reform working group, which you should all have. Let's take a look at what
that is.  Slide 4 notes that there are more parties interested than just CAs
and browsers. The idea put forth in Scottsdale was an umbrella organization
with subgroups.

 

Richard - working group documents would have the name of the working group.

 

Peter - back to Virginia's question, what are we trying to accomplish here?
There is one key thing: some members have an interest in raising issues
outside of SSL certificates, which creates IPR concerns among other members.
The CAB Forum currently has no way for a member to opt out. As scope
increases in an organization that has an "active" IPR policy it becomes very
challenging for those members because it is impossible to be a member of
that organization when they are not participating in all subgroups.  For
example, let's say that the code signing working group changes its scope to
include document signing. Under current policy, every organization has to
decide whether to ignore this and simply license all of its intellectual
property for whatever the working group decides to do.  

 

Jeremy - We also have the EV Code Signing Guideline, which is orphaned.
There needs to be a way for people to update that document. 

 

Dean - I want to better understand Google's and Apple's objections to
multiple IPR policies.  

 

Virginia - Different patent policies are difficult to track internally and
it becomes confusing to the people who track and to  the engineers who have
to figure out which patent policy applies.  

 

Ryan - That was the advice we got from our counsel.  It's not unprecedented.
For example, the OASIS organization's technical committees (TCs) allow
different IPR policies, but even in OASIS the TCs are limited to a set of
allowed policies.  However, in OASIS there is less likelihood of overlap
whereas with the CA/Browser Forum dealing with certificates, that is more
likely. So we would prefer a W3C model or a participation model such as the
IETF.  An OASIS model would have to justify its cost.

 

Jos - if the IPR policy were uniform, would that solve the problem of
dividing the CAB Forum into working groups?

 

Ryan - it is not an objection to dividing working groups, but a request for
a unified IPR policy in doing so.

 

Jos - could we table the IPR policy question, make division into working
groups and decide about scope first, and agree that this will be done with a
uniform IPR policy, and then come back to it at a future date?

 

Peter - Amazon is in a similar situation with Apple and Google, that is with
respect to administration.  With regard to tabling the IPR question, that
needs to be resolved first, the IPR policy would need to be separable among
working groups.

 

Virginia - generally we do not have a problem with working groups under the
CAB Forum umbrella if there is a single IPR policy, but dividing into
separate groups with separate policies is something that we cannot support.

 

Jeremy - are we fine with revising the IPR policy in connection with
governance reform if we don't move to a different policy? Do we just keep
this one?

 

Dean - I don't think it is off the table.

 

Jeremy - because one of the reasons was that we wanted to allow Adobe and
Oracle to get involved.

 

Ryan - I suspect that there is some confusion on the IPR policy, and we want
to get some feedback from Adobe and Oracle.

 

Jeremy - because they won't join with a RAND-Z

 

Dean - is that an ultimatum?

 

Jeremy - that is what they have said.

 

Ryan - the triggers for the IPR policies are different for the W3C.  When
Entrust  withdrew it was because there was a concern that there was so much
activity.  So I would like to find out whether that is the concern of Adobe
and Oracle. If the IPR policy were just scoped to the working groups they
participate in, would that change their position?

 

Dean - now W3C is RAND-Z, right?  And they participate.  So I think the
issue is scope, not RAND vs. RAND-Z.

 

Ryan - we need to get feedback from them.  If there were separable activity
scope, basically the W3C model, would that address their concerns?

 

Jos - let's assume that Adobe and Oracle refused to join for whatever
reason, would that preclude the creation of working groups?

 

Jeremy - no, but they are important constituencies.

 

Jos - the question of whether to have working groups at all is being
overshadowed by the question about what to do with the IPR policy, so I was
just trying to set those two out separately.

 

Gerv - there are basically two approaches to standardizing technology, etc.,
that lead to RAND-Z and RAND.  Changing from RAND-Z to RAND would be a
retrograde in my opinion.

 

Ben - we need to keep narrowing down on the goals and objectives and we need
to get them written down so that later on when somebody asks we can give
them an answer.

 

Dean - isn't one of the goals broader participation? For example automotive
manufacturers, payment processors, etc.?

 

Kirk - I am not opposed if you want to go in this direction, but I don't
know that people have considered that this would be a massive change.  The
CAB Forum parent organization would be limited to doing administrative tasks
with the bulk of the work being done in working groups. Would there be an
SSL certificate working group?

