<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Here are draft notes of our call last Tuesday.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Present: Dean, Rich, Peter, Kirk, Rich, Jeremy, Patrick, Virginia, Robin, Mike, Moudrick, Jos, Ben <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: I think on the last call we talked about, and I tried to capture what I thought were the three main alternatives and the pros and cons of each. I invited people to modify and correct. My recommendation is that we first try to either work with that document or some other documents and lay out the basic choices and directions. Perhaps this group will reach consensus on which way to go. I think it would be wise to take it back for a quick trip to the CAB Forum to say, “this is what we're thinking of” to get input from a larger group so we don't end up drafting something that then fails after a lot of work on our part. And related to that is I think we have to keep our laser focus on what problems we encountered in the past, and my analysis was twofold. One is the code signing working group had its product fail because of Mozilla and Google voted “no”. Then second, is that some people like Oracle and Adobe chose not to participate as interested parties in the code signing working group apparently because they didn't like the IPR agreement. So in my mind those two things are kind of the first things for us to diagnose. What would work to make it better? And then once we’ve got that figured out and some assurance that any of these changes will actually be approved by these people or will change how they view this in the future, once we know that, then we can draft stuff. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>I came up with three options. These could be tweaked, and they're not the only options, but one is basically do nothing—keep the CAB Forum only for SSL certificates. Other projects have to go somewhere else and maybe form their own groups, and I think if we did that we wouldn't necessarily change the IPR policy. The second option is to change the IPR policy. It would stay as RAND-Z, but we would put in a participation element. So it's not triggered for a company, a member, or an interested party or member unless they actually participate in a project. If they are careful and choose not to participate either at the working group level or at the Forum level then they never have to disclose anything, or license or share anything. And the third option is we follow the W3C model where the Forum itself at the top group is nothing but a coordinating committee and doesn’t work on any substantive issues. All work occurs at working group levels, and we push them to a new working group. I think there's been an expression that there ought to be uniformity. At one time people were saying that we would allow different working groups to have different IPR agreements. I have heard some resistance – that it's too complicated for companies to track and stay on top of, so I think that probably we would try to find a uniform IPR agreement that would cover all those groups. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>The open questions are: if we did any of those things would that satisfy Google and Mozilla? But if we did option two – the participation thing where they could stay out of something if they didn't want to be involved would that satisfy them? Would option three satisfy them? The separate question is with any of the options 1, 2, or 3, would they bring in people like Oracle and Adobe. Dean, I think you’re the only one who had direct contact with Oracle and Adobe. They didn't like our IPR agreement, and one important thing, a threshold question, is would they feel more like participating if we had a participation with RAND-Z, or do you want to go to RAND?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I don’t think it is a relevant question because I think that the governance reform needs to happen regardless of whether it brings in new membership. I think there's a lot of topics that we prefer to discuss that don't require the involvement of those two. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Well one of the problems that we have discussed is that we can’t get these guys to participate, so we have treated it as a relevant problem. At least we’d like to know the answer. Do we know if there is anything we could do that would cause them to participate? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: I don’t think you’re going to get a concrete answer to that. All you can do is remove obstacles that have come up in the past, and whether we remove those obstacles and they still say, “you know, we’re really not interested this time,” you can help that by removing those obstacles so that they don't say, “no, I can't join because of that.” <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: I would like to understand what they think are obstacles and why is it important for the CAB Forum that they join. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: Well, I don't think that it is important for them to join. I think that's exactly what I'm saying. I don't see their participation as the important factor in this whole reformation process. It seems to be more of a red herring as far as reorganization goes. The point is to expand the scope so that we can actually discuss relevant issues such as code signing without objection.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Rich: I just wanted really quick to say we respectfully disagree with that position. I don't think it is wise to expand our scope unless we are looking to bring in members who have a vested interest in the scope we’re moving into. I think that was a big part of Google’s and Mozilla's objections to code signing. It was that other than CAs there was nobody with skin in the game except for Microsoft on the user side of things to participate and craft the specifications. So without that I really don't see that there is anything to do. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: That wasn’t the reason they cited for voting “no.” They said it was out of scope. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: There were three things between the two of them. I think Opera voted against it as well. I think there were between the three they indicated a mixture of things. There were potentially IP issues, definition scope of the Forum (but I think that itself is not an issue—I think that's related to IP and other things), and I think there's also added that it’s not the objective of the CAB Forum to be the policy review board for Microsoft. The point of the Forum is to help align or come to agreement with multiple vendors. The code signing guidelines are only adopted by Microsoft, so that I think is definitely relevant. Does the CAB Forum just want to be the Microsoft policy advisory board?