<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Here are draft notes from the call July 5<sup>th</sup>. I’ll get out my notes from yesterday’s call as soon as possible.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Present: Dean, Kirk, Ben, Peter, Robin, Moudrick, Virginia and Andrew<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: Let’s start with Kirk’s suggestion where we step back a minute. Kirk sent a note last night saying we should step back and define what the problem is. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Yes. We need know what we are in order to know and achieve and what specific steps are taking us in that direction. I tried to lay out a week or so ago what I thought was the genesis of this, and I could be wrong, so I wanted to hear from other people. Didn't this just come up, in part, because of the code signing ballot and that issues affecting the code signing ballot didn't seem to be within the scope of the CAB Forum? And the realization that there may be issues that CAs care about that browsers don’t, and why did we get “no” votes from Google and Mozilla? And I don't think it was only because it was arguably outside the scope of the Forum. I definitely got the feeling that there was a problem with our IPR policy and in voting for the ballot, if it passed they would have to disclose IP and Google and Mozilla didn't want to do that so that's part of why they voted “no”? So that’s why it was suggested that we just go to a participation form of IP agreement so that people who want to stay away from the subject can just avoid the working group that is working on it. And then we can also change our rules so that working groups that don't have anything to do with SSL certificates can adopt their work at that level, and it does not have come up to the Forum level or be adopted by the Forum. So I was trying to think of what we were trying to do, and there was some talk about looking at the W3C structure and sort of copying it and opening the doors to potentially lots of very big projects, and I have a real concern that we just don't have the resources to operate the way that the W3C does. So I'm just curious to know what other people think that the goal is or the problem is that we’re trying to solve here.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: And Virginia, you had some comments around that that same area. Do you want to say something?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: I had to drop off temporarily.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Ben: Well let me chime in. Yes, I was going to say that this is the same comment as Virginia made about the W3C being too big of a model and that we don’t need a big huge infrastructure when we have a small problem. I am not an advocate of adopting something with a lot of overhead, and that's why I wouldn't want to copy the W3C policy verbatim. And Virginia has also said, why go with the W3C model because it's going to create a lot of overhead, but we don't have to have it be a lot of overhead. We can make it what we want it to be, and that's all I wanted to say.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Well, what do you think is the problem we’re trying to solve?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Ben: Well, I think it is like you said, the code signing issue came up, and that there were two issues, and I'm just reiterating what I heard at the face-to-face meeting and in other discussions. There are two issues here. Just the voting structure that is part of our membership structure. I think that’s the more difficult thing to resolve, like who gets votes when, and why, and then a related thing that some members have expressed is the other one which is the IPR policy and how you scope it to be just the working group? I think if we get the pieces of the W3C model for the working group model and use that we’ll solve the IPR issue, but the bigger hurdle in my mind is how do we decide who gets to vote. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: On the voting thing, what is the voting problem?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Ben: It’s do you have a skin in the game? Are you a real browser? Are you a real software provider? And it also is how do we limit the number of participants? I know that's the concern of a lot of people, and we don't want to all of the sudden find that hundreds of people want to get involved, and want to have a vote, and I'm not trying to be exclusionary here, I'm just trying to be pragmatic.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: To answer your question, Mozilla’s concern is around whether the right people are voting on topics--code signing, for example. Of the current entities that are members but not CAs, none of them has been interested in code signing except Microsoft. Whereas it was indicated during the code signing development process that there were at least two other entities that theoretically have an interest in code signing whose interests are not being met because they are not members. So Mozilla’s concern was fairly straightforward, do we have the right people voting here on whether or not there should be a standard? I think the other way to look at it is they are not interested in the CAB Forum scope expanding to support a single vendor's product. I think they don't want to see the Forum used to set those standards for that one supplier.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: I agree that on the one hand do we have enough people here and on the other hand but we don't want a great set of rules where we have too many people. But do we have the right people here, and we tried to get those other people in, and they didn't, as I understand, want to join the working group because they didn't want to sign the IPR policy. So it would be good to know if we could have solved that problem by having the IPR at the working group level. And I'm not clear if Google and Mozilla would've said even then we don't want it voted on at the Forum level because that's just SSL certificates and we’re not interested in the subject. I'm not sure where they came down on that if they were been satisfied with having it handled solely at the working group level and adopted there.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: No, they would not have been satisfied. Google voted against it for two reasons—one, it was is not in the scope of the Forum, and second was, I believe, that they had intellectual property around this, <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So it’s easy to expand the scope of the Forum and if they’re worried about the IP, then again, we could go back to them and ask whether they’d be satisfied if we went to a participation model?