 

Ben/Dean - yes

 

Kirk - so everything would be pushed down to a working group, so why would
anything have to come back up to the parent organization?

 

Tim - I don't think that would have to occur, but since these are all
certificates, there would be questions such as, how do you audit conformance
to RFC 5280? It is not going to depend on your certificate type. That would
be appropriate for the parent group. Things such as the appropriate EKUs for
a particular certificate type so they do not conflict with another
certificate type, that would be another matter for the parent.

 

Kirk - who gets to decide? Would it be the working group or the parent?

 

Jeremy - it would have to be at the top level

 

Ryan - one uniformity is RFC 5280, another uniformity is scope.  The EKU
goes back to the scope question. There are short term, immediate things of
value to the people in this room: code signing, S/MIME/email, and possibly
time stamping, as the ETSI people will attest.  IOT and automotive would be
aspirational, but we want  a structure that  accommodates both.  

 

Jos - who gets to participate in the overarching board is going to be a
fundamental question.  

 

Dean - a representative from each, just like a congress.  

 

Ryan - if a root store does not get a requirement into the baseline
requirements, then it puts it in the root store requirements. It is still an
effective program requirement, it is just not in the baselines.
Specifically, with the base document it may be that a requirement is
presented to the parent group and one of the constituencies hates the idea.
The conflict resolution structure needs to allow subgroups to do what they
want. And the requirement does not make it into the common base document.
While not ideal, this approach is functionally similar to what happens with
root store programs today.

 

Kirk - I am not sure how much time people in the room and on the phone have
spent on this stuff. Why don't we give each group a packet of template
documents for bylaws etc.? Why does it have to be correlated by the CAB
Forum?

 

Jeremy - why not?  

 

Kirk - it's a massive problem.

 

Ryan - three participants have stated their preference for a uniform IPR
policy. With three separate groups, each with their own IPR policy, it would
create another logistical nightmare. Why restructure?  It creates a
framework for that participation to occur.

 

Jeremy - look at the code signing baseline requirements.  They reference the
baseline requirements throughout. With separate organizations you are going
to have no coherency.

 

Jody - you are also going to have confusion among the industry. How will
someone know who to talk to about a particular development in the industry?
With a CAB Forum umbrella organization, they could start here and then get
directed in the right way.

 

Peter - what I hear here is a discussion about the scope of the parent
organization.  I expect that the current organization would do nothing
except approve the charter of a new working group. That is the only vote
that would occur. Even if we wanted to do common requirements for RFC 5280,
that would be done in a common requirements working group. We have to keep
IPR generating activity outside of the umbrella group.

 

Gerv - The umbrella organization should also be responsible for shutting
down working groups.

 

Kirk - we should develop a list of the responsibilities that the parent
group has, what will the membership of the parent group be, filter it out.
I'm not sure you want to call it the CAB Forum.  It's probably not just CAs
and Browsers that would have the interest in all of the subjects.

 

Jeremy - I think we keep it as CAB Forum, just like what you said it is a
well-known name.

 

Dean - Alright why don't we try to move on, that was a good discussion on
the goals, objectives and problems that we have faced.

 

Kirk - Did I hear a central demand that there has to be a common IPR Policy
among all the groups?

 

Dean - We said we'd also set that aside though while we look at the details
of the working groups and how this will be structured. Microsoft, Google,
Apple, Opera, and Mozilla, too, might have representation in working groups
other than SSL. Also other players could come in like Adobe who'd be
interested in document signing and Ford, interested in IOT, and they might
be only members in one group. Groups could nominate people to be on the main
forum body, which you'd have participation from each of the groups and come
up with a formula to make it equal. How do working groups submit members to
the Forum level?

 

Jeremy - If the main group is only scheduling and the creation and
dissolution of working groups, then I don't see why we couldn't have all the
members of the working group be representatives in the main group.
Otherwise you run into duplicates.

 

Dean - all of those details have to be figured out; how many
representatives? Who are the representatives? Can they be duplicated? All
those types of issues we need to capture that. 

 

Ben- I'd like to see 1 vote per member at the upper level at the management
level where we don't do any special voting status at the CAB Forum or the
Umbrella organization, where you have no representative body, board member,
steering committee/management committee, etc.

 

Jeremy - I think you want to have a board so that the chair is alleviated of
some of the responsibilities.

 

Ben- You might want to have it that way, a board consisting of chairs of the
working groups.

