Minutes for CA/Browser Forum Teleconference – January 11, 2018
Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Cecelia Kam (GlobalSign); Corey Bonnell (Trustwave),Curt Spann (Apple), Daymion Reynolds (GoDaddy), Devon O’Brien (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Fotis Loukos (SSL.com), Frank Corday (Trustwave), Gervase Markham (Mozilla), Jos Purvis (Cisco), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Michele Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Patrick Tronnier (OATI), Peter Bowen (Amazon), Peter Miscovic (Disig), Rich Smith (ComodoCA), Rick Andrews (DigiCert), Robin Alden (ComodoCA), Ryan Sleevi (Google), Shelley Brewer (DigiCert),Tim Hollebeek (DigiCert), Tim Shirley (Trustwave), Virginia Fournier (Apple), Wayne Thayer (Mozilla).
- Roll Call
- Read Antitrust Statement
- Review Agenda. Agenda was approved.
- Approval of Minutes from teleconference of Dec. 14, 2017. The Minutes with corrections of two typographical errors were approved and will be posted to the Public list. The Minutes for the Taipei Face-to-Face Minutes of Oct. 4-5, 2017 were automatically approved on Dec. 27, 2017 under Bylaw 5.1(a) and were posted to the Public list on Dec. 29, 2017.
- Governance Change Working Group. Ben stated he had sent an email the prior day with bullet points on what will be in Ballot 206, the comprehensive change to the Forum’s governance rules, and asked if there were any questions. Dimitris noted he had sent comments and edits relating to the charter for the new Web Server Working Group that still needed to be discussed. Kirk asked what the WG’s plan was for proceeding. Virginia said once the Web Server Working Group charter was completed, the whole package would be put forward as a pre-ballot for a limited period, then proceed to a seven-day discussion period and a vote after nearly a year of work.
Kirk asked if the anticipated changes to the Forum’s IPR Agreement would be included, and Virginia said yes, as well as certain changes to the Bylaws. Ryan said the Forum members would need enough time to evaluate the ballot, particularly the changes to the IPR Agreement which have to be signed by members and therefore reviewed by counsel. Virginia said the IPR Agreement changes were the same as what was distributed to the members some months ago, and Ryan said that would make it easier to review the ballot in a shorter time period.
Virginia said she didn’t think a point-by-point discussion of the summary in Ben’s email from the prior day was a good use of time, and it would be better to discuss offline or via the Public list. There were no further comments.
- Policy Review Working Group update. Ben said the WG would have a call in the next hour. Dimitris said there was no update.
- Network Security Working Group update. Tim said the WG’s most recent work focused on two areas for improvement: (a) eliminating some of the current requirements relating to passwords, and instead moving toward NIST’s recommendations on password security, and (b) adding a requirement of secure two-factor authentication. There may be one or two ballots in the near future, as these issues overlap. Ben said he had posted a red-lined version of the Network Security Requirement edits on GitHub so WG members could all contribute to the work.
- Validation Working Group update. Tim said the WG had started reviewing Ballot 218 (which was also being discussed on the Public list), and there had been good discussions. The WG is also looking at a possible new domain validation method proposed by Doug similar to Method 9, but dealing with renewal of certificates on existing websites (rather than issuance of new certificates to a site) by using existing certificates on the sites to prove domain control rather than issuing non-functioning “test” certificates that would be placed on the sites. Finally, the WG is working on updating the validation methods for IP addresses under BR 126.96.36.199 so we can eliminate the current “any other method” option.
- Status of BoltN Hosting Limited application for CABF membership as a browser. Kirk said he had been in communication with BoltN Hosting Limited, and suggested it defer its application to join the Forum as a browser until its new browser had completed product launch and could be evaluated; BoltN agreed to this approach.
- Individual Participation in the Forum as an Interested Party. Kirk noted that in response to the application of an individual to become an Interested Party, some members had raised a question about whether individuals should be able to participate as Interested Parties, or should be required to participate on behalf of their disclosed employer for IPR reasons. Kirk said the Forum had traditionally allowed Interested Parties to be individuals or organizations, and there was no reason to delay acceptance of the individual who wanted to join. He then provided an overview of the current Bylaws (which appear to allow participation as individuals) and the Forum’s Intellectual Property Rights Agreement (IPRA).