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: That’s why we wanted to bring in Oracle and Adobe. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jos: I think it is important to remember that scope for this is larger than just code signing. Let's pause for a moment to think about S/MIME and let's think about IOT. There's plenty more out there besides code signing, but obviously code signing is an important part of this discussion because it has come up in the past. There are plenty of other beyond-the-current-scope agenda items that need addressing that also have to do with certificate management and would bring in other participants. I’d be surprised if Apple and Mozilla for example didn’t have at least some interest in email signing since they do it, and I think that there were a couple of others that came up during previous meetings, so I think we would have other users that are interested in. So I think it is important not to put blinders and not rat-hole entirely on code signing.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: I think that’s a fair point. Code signing is what led to us looking at governance again, but you’re right, it is a bigger issue. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Communication with Adobe and Oracle to find out details of the objections of how we could change to accommodate them might be a model for others. I'm not sure we would want to just accept any changes that they would like, but it is no difference to us. Hearing from their lawyers I think will be interesting. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Rich: That was my point as well. It wasn't specific to code signing, or Oracle and Adobe specifically, it is important go through this whole exercise and completely rework our forum. We need to get some outside input on parties that may be interested in joining other than Oracle and Adobe. Let's approach some of the groups that deal with S/MIME as well see so we’re not just spinning our wheels and we end up going through this for months, develop a new policy, split the Forum up, and we still have something that nobody wants to deal with, and we’re right back here at square one. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: We’d at least have the scope extended to discuss client certificates and code signing certificates. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Rich: If the goal is to bring out other members in the discussion, I see no point in completely revamping the Forum. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I don’t think you can do it that way. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: I think that this also goes into what we output. When we look at option three, especially the discussion on how we create working groups, and option 2, it sounds like one of the things that needs to be in the bylaws or is functionally going to be a requirement is multiple non-CA members. In other words, whenever a working group is proposed there would have to be at least two non-CA members proposing to join that working group-- if the objective here is to not have the Forum simply be a customer advisory board for various organizations.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: But it really is a customer advisory board for various organizations. We work on stuff for Mozilla, we work on stuff for Microsoft, stuff for Google and Apple.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: There are certain organizations, for example US federal PKI, have their own policy working groups that define what their policy is. They are adopting the CAB Forum shared certificate policy. The question is whether the CAB Forum is ever an appropriate venue to do a certificate policy for a single PKI? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: The main reason we do this is that all of the CAs come together and meet up in the CAB Forum. It was for our convenience, and it was great that we had one company that was interested. I don’t buy off on the idea that to have a working group on a subject we have to have another party there if it's useful to CAs by themselves and does no harm at all to the browsers who are not interested, then why shouldnt we be able to meet and do it? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I agree.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Now one possibility I think I may have written for option two is the non-SSL certificate issues that are resolved as the product out of a working group cannot come back the CAB Forum itself for approval. That way, if browsers aren’t interested in it, they don't even have to vote on it at the Forum level. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: So back to what are we trying to solve. It sounds like there is not a desire to solve the advisory board objection, but that we want to provide a vendor-neutral venue for discussion of shared standards or common issuance practices or something like that for CAS. With all deference to our colleagues the browsers what I'm hearing is the statement that the CAs want to create a shared policy that could be adopted by browsers but they also want the ability to create products that are outbound, e.g. certificates that represent car serial numbers or something like that.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Yes. One of the points that people made about code signing was there is no standard. So a bad guy could get rejected at a CA with more rigorous standards and look for another CA with easier standards, so that was one of the things we were trying to accomplish here.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Right, but code signing has a shared relying party, maybe not relying party, but code signing falls within some sort of PKI, right? Adobe, or I guess Adobe doesn't really choose, but Microsoft, for example, when they're choosing who to include as trusted issuers. There could be situations where CAs just decide that they want to offer some product in what browsers might consider to be a private shared PKI, but you'll have a common policy root set up where it says, if you want to trust that kind of certificate, here is this common policy. That sounds like it could be in scope. