<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:770246525;
mso-list-type:hybrid;
mso-list-template-ids:-936886306 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:1001589271;
mso-list-type:hybrid;
mso-list-template-ids:1869410196 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt">After our Governance WG call yesterday, I had a few more ideas.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt">First, I think we heard the following comments from Andrew Whalley about Google’s past concerns (with some suggested solutions from me following in the right column). Andrew, if I misunderstood
anything I apologize.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="468" valign="top" style="width:233.75pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="margin-bottom:0in;margin-bottom:.0001pt;text-align:center;line-height:normal">
<b>Google Concerns<o:p></o:p></b></p>
</td>
<td width="468" valign="top" style="width:233.75pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="margin-bottom:0in;margin-bottom:.0001pt;text-align:center;line-height:normal">
<b>Kirk suggested solution / response<o:p></o:p></b></p>
</td>
</tr>
<tr>
<td width="468" valign="top" style="width:233.75pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:16.85pt;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The Code Signing WG went beyond the Forum’s Purpose as stated in Bylaw 1.1, which is limited to this: “Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices
<u>as a way of providing a heightened security for Internet transactions</u> and <u>
creating a more intuitive method of displaying secure sites to Internet users</u>.”<o:p></o:p></p>
</td>
<td width="468" valign="top" style="width:233.75pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
CAs have an interest in all types of certificates, not just SSL server certificates, and it is very convenient to work on these other certificate issues at Forum meetings. The Purpose can be amended to allow a broader scope for the Forum. Browsers do not
need to participate in any WG that does not interest them.<o:p></o:p></p>
</td>
</tr>
<tr>
<td width="468" valign="top" style="width:233.75pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:16.85pt;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The Code Signing WG’s product will only be used by a single application (here, Microsoft), and so does not belong as a Forum activity.<o:p></o:p></p>
</td>
<td width="468" valign="top" style="width:233.75pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
Again, CAs have an interest in all types of certificates, not just SSL server certificates, and working on broader projects in the Forum’s WGs is very convenient.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
When CAs drafted the EVGL in 2006-2008, there were NO applications committed to implementing them – they were a “spec” project by CAs seeking to improve internet security by creating new, higher standards, and after the EVGL were completed all the major browsers
signed on. <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
Likewise, to date there have been no common, minimum standards for Code Signing certs, meaning bad guys who are blocked by one CA from getting a Code Signing cert can just go to another and get a Code Signing cert. This is an attempt by CAs to raise the bar,
not an attempt to write a standard for one application (here, Microsoft). The CAs will now push other applications (e.g., Oracle, Adobe) to adopt the Code Signing requirements in the future, just as happened with the EVGL.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
CAs should be allowed to work on projects like this in the Forum. If a browser is not interested, it does not need to participate.<o:p></o:p></p>
</td>
</tr>
<tr>
<td width="468" valign="top" style="width:233.75pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:16.85pt;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Google had concerns that adoption of the Code Signing guidelines would trigger a requirement to disclose or license possible conflicting IP, which Google did not want to do.<o:p></o:p></p>
</td>
<td width="468" valign="top" style="width:233.75pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
This can be fixed by amending our IPR agreement to a “participation” RAND-Z model, so those CAs or browsers who do not participate in a project do not have to make any IP disclosure.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
There is another easier fix discussed below – simply put non-SSL cert issues in WGs only, and only require IP disclosure by members of the WG (and do not require approval by the Forum itself of any non-SSL cert requirements created by a WG).<o:p></o:p></p>
</td>
</tr>
<tr>
<td width="468" valign="top" style="width:233.75pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:16.85pt;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>[Unrelated issue] Google wants to be certain that voting on new requirements in a WG only occurs with people and organizations which have “skin in the game” – otherwise, requirements could be set by people and organizations who don’t
have to live with the results.<o:p></o:p></p>
</td>
<td width="468" valign="top" style="width:233.75pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
See solution below – allow anyone to participate in a WG if they sign the updated IPR, but only allow organizations involved in the industry to vote on adoption of new requirements.<o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt">As to <u>point 3</u> – the current disclosure requirements of our current IPR policy – this can be resolved by moving to a “participation” based RAND-Z IPR. However, we have been told this
is complicated and involves a lot of work. An easier solution would be to change our rules as follows:<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
<p class="MsoListParagraphCxSpFirst" style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Work on SSL server certificate issues will occur in appropriate WGs and also at the Forum level, and will be adopted by votes of Forum members at the Forum level and trigger our current IP disclosure requirements. There would
be no change to our current RAND-Z IPR agreement, and all members would have to make IP disclosures or licensing as in the past.<o:p></o:p></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto">
<o:p> </o:p></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>However, <u>non</u>-SSL server certificate issues would be worked on ONLY in WGs created by the Forum for that purpose, and any requirements or guidelines would be approved
<u>only</u> at the WG level. The output would <u>not</u> come to the Forum level for re-adoption.
<o:p></o:p></p>
<p class="MsoListParagraphCxSpLast" style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto">
<o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
We would slightly modify our current IPR agreement so that the disclosure/licensing requirement would apply
<u>only</u> to participants of the (non-SSL server certificate) WGs, but would not apply to any Forum members who were not members of the WG. We would also clarify that creation of a non-SSL server certificate WG at the Forum level would not itself trigger
any disclosures/licensing under our current IPR policy. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
Choosing this method would avoid the need to track “participation” on an issue or a new set of requirements – instead, we would only be required to track “membership” of non-SSL WGs – all non-SSL WG members would have to comply with the IPR disclosure requirements
upon adoption of new requirements at the WG level.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt">As to <u>point 4</u> – our current Bylaws allow anyone to participate as a Working Group Interested Party if they sign our IPR agreement (whether or not they have “skin in the game”). However,
we have not specified any voting rules for WGs – it hasn’t been important in the past, as WG proposals today are only approved at the Forum level.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt">We could solve the skin in the game problem by enacting new rules that the only WG members who can vote on adoption or approval of requirements or amendments are people representing organizations
that either <u>issue</u> the types of certificates covered by the requirements or applications that
<u>use</u> or <u>recognize</u> the certificates – other WG members can talk and suggest language in the WGs, but can’t vote on adoption. That allows full public participation at the WG level, but ensures that only parties who are issuing the certs in question
or using the certs will be voting on requirements. We would need new voting rules for WGs, such as requiring approval of 2/3 of the “industry” members of a WG for adoption of requirements, as we can’t use the current voting rules (2/3 of CAs, 51% of browsers)
at the WG level because there may not be any browsers working on some WGs.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt">Finally, we still don’t know exactly why Oracle and Adobe were unwilling to participate with the Code Signing WG – it seemed to relate to our IPR policy, but we don’t have specifics. We won’t
be able to solve this problem by moving to a “participation” based IPR policy (or “membership” based IPR policy looking at WG membership), as Oracle and Adobe clearly would be participating as members of a WG and would have to comply with whatever our IPR
policy is. If, for example, they prefer a RAND to a RAND-Z policy, we probably can’t satisfy them.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><u>Dean</u> – can you ask Oracle and Adobe for more information on their prior objections?<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt">In any event – please consider this new structure as a way to keep non-SSL certificate issues within the current Forum (albeit only at the WG level) and helping to bring in more participation
by other organizations and the public.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>