 

Jos - If you just said the board would consist of the chairs of the working
groups, they would then self-select a chair.

 

Virginia - If the IT Policy is based on the W3C, we might want to look at
the process document and some other documents from the W3C. They have
already done some of this work and talk about who's on the board and where
they come from.

 

Richard - If some browser does not support code signing, then they should
not be a member of the code signing working group.

 

Robin - If you applied the same logic to CAs you might say, well if a CA
doesn't issue Code signing certificates they couldn't join our discussion
about Code signing Certificates. But they might be at the point of issuing
Code signing certificates so they might want to be involved. 

 

Ryan - if you think about the structure of the current voting membership,
we have CAs, we have browsers, and we have definitions for both. Would
working groups define their participatory models and how does that work with
the parent organization? Let's say there is a Code Signing work group, would
they have voting rules for CAs and for code signing vendors? If there was, it
would address your problem. Would a browser meet whatever definition of Code
Signing vendor, and if not are they just an interested party?

 

Jos - Would working groups have to follow the same model that already exists
for membership or could they define it individually? 

 

Ryan - exactly, and figuring out how that model will look for these
different use cases.

 

Dean - well that goes back to the W3C Process model doesn't it?

 

Ryan - This is where it's different from the W3C model. In the W3C model
every member organization has equal voting, and it's consensus, which is not
quite majority. There's this whole larger process for formal objections and
overriding objections. It's a very different model, there are parts that are
similar and parts that are different. 

 

Our position for Google is, if there is this split and SSL becomes a working
group, our goal is still to make sure participants still have skin in the
game for addressing the SSL ecosystem concerns. The current division of CAs,
Browsers, and the voting structure is one we'd like to see going forward. 

 

Dean - where would you see someone like Oracle who has a root store but
isn't really an SSL, so you see them more on code signing?

 

Jos - If you had that, Oracle would need to submit a membership application
to each of the working groups they are interested in. Each of those working
groups would have to make that decision about Oracle, but it's not mutually
exclusive. If they apply for the Code Signing working group, yes, you have
skin in the game.

 

Dean - So if you're Oracle which group would you join?

 

Jos - All of the above, why would I not join as many as are useful to me?

 

Dean - That's what I'm trying to figure out.

 

Jos - I can't speak for Cisco as a whole, but I think Cisco would be
interested in several of these.

 

Kirk - Here is a thought experiment, let's say the parent organization says
we're now going to authorize a new working group on whatever you want. Would
it be the Parent Organization that says, "we are hereby defining who has
skin in the game, these are the types of members of the working group who we
think would be permitted to join." Would that decision be made by the parent
organization, or would you say, "this hereby creates a new working group and
you guys go figure out what kinds of people or companies you'll have as
members"?

 

Moudrick - I think the first step would be to neutralize the scope. Now it's
SSL as a direct example.

 

Kirk - Let's say it's IOT, would it be the parent that would say, "these are
the 5 categories of organizations that have skin in the game and can join"?

 

Jeremy - I think it's the working group.

 

Moudrick   - I tend not to list any specific protocols 

 

Dean - you need the parent to make it broad.  With an IOT working group you
charter it, and then the working group can say, "we're going to work on
every IOT device except for cars, that's going to be separate. Cars aren't
going to be included in this group-- that needs to be in a separate working
group."

 

Ryan - It's pros and cons, right? You can imagine that an IOT work group wants
to form but they only want to deal with one specific IOT protocol. There's
10-20 protocols dealing with IOT and their scope may just be AllJoyn, which
is a protocol for IOT. The working group is then like, we accept anyone who
is developing AllJoyn applications or it might be device manufacturing is
one category and AllJoyn consumers is another category. I feel like it has
to be the work group, and so that is the question so should the parent
organization intervene? If the work group is being exclusionary?

 

Kirk - I have two related thought experiments. One is, suppose at the first
meeting 200 organizations show up and they all qualify, do we care? No.  Do
we understand that we will be creating a situation that suddenly the
informal way we've been doing things isn't going to work for a sub group?
The second thing is what you started to allude to, what if the parent
organization and some of the related sub groups see one sub group doing
really ugly stuff. Going in a really ugly direction, a small group has taken
control and starts pushing their own standard, and potentially some legal
liability out of that. The parent group should at least think about that.
Do you want to isolate yourself from the actions of sub groups or take
responsibility and intervene in some way?