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Well, the guidelines don't apply to browsers either. The browsers are only participating to provide their input because they do rely on SSL server certificates and display them and so forth, but they don’t follow those guidelines. We found a new thing that was useful for CAs and probably the public that happened to chain to trusted roots, although they don’t have to, and the browsers that don't rely on code signing certificates said we don’t want to participate in this, but otherwise I think it was a pretty good project for the Forum to be working on, and the fact that one browser said we do rely on this, I don't think that should have poisoned the output and caused other browsers to say, well, we’re going to veto it because we don’t rely on it. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: I think the perception is that it was one browser, but actually it is many CAs that are working on this. So saying that only one member is interested is incorrect because the CAs were interested not just one browser.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Doing generally useful things because they are useful butts up against the scope of the Forum. With the code signing working group we don’t take issue with that. It’s that we need to find more of a way that that sort of work would fit inside a wider scope. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: It was clear that the people that voted against it thought that that the work product was fine, they just thought that the venue was the wrong place.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Andrew, seeing as you also represent a vote against it, if the bylaws changed to expand the scope, does that resolve your issue?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: That would remove one of the blockers. The other two are whether you have skin in the game and the IPR issues. It all goes together. What I was really getting at is just because something is useful for some people doesn’t mean that the Forum is currently constituted to address it. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: By skin in the game, you're referencing a non-CA / relying party representative involved?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Yes. The example is usually a software vendor that does not issue SSL certificates. You can imagine a CA that only issues code signing certificates and not SSL certificates voting on something that didn’t affect them at all. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So skin in the game is a concern that too many people who don't have skin in the game might participate as opposed to too few people who ought to be there? When you say skin in the game you're afraid that some people might get involved who don't actually have a stake in the outcome and shouldn’t vote, is that right?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Correct. There’s also the question about would it be the correct thing to have only one software vendor in a working group? I’ll have to think about that. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So we developed the EV guidelines before any browser committed to doing anything about it, so I strongly think that if CAs want to create a new product and they go out and proselytize for applications not just browser applications to recognize, then I think we should be allowed to do that. We can easily change the scope broaden it. So I am curious, was the IP issue on voting on this at the Forum level would then trigger a mandatory disclosure requirement by everyone and that was something Google didn't want to do on the code signing issue, is that a fair statement?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: I believe it was, but unfortunately I was not involved at the time. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: If we had a participation model so Google could say, we’ll just not to participate, would that solve the issue?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: I think so.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: This was before your time as well, but when we had the last governance reform meetings back 3 to 4 years ago Paypal with Google's backing actually was advocating to have everyone, any interested party, become a voting member of the Forum and that approach was rejected, so this seems like a change of direction from what it was a few years ago. Am I right?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: Not all CAs rejected it, but Google was one of the primary parties looking for general public involvement and widespread membership. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: I just want to change tack and see what people’s opinion was on option two as a steppingstone for option three. Would we want to consider a short-term, medium-term, long-term objective? I could see option two occurring and not precluding a future option three. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Would you be saying that we’re committed one day to move to three, or that we just keep the door open to moving to three?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Just to keep the door open. My thinking is that under the cons of section 3 there is the concern that after 11 successful years of doing this model we through everything up in the air and what comes down isn’t as efficient and we want to get the kinks worked out. Taking code signing or S/MIME or something that is not a working group and setting it up in the model of option two would allow the procedures to settle in, to figure out what it means to administer a participation-only working group and not interrupt the day-to-day working of the top level of the Forum and then it would provide an opportunity for everybody to look at what it is like having run the model for a year or so with changes before we moved to option 3 for the entirety of the organization. It’s just a thought that wouldn’t inextricably commit us to option 3. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: It makes sense. If we don't get any extra participation by making these changes to the IPR agreement there is a question in my mind about whether option three is worth trying. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: I think we’re supporting three as well because trying to sort out the IPR situation in option two seems very challenging. Option three appears to have a clean IPR solution, whereas two is much less clear. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: Wouldn’t it be the same IPR policy under two and three? Participation with RAND-Z? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: But participation becomes weird when you have an administrative group that includes the SSL group with the code signing and client groups under it. So that's also one of the reasons we do like option three better because it opens the door to additional participation that doesn't necessarily have to happen right at the reformation stage. It permits people to come and join in working groups to be created as new problems arise instead of having to have this strange side situation where the SSL certificate community controls all of the other communities that are using PKI. We already know that the client certificate community is probably bigger than the SSL community yet it would be the small portion controlling the big portion. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: That is why we want option 1. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: Because most of the players are the same--it's just that the interests are different. For example, most of the European CAs primarily issue client certificates instead of SSL certificates, so they are here at Forum meetings and are interested in the SSL portion. If 99% of the players are the same, let’s just revise it and make sure that they can participate in the things they really want to.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: With option 1, the other organization could schedule its meetings back-to-back with the Forum. You still get that efficiency of being in the same place. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jeremy: You find that a lot of the synergy that that happens between us naturally as we are just talking. When we are talking about digital certificates there's a lot of things that go on and as we already see with trying to define what an SSL certificate is. There's a lot of interplay between the various types and so it would be nice to have a forum that can address those synergies and those interoperability issues. That is why we support option three over the other two. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: The other thing I said in email is I would strongly encourage that regardless of if we go with option three, which we support, but also even if the decision is for option two, I think the word “participate” is far too confusing for people. It essentially turns into a legally defined term. It’s far too easy to assign a different definition to “participate” in the meaning like the dictionary definition rather than that, we need to make sure to substitute in the specific definition that is intended. For example, I think there's confusion about what happens if you stay silent on calls or don't think because you are not participating, and I think with what comes with the IPR agreement it is important to understand that. With the W3C agreement and many other standards groups, even if you fail to do any action, you are participating. So I think that we need to because the buses it appears I would strongly encourage that that term gets changed simply so that it is not unclear to people and that you are still subject to the agreement even simply by joining. In other words, you don't join any calls and you don't do anything, but you are still subject to the agreement.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: So I know we need if we go to a participation model, we clearly are in favor of having the agreement be very clear, and on that I think Virginia knows a lot about that as do other people, so I think that it almost goes without saying that, yes, if we go to the participation model we will have to be very clear what that means, and I thought we would follow a model set by somebody else. So I'm concerned about resources. We don't favor model three, but if it gets adopted, do you think we can do it with the existing resources and no budget and no staff? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: I do. To me model three, other than a minor procedural change, doesn't appear to be any different than what we currently do from a staffing-requirements perspective. It has a major legal potential difference that isn't going to involve staffing. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: And explain the benefits again of pushing SSL down into its own working group and maybe explain who would be in the parent group making the coordinating decisions.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: So I think in our view the only thing that the parent group does outside of the kind of actions that we've already mentioned kind of happen on the management list. The doodle poll, where do we want to meet, what dates, and stuff like that. The parent group, I believe, would only approve creation of a new working group and presumably they may determine that a working group needs to cease. I think those would be the only two actions that would come into play. They would specifically never approve any technical standard, that would be explicitly excluded. So the difference between number one and number three is almost administrative. All three working groups would have the same IPR policy and it is a working-group-membership-based IPR policy, which is what the W3C calls “participation.” And the biggest advantage versus number one is the fact that you are only joining once. There's one signing of the IPR policy and administratively, everybody who joins the Forum … it might even be that the voting action, kind of what Google had apparently mentioned prior to my participation … there might even be no such thing as an interested party. It is purely members, and each working group would have voting members under it, but possibly it could be that everyone who signed the IPR policy is a voting member at that top level. Again because the only two things that I think would ever come into play are the creation and dissolution of working groups.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Jos: I would put forward that actually depending on how you structured it, modifications to the IPR policy itself might fall under that group, but again that’s probably not a huge overhead if we don’t change it that much.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Right. IPR policy and bylaw changes would be the other two things that would be there at that level.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Something to keep in mind is potential technical de-confliction between working groups’ products. So, imagine we had a payments terminal working group who said it was absolutely in our best interests to carry on with SHA1. And everyone said, yes, but what you’re just proposing allows a payment terminal certificate to be pivoted into any other kind of certificate at all. That would be problematic. One could imagine bylaws saying that any technical standards created by a working group must be technically distinct using whatever constraint mechanism. That might be something else that the top level would consider to make sure that working group products remain independent. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: That could be within the scope, but I am very hesitant to have anything technical though at that top level. I could see that there could be a working group that defines … because part of it is that you're assuming that they’re shared roots in that case. So when you day you could turn X into Y, that assumes that the issuer is trusted for both, and I think that it is not necessary to de-conflict everything simply because PKI is not a global system. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Indeed. It’s mostly getting ahead of the situation where something goes wrong and puts web browser users at risk. The CA could say, “but we’re following the exact letter of this other working group’s requirements.” And yes, using separate roots would be a fine way of technically constraining them.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: I see where you're going with that, but I think part of the answer is that today if you want to place a root there are numerous independent trust stores who each have their own rules, and many of them have their own contract, and if a CA wants to include a root in multiple trust stores they have to de-conflict those policies or find how they can build their own policy that complies with all of them. I think that if two working groups build policies then it's really up to the people implementing them as policies to have to de-conflict them. I think it's entirely possible--undesirable but possible--that two Frum working groups create two standards that cannot technically be issued under the same CA. I can imagine standard one that says “all certificate signed must use elliptic curves and compressed points, etc.: and number two says, “all certificates under the standard must use RSA.” There would be no way to issue under the same CA. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: It’s more realizing than if you have a system where software vendors are all trusting simply based on, “is this root included? Yes/No.” Then you have the possibility for cross-contamination but between certificate types. It may be that every working group’s product needs to have a section which explains why or how its certificates can be distinguished by relying parties. But we see all sorts of things like OCSP responding signatures being able to be turned into CA certificates, and those sorts of things.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Back to the original question—we have Kirk’s email on the three methods. Where do we want to take this?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: A couple things we want to do since we have the face-to-face coming up in August. One of the things that we want to do is create an agenda that uses the input from what we've been discussing. We need to craft an agenda that can be productive for the day and with desired outcomes for the day. We want to use it to address everyone’s concerns here. We want to look at everyone’s proposals. Virginia what is open that we haven’t addressed?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: I still don’t understand why we are considering making a change. It seems we asking what do Google, Mozilla, Adobe, and Oracle want, but I don't understand what their issues are and why it would be important for them to be members, and why we need to make a change? I think those issues need to be addressed and we need to have a convincing reason why we need to choose an option to change before we pick one of the options. It seems to be a foregone conclusion to some that we need to make a change and that we need to pick one of these options, but I’m still at square one trying to figure out why we are considering a change at this point.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: Okay, so let’s get back to that right away now because it is important to discuss. So, I think the reasons we’re looking at making a change are: one, getting more participation, getting the right participation in the areas of focus that we want to be looking at, for example, at present, code signing, S/MIME, document signing, IOT devices, etc. So increased participation and the right participation is one of the areas, and when we say participation, we can have participation today, right? We have interested parties and associate members. Those people can’t vote, therefore it was argued the last time we had these meetings, was that these people would be reluctant to participate if they didn’t have a voice or vote in this. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: Do we know who we want to participate and why they aren’t participating? I don’t think it works to guess, “well, they’re probably not participating because we don’t have this.” On these calls I've heard some kinds of vague reasons, like, “oh, I talked to them and that won’t work,” but I haven't heard any specific reasons. Like, what does Oracle not like? What does Adobe not like?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: So, for example, in code signing, there are only a few application software suppliers in the ecosystem for code signing. You’ve got Microsoft, Oracle, Adobe, and a few others. There is not that many that rely on code signing certificates. So, when we were doing the code signing baseline requirements we canvassed those application software suppliers to ask them to participate and join and to get feedback because we want this document to be applicable to more than just Microsoft. And the feedback we got, specifically from Oracle who owns Java, is that they could not participate under the current IPR rules. That was feedback number one. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: But do we know what specifically about the IPR rules would keep them from participating. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: I wish Jeremy was in line them with the details, but Ben, do you recall if it had to do with the RAND versus RAND Z?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Ben: Well, I think Virginia does have some valid points and that we would need to probably go back and get some specific feedback from them. And I think on previous calls we said, “well, yeah, let's go back and get some,” but we just have gotten around to doing that. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: So I think that is critical to have prior to the face-to-face because we need to react to specific feedback instead of just saying, we think that it is this or that, and then we’re adjusting something that may or may not be correct.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: That's fine. I think that we can get data. We have records that we can go back and find. So, the second reason that participation was lacking in the past, and this is the evidence that we had from PayPal who at the time was participating, was that interested parties weren't really interested in doing all this work and participating, attending calls, and everything when they had no vote in the issue. So the lack of a vote was another issue for not participating.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: So, if they want to vote, why didn’t they become members? <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: Because the way the Forum was structured, they were not a CA or a browser and therefore they could not become a member, and that is the way it works today. If you’re not a CA or a browser, you can’t vote.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Just one more thing about the question whether we wanted to make any change. I would say that option one would include jettisoning the EV code signing requirements and really just draw a very clear line around the Forum scope of being TLS only, and that leaves the EV code signing guidelines open to being adopted by another organization. So that was one reason why I think we need to choose one of the options to clarify the scope and handle the code signing.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: It’s all outlined in your memo, right?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Andrew: Yes. We do have a few more spots if you want to use the chair’s prerogative to invite anybody else. … <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: As Andrew said, the EV guidelines. Getting a home for the EV guidelines is another reason because right now they're out of scope of the current Forum and it's a Forum document. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: People can participate that are interested parties at the working group level under option two, if we make final decision on the standard, leave it at, for non-SSL issues, leave it at the working group level, then they can vote and they’re just as important as everybody else. So, we can solve that one without going all the way to option three.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: I'm still back where Virginia is, and just trying to answer some basic questions. She asked, why are we making this change and what are the issues. And so I've laid out a few things here. Is there more that we need to lay out there?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Regardless of getting more participation, there is a desire of CAs to be able to do things outside of the scope of SSL certificates, and I believe that there is value in doing it within the same organization and under the same IPR agreement for some CAs and for other organizations as well, but I think that if it is a separate organization, even with a duplicated IPR agreement (that simply searches and replaces the term “CAB Forum” with “Code Signing Forum” or something), that is more work for some organizations. So how do we expand the scope within the organization has value to some members today. Conversely, some of our browser members have indicated that they don't want organizations if they don’t have appropriate skin in the game. They don't feel that they should be voting on it because they don't have skin in the game. So I think that that is the number one driver of this. If we happen to be able to get additional members representing skin in the game for other things, great, but I think we heard solidly today that there are a number of members who see it valuable to just have a CA industry consortium or a venue for CAs to develop new products that they would each sell independently, but that meet a common need.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: It is rare for CAs to work on products that don't work with other things. So for CAs to get together and work on something without the other party that is affected by whatever CAs do wouldn’t be productive.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: Well, that was the argument that that was what EV certificates were. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: All I said was that if you build it they will come. Sometimes CAs have an idea and better to proceed and develop the standards and then try to sell it to the people you think will buy it. So I think Peter and I are in agreement on that.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Dean: Okay, I’m going to outline this stuff because we keep rehashing some of this over and over again. I want to outline this on paper and address the issues from the beginning and then we have to get to the next phase which is, OK, here are the options which Kirk has nicely outlined for us, and there might be some hybrid approaches, there might be some modifications that we want to do, and then get to something that we can discuss at the face-to-face. At the end of the face-to-face we should be able to say, “okay this is the option we think it's going to work the best given all these issues, all of these inputs that we’re getting, here is the option that works the best that we can recommend. We don’t have to come to a final conclusion that day, but at least we should be able to put a stick in the ground and say this the one we think is the best one at this point. <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Kirk: The reason we’re rehashing some of these things is that some people have made up their minds that it's only for that, and other people are saying, “are you sure?” So I'm not sure I agree that it has been useless rehashing.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Virginia: Dean, if we could include the specific feedback we’ve received from Microsoft, Oracle, Adobe, Google, and Mozilla, somewhere I think it would be very helpful. Not just that they don't like it, but what their specific feedback was so that we can take that into consideration as well.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:black'>Peter: And we’d love to get any feedback that your organization would like to provide, good or bad, as well. For example, things you do or don't want to see, I think we will welcome that feedback as well.<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>