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: Andrew Whalley of Google isn’t on the phone, but certainly he has been participating and I think we heard about some of the reasons why the current model isn’t going to work for them at the face-to-face. Now, speaking of the face-to-face, you know we were talking about having our own governance face-to-face, and I can give you the results of that poll in a few minutes. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: I think the other thing that has been mentioned is that a number of CA members of the Forum have an interest in discussing other types of certificates and standards thereof and would prefer to not have to do yet another organization or forum. Obviously one of the solutions here, or one path, is that the CAB Forum exclusively does server authentication certificates and everything else is handled elsewhere. The reason we’re having this discussion is that I think that people want to do scope outside of that.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So, in the email I sent I suggested going to a participation model if that would solve the problem for a couple of the browsers. My own feeling is to keep SSL certificates at the top level and not push them down into their own group, but then change the scope so that we can have working groups work on non-SSL certificate issues and their final product is voted at the working group level, not at the Forum level, so that their work never has to come up for the browsers that don't want to participate. That would result in minimal changes that I think could accomplish this, but it wouldn't be worth going in that direction unless we found out from Google and Mozilla upfront if that's the kind of thing they’ll accept.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Well, I think if that's the consensus then I think we need to give them something in writing that asks, is this the right direction? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Would that idea appeal to you if it appealed to the browsers? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: Why would be catering to what they want?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Good point. This is the CA – Browser Forum and a bunch of CAs want to go in a direction that doesn’t involve browsers. So the question is, do we therefore push everything down into working groups leaving it unclear what the parent organization does. Or do we solve it a different way? And I guess why do we care about them? Well, we care because they blocked adoption of the code signing guideline by the Forum, and I think CAs would like to work not only on that, but maybe some other things using the convenience of tucking in more meetings around Forum meetings. So all I’m really trying to do is figure something out to let CAs do what they want to do and expand the scope of the Forum in a way that avoids the IP issues that two of the browsers were concerned about.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Virginia, I think you're the only person on the call today that is representing non-CA member of the Forum. Does your organization have any interest in a scope larger than server authentication, that is what we call TLS certificates?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: I don’t have an answer for that right now. I have a meeting to discuss it later in the week. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: OK. I think that the answer to that question from all of the current members of the browser class might be very helpful. Because I think that to Kirk's point it would be helpful to understand where the browser group wants to go and it would be very helpful to understand what options there are. The fact is that the structure is set up such that the browsers in the aggregate are equivalent to the CAs. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So Virginia, apart from your few meetings with Geoff, from what you’ve heard today, do you have an idea of what the problem is and what the solutions might be? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: I don’t think I have the big picture. I still think we’re trying to solve a problem for two companies. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: That’s not it. Here is the issue. We have code signing issues that people want to work on. We have S/MIME standards for secure email that people want to work on. The same people that are currently in the Forum are referencing the same standards that we currently use in the Forum, and instead of creating a separate group that would have to reference the standards of the Forum and then have the same people and have to come up with a whole new org structure, let's use the structure that is already in place. Let’s use the standard that we have already contributed to, and let’s come up with these other working groups and teams to work on these other problems. Then currently some of the browsers don't care about those problems, so we’re trying to figure out a way where some of the same people in this group can work on these issues without worrying about what people who don't care about these problems have to say. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So I think it's mainly the IP problem, I think it's not so much about the scope of the bylaws. I'm willing to accommodate them if it will avoid working groups getting vetoed in the future. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: We have make sure that it is in the best interests of the CAB Forum as a whole, and not just fixing the issue so that those two companies will be happy.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Ben: I agree with Dean. It's not just doing it for those two companies. It’s because we work on more or less a consensus basis, and sometimes the majority wants something, 20 of us vote for it and 2 vote against it, and we have to somehow get past that especially with the voting rights that the browsers have. They have a veto because of the limited number of browsers and in the end a browser can block any kind of proposal. All that is required to block something is a simple majority, or even if it's a stalemate or tie that blocks us from moving forward. That's become, in my mind, a problem, and if we can somehow get past that by addressing these members, which are Google and Mozilla's issues, then we can move forward, but right now, and that's not to say that Apple itself would be a problem in the future in voting against something that we want to do, so it's not just solving just two members, it's even those potential future members, and like Dean said, sometimes we want to talk about things that are of interest to everyone, but we don't want to have to go out and create another organization just to do that. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: We talked about having a face-to-face meeting and as you know we sent out a poll, and I have the results here, and right now the most “yes” votes is on Tuesday, July 19, … or August 10, …. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: There were two organization that would not participate in the code signing working group because they didn't like the IPR agreement and that was Cisco and Oracle? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Adobe I believe.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Cisco and Adobe? Adobe and Oracle?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: The two that were identified as code signing users were Adobe and Oracle.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Do we know what would make them happy? In terms of if we change our IP agreement? Did they give us any indication of what they would sign and then participate?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: They didn’t like the RAND-Z model.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: Well, somebody brought up on another call that they actually do participate in other groups with a RAND model and RAND-Z model as well, but they had said originally that they wouldn’t join groups with RAND-Z models, so maybe it’s just the scope issue, but I am not 100% sure which way, but I do think that Dean’s point still stands that there are people who do have an interest in the community, people who are looking at client certificates and code signing certificates as well as SSL certificates. Bringing all of this together is part of the objective, not necessarily just for those two companies, but we have other people that would like to discuss these things in addition to SSL certificates. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Is there anybody that we know of who insists on a RAND-Z model as opposed to a different model?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: Yes. Mozilla. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Would Mozilla go with a participation model?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I don’t know if they would push for a RAND policy.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Does the participation model end up being a RAND-Z model? People were worried that … they could say, “I have nothing to do with this working group and yet I now can be forced to disclose IP that I have or as a consequence face a RAND-Z policy, and I don’t want to do that.” <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: That’s participation. The model for participation is using the term “participation” with a capital “P”, as roughly defined by W3C, which basically means that the IPR policy only kicks in under a certain set of circumstances that is defined as participation. It still can be a RAND-Z policy, which is what Mozilla requires. Mozilla has stated they want everything under RAND-Z, and I think actually some other members may also prefer RAND-Z over the other option, which is essentially, if you don't have RAND-Z you have the problem that you can end up with standards that the only way to implement is to pay licensing fees, etc.. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So why don’t we just keep our RAND-Z policy but layer over it working groups that are not working on SSL certificates a participation threshold? And because it’s not SSL, it does not have to come back to the Forum level. So, working group on code signing, if you don't participate in it, then you never have RAND-Z apply to you and the final product is adopted in the working group, and the working group is a participation plus RAND-Z policy? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: That is more complicated, and it doesn’t really solve the problem because you still have the nonparticipation-based application of the IPR to the SSL group, and people like Adobe and Oracle don't care about SSL. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: But that would be done in working groups. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Just to clarify, there are basically two things that have been proposed. One is to push the SSL work down into a new working group and have an umbrella group called the CAB Forum. So there would be a separate code signing working group. I’ll call that Option A. Option B is similar except for the SSL working stays at the CAB Forum level. You prefer Option B, is that correct? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: That’s a part of it, and also I think the CAB Forum as it is has done some really important work and it has a name, and reputation, and so forth. The problem is the other stuff that we want to do at the working group level, and if we can just keep it quarantined at the working group level and solve the problem of Mozilla and Google where they say that it has to come to the Forum level to be approved, and we don't want that because of the RAND-Z policy, then change our rules so non-SSL stuff stays in a working group, and Mozilla and Google can avoid any RAND-Z problems if we just clarify that there is a participation model at the working group level, and if you didn't participate in a working group, you don't have to disclose anything once the working group adopts its final product. That is what I was trying to maintain.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Let’s pretend we create a group called the PKI Forum, and I know that has already been used, but that the CAB Forum becomes one group within there, and then there's a code signing forum, a client forum, etc. All that really is in play there is the name, CA Browser Forum and the value of that.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: One more thing- we as CAs and browsers would lose control because at the top level it’s not just going to be CAs and browsers, I expect. Then they could come up with a bunch of rules that apply to us at the SSL forum or modify the SSL working group, and I don't really want to lose control.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Your concern is that if there was a different umbrella group, then the SSL group might not be the controlling group, and therefore might end up subject to changes and the new parent might say, oh well no grandfathering and the new rules apply.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Yes. They could say we all decided to change the IPR policy for all working groups, here it is, take it or leave it. Or we’re going to change the voting rules for every working group. So we don't know what a new parent organization that is not just like the current one with CAs and browsers will do. I just don't see the benefit of going in that direction if we can refer to ring-fence the non-SSL stuff in working groups but keep the parent organization more or less the same. Maybe we should develop some questions for Mozilla and Google and some for Adobe and Oracle that asked, “what would you do if?” and see what their answers are. Then we’d know whether making certain changes will solve our problems or not. It would be really a waste of our time to spend months on this and then find out that some of the key players wouldn’t be satisfied.