 

Jos - one of the responsibilities of that parent organization is that they
vote to destroy, spin-out, or vote to lay down, or however you want to turn
it diplomatically. At that level there may be a "yeah, we think this working
group is not part of our scope anymore." For whatever reason that shell
organization says, "we're bubbling you out, get going."

 

Kirk - suppose they adopt a standard in the working group that the parent
organization, you didn't even ask our approval, we hate this so much that it
is disowned? 

 

Virginia - you have to have a specific criteria for those things like who is
going to be admitted into a working group and if the CAB Forum wants to
disown a working group they have a criteria for that. It can't be like, yeah
well today I didn't like and tomorrow I will. That's where you get into the
political situations, of those 200 people in the group you were talking
about and 10 don't meet the criteria, then that answers the question. You
also can't determine the criteria around what they really want Oracle and
Cisco to join so let's write the criteria so they did it. The criteria has
to be what's right for CAB Forum or the working group, and not, we really
want Oracle to join so let's write the criteria this way.

 

Kirk - Another thought experiment, a couple years ago we went through a
governance discussion round, we were beaten up a lot for not letting the
public or anyone who wants to participate. I don't want to revisit that, but
are we likely to hear the same arguments in this new expanded scope where
someone says, skin in the game, well what about me? I follow this closely
and I represent the public. I believe in the skin in the game, but I don't
think all should have an equal vote as Google. People have different levels
of skin in the game.

 

Virginia - There was an example of this with the W3C that was trying to
extend a charter and the EFF didn't like the technology and so they flooded
the voting to block the charter.  So having skin in the game is a good
criterion.

 

Gerv - I think transparency and participation are important concepts to
preserve.  We need to decide whether the current rules are correct or
whether we need to develop new transparency and participation rules.

 

Virginia - We need to ensure that people are invested in the working group
and that everyone understands what the criteria are for joining the working
group.

 

Dean - There is a lot of overhead we're looking at. There will be more as we
expand and grow, and so fees should not be off the table.  

 

Ryan - Maybe as a result of these thought experiments we narrow the scope to
just code signing and S/MIME and say that is all we can fit in today?

 

Gerv - On the matter of a fee, we've said that several times in the past,
and we haven't had to institute a fee yet. We should look at it when we
start having trouble hosting meetings.  

 

Kirk -  Here is another thought experiment.  Let's assume there is an IOT
working group with 200 people who all have skin in the game, and they're all
there. If you have a 12-member CAB Forum board with 1-2 representatives from
each group, and it, for good reason, rejects a request to change its scope,
it will look quite out of balance to have a group of 200 denied by a
12-member board. Maybe then they would break off on their own.

 

The group debated whether perceived efficiencies would be outweighed by
separate working group meetings.

 

Kirk - why don't we just expand the scope?  

 

Ryan - we would still have concerns about the IPR Policy and voting.

 

Kirk - what is the concern about voting?

 

Ryan - it goes back to having skin in the game, SSL standards, the
definition of the browser voting category, etc. There are lots of ways
voting on standards can fail--vote stacking, etc., and when it comes to code
signing, etc.

 

Dean - we're just trying to figure out the right framework and there are
valuable participants who we would like to get to participate.  I would like
to propose that our next two meetings be telephonic meetings, and I'd like
to have another face-to-face meeting with just the working group at a
location TBD, probably in the July-August timeframe.  We'll work those
details out during our next call.  Is there consensus that we start with
code signing and S/MIME? 

 

Kirk - What would have had to change for Google with regard to its position
on the code signing ballot?  

 

Ryan - two issues: the IPR policy and voting.

 

Kirk - So no requirements should go to the main Forum for voting because
then they would be subject to the IPR policy.  

 

Andrew - my thought experiment involves the situation where a working group
thinks that something only applies to them, but it actually has much wider
implications. Suppose the code signing group decides that it will not
require any identity validation.  

 

Dean - my hope would be that there would be certain documents that would be
uniform across the Forum.  

 

Ryan - If you want to solicit public comments, then we don't require that
they sign the IPR Agreement. To answer the question about the opportunity to
speak up when you are not in a working group, I think there are ways to
resolve it in a way that we'd be happy with. For instance, if there is any
path to receive public comment, we can probably go there. 

 

Jos - It might be delegated to a common standards working group.  You're
then bound to the IPR policy for that working group which has different
triggers.  

 

Meeting adjourned.   

 

 

 

 