Kirk offered the opinion that the IPRA and related one-page agreement that all Members and Interested Parties had to sign were ambiguous, but appeared to be drafted with a focus on organizations joining as Members and Interested Parties. This meant that individuals joining as Interested Parties might not have the same IPR obligations as organizations, and the Forum’s objectives in its IPRA might not be fully met and Members might not be fully protected when individuals joined as Interested Parties. He asked the Members if they had any concern about that, or were satisfied and preferred to leave things as they were.
Ryan stated that he disagreed with Kirk’s overview and conclusions, and believed the IPRA worked whether an Interested Party was an individual or organization as the IPRA applies to “Participants” and both individuals and organizations who participate would be “Participants”. He said all SDOs (standards developing organizations) allow people to participate as individuals, and the Forum should not examine applications or put barriers in front of individuals who want to be Interested Parties.
Kirk said he was not sure that individuals who participate as Interested Parties have any obligation to respond to Review Notices after ballots or disclose any related intellectual property claims their companies had. Peter said that was by design, then clarified that “by design” he meant that no Participant had to disclose anything in response to a Review Notice so long as they were willing to provide a royalty free license for any undisclosed Essential Claims they had. Kirk said he wasn’t sure that individuals participating as Interested Parties would be providing royalty free licenses for intellectual property held by their employers even if they failed to respond to a Review Notice – probably not – and asked if that was a problem to the Members.
Tim said that all Interested Parties, including individuals, agree to representations and warranties under IPRA Sec. 6.4, including a representation that no contribution made by the Interested Party would subject the Members to licensing obligations inconsistent with the IPRA, so any individual who participates as an Independent Party would be under obligation to get approval from an employer before contributing any intellectual property of the employer. He suggested the Forum should add a notice or warning to that effect when individuals apply to participate as Interested Parties, and suggest they get their employers to sign the one page agreement for their own protection.
Ryan said again that there is a difference between Participants and Members, and the IPRA applies to all “Participants” which includes all Interested Parties. On the question of individuals who participate and make a contribution that is part of their employer’s intellectual property, and whether that licenses the intellectual property, every SDO has to deal with that question. He said that under our IPRA, Interested Parties can exclude contributions during the Review Notice period, not just Members.
Tim again suggested the Forum add some text to warn individuals about their obligations as Interested Parties under the IPRA. Kirk said he was not certain he agreed with all the interpretations of the IPRA that had just been discussed – he would need to re-read the documents – and so could not draft such language himself. He asked Tim if he could draft the recommended language, and Tim agreed.
- F2F meeting dates – London, June 2018. Robin noted he had posted a Doodle poll as to three possible sets of meeting dates in June, and 30 members had voted. The most favored dates were June 5-7, 2018, and so that will be the dates for our June F2F meeting. More information will be provided later.
Gerv asked Peter if Amazon had any more information (e.g., hotels, etc.) for the next F2F meeting in Herndon, VA on March 6-8, 2018. Peter said he would post information to the wiki soon.
- Ballot Status – Discussion of ballots (See Ballot Status table at end of Agenda). There was no discussion.
- F2F Meeting Schedule: Kirk reviewed the current schedule for future F2F meetings in 2018-2020. He noted that both GDCA and OATI had offered to host the October 2019 meeting, but that GDCA had been the first to offer so OATI agreed to host in June of 2020 instead. HARICA’s offer to host in June 2019 and is tentative, so if HARICA decides not to host, OATI could host instead. Mike also offered for Microsoft to host a future meeting in 2020. Here is the current schedule.
2018: March 6-8 – Herndon, VA (Amazon), June – London (Comodo), October – Shanghai (CFCA)
2019: Feb-March – Cupertino, CA (Apple), June – Greece (HARICA, tentative), October – Guangzhou (GDCA)
2020: Feb-March [Open], June – Minneapolis (OATI), October [Open]
- Any Other Business. There was no other business.
- Next call: Jan. 25, 2018 at 11:00 am Eastern Time