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I don't think that's true, though, because like we said, it's more than about Oracle and Adobe, it's about being able to discuss code signing and S/MIME and having that separate from the SSL discussions so that we can have all the right players.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: That would be included—we would expand the scope of the Forum, but the non-SSL work would happened through working groups. So that would definitely be part of what they would be asked, would you go along with this or would you still object?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Hello everybody sorry for joining late. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: Thanks for joining Andrew. We’re discussing something that we can use Google's input on.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Let me summarize. Before you got on the call I asked maybe we should ask some of the players who have expressed a concern in the past about how we’re structured and what we’re doing. If a set of changes would satisfy them or not because if we went through all of the changes in organization and so forth and that wasn't sufficient and that would be a waste time. So my thinking was I’d like to keep the SSL issues at the CAB Forum level and not create a new SSL working group under a governing organization at the top level that would no longer be just CAs and browsers. I want to keep that part the same. I would keep RAND-Z for SSL certificate issues. But change our bylaws so that the Forum can also work through working groups on non-SSL issues and those groups would have some form of participation barrier meaning you're not required to do any disclosure on anything, on any issue being worked on in a non-SSL working group, and the non-SSL working groups would then have a RAND-Z policy also on a participation basis for work done in a working group, and when they finished a product they can adopt it at a working group level and it does not have to come to the CAB Forum level for endorsement by ballot. So, for example, if we would have had that in place, code signing work would have been done in a code signing working group that would be application providers that use code signing and CAs that issue the certificates, and when they finished they will be subject to a RAND-Z policy based on their participation at that working group level only, and when they finished they’d adopt the code signing guideline at the working group only and would not come up to the CAB Forum level for a vote or anything and therefore would not trigger any RAND-Z disclosures by members of the CAB Forum itself who did not participate in the working group. Do you think that would satisfy Google’s concerns from what we went through recently?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Does that imply that you can be a voting member of a working group but not of the top level? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Yes. That’s the actual rule today. Non CABF members and members of working groups participate with Forum members who are on the working group though the one difference would be the voting at the working group level would be much more important because that is where final adoption of a working group product would happen if it is not related SSL certificates.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Ben: So let me pose a question? Let's say Adobe is a member of the code signing or S/MIME working group and an issue for SSL comes up at the top level. Would they have a vote on that issue? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: No. They would not be a CAB Forum member. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: Let’s say it’s not an SSL issue. Let’s say it is deciding where the next meeting is. So would Adobe not get a vote because they are not members of the main forum? Or let’s say they wanted to vote on a membership application or for the creation of a new working group to discuss document-signing certificates. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: They can offer an opinion, but no, they don’t get a vote. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: So you’re proposing a new class of member, which is a working-group-only member, because we have interested parties but working groups don't actually have formal votes today because they are done at the Forum level. You are basically proposing a second-class member, a working-groups-only member, not of the actual CAB Forum, therefore things like the IPR policy apply to them, but they also don't have a chance to vote on anything that is actually at the CAB Forum level. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So I wouldn't say this is a new class of membership. It’s a new set of voting rules for certain decisions that are pushed down to the working group level and let them be decided there. We would have to decide if it is a majority vote, is it two-thirds of all the working group members, that is one of the issues. Actually, we’d be empowering them because if they are interested parties today they don't really get to vote and now they’d get to vote on things that are in the areas of interest where they signed up to participate.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: The most important thing is that they are not CAB Forum members. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I don’t think this is any easier to set up than creating the umbrella organization so I would think that is an alternative proposal to where there's the umbrella organization that gets to decide these things with separate working groups under it where what we decide what the membership of the organization is.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: To paraphrase Kirk, he said, I don't want the current SSL stuff being pushed down because we don't want some other group putting rules on how we do it. I would expect that any other working group is going to have that exact same feeling. Put another way, why is SSL a first class citizen and every other working group has to be second class? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: But don't forget we’re only doing any of this because of CAs. This is basically a CA issue. If Adobe and Oracle get an equal vote on a working group for code signing or anything do you think they care about the issues that are going on at the CAB Forum level? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: I don't think this is only about Adobe and Oracle. If you look at Adobe it operates a trust list that is used today for document signing. I think you'll find that there's a large number of entities that issue certificates that are not eligible to be Forum members today, so the definition of CA is going to have to change because there are audit schemes that apply to CAs that do not issue SSL certificates that do issue some other types of certificates that may be in these new working groups. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Moudrick: I agree with Peter and just want to add something more. Today in our bylaws we have three membership groups which are issuing CAs, root CAs and browsers. What if we add a fourth membership group which would be the signer group, or whatever we want to call it, organizations that produce a different kind of software? In that case we will have more generic issuing or root CA group not just bound to SSL alone and also have those who are interested in using these certificates. Of course, it will be a separate problem how we organize the voting because of the different interests of the SSL and non-SSL group. But I think we will have the existing structure and just add that one more group, then focus on the voting thing. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: This makes me wonder why are we trying to keep these other groups in the Forum? Let’s just give them a copy of our bylaws and our IPR and tell them to go form yourself. It really can be hard to keep all these disparate groups with different interests all in a single organization. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: That’s my concern as well. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I think it’s not because although there are other members, it’s primarily the same players over and over again. If you look at the trust list for Adobe there are a couple of new ones or a few additional members that we would add, but for the most part the people discussing it are all the same set of CAs. So from an organization standpoint and administrative standpoint it’s just easier to have these be the same group, and I think that most members are probably interested in having these discussions and being part of these discussions and having them here rather than in a different group. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: It’s not just the Adobe trust list, there's also groups working on the EU trust list, since we’re past July 1<sup>st</sup>, eIDAS, and in that manner maybe Kirk is right. The other option is to do this in reverse-- yet another group gets created and if later it turns out there is synergy we can merge them. There's nothing to say that the meetings can't be held/set with CAB Forum meetings. There is nothing to say that the CAB Forum can't choose a meeting location, and in many cases have a different group find space in the same general geographic vicinity on an adjacent day. I don't think that's a huge challenge in most cases.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Look at our schedule today. We have a few days of already jam-packed meetings. And if there is a whole bunch of the people in code signing, they are not going to want to come to one of our meetings for a two-hour segment on code signing. So I'm not convinced that these multiple groups as a logistical matter can meet in the same time same place, but that remains to be seen. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: It happens with IETF though. You have people coming out for a few meetings where they have an interest, and I think there's a precedent there that that's exactly what people want to do. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: And there is a precedent in our guest speakers who do exactly that. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: I’m just saying that if any of these new groups that are non-SSL really take off and have a lot of stuff they want to work on, it will affect the logistics of hotel rooms, it will affect the logistics of meeting times and places, and I don't know about you, but I don't want to spend five days away on back-to-back meetings. I might prefer that code signing meetings occur at a different time and place than SSL meetings. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I still think that most members will be the same. I think you will add a couple but I don't think it is going to change. There is no evidence of that.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: So, what is the path forward? I’ve heard a couple of options. 1- do nothing, we don't change anything, the CAB Forum stay as is and essentially stays as an SSL-only group.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: And what goes along with that is we jettison the code-signing-specific parts of the documents we already have.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Yes, we would also want to jettison the EV Code Signing document. So I think that is option one. Then the other option is to allow the CAB Forum to expand in scope. Is there enough support for option two? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: We could do a poll. The only way you’ll find out the feelings of the entire CAB Forum is with a poll to decide which way you want to go. I think the way forward is going to be similar to how we did the governance reform before where you can have a group of proposals that get whittled down. The first step in the poll is to see if there's interest in doing this. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Well, wasn’t that the creation of this working group?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I think what we do is a poll of the different options. One choice is do nothing and do just a reform of the SSL group with working groups. The other is to form an umbrella organization and find out roughly which way the Forum wants to go, and then proceed with that. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: And then I would actually pose a third which is not quite status quo, but jettison the EV CS. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I would like to keep it to two options.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: I would propose three options. Is there anybody that sees the status quo of code signing not being in the CAB Forum but the EV CS being in? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: Well, I don’t think that all of us agree that code signing is not in the scope of the CAB Forum. I think that the fact that we worked on the EV CS guidelines in the CAB Forum shows that code signing is in the scope of the CAB Forum despite what other people feel. There hasn’t been a ballot to exclude it.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: It is, but we might want to change it. The other thing about the proposal to not push down SSL to working group might be an interesting half-way house, or at least a first step. If we create a mechanism whereby people could join a code signing working group, who are not members of the top-level forum, it would provide a mechanism for those people to join, see if anybody does. It wouldn't destroy the SSL top level. We wouldn’t be doing huge amounts of bylaw changes that affect our current work. And it wouldn't preclude shaking out how that would work in the future. I don’t think the two options are mutually exclusive. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>