CA/Browser Forum

Ballot 206 – Amendment to IPR Policy & Bylaws re Working Group Formation

Results on Ballot 206 – Amendment to IPR Policy & Bylaws re Working Group Formation

The voting period for Ballot 206 has ended and the ballot has passed. Here are the results.

Voting by CAs – 16 votes total, including abstentions

  • 16 Yes votes: Amazon, Buypass, CFCA, Chunghwa Telecom, Cisco, DigiCert, Disig, Entrust Datacard, GDCA, GlobalSign, HARICA, Kamu Sertifikasyon Merkezi, SHECA, SSL.com, SSC, TurkTrust

  • 0 No votes:

  • 0 Abstain:

100% of voting CAs voted in favor

Voting by browsers – 5 votes total, including abstentions

  • 5 Yes votes: Apple, Comodo Security Solutions, Google, Microsoft, Mozilla

  • 0 No votes:

  • 0 Abstain:

100% of voting browsers voted in favor

Quorum requirements

Currently active members: 20

Quorum: 11

Votes cast (including abstentions): 21

Quorum met: Yes

Under Bylaw 2.2(g), a ballot result will be considered valid only when more than half of the number of currently active Members has participated. Votes to abstain are counted in determining a quorum. This requirement was met.

Bylaw 2.2(f) requires a yes vote by two-thirds of CA votes and 50%-plus-one browser votes for approval. Votes to abstain are not counted for this purpose. This requirement was met for both CAs and browsers.

At least one CA Member and one browser Member must vote in favor of a ballot for the ballot to be adopted. This requirement was met.

Ballot 206 passes. Congratulations and thanks to Virginia Fournier, Dean Coclin, and all the members of the Governance Change Working Group for all their hard work!

Ballot 206

Purpose of Ballot: This ballot is the result of the work done by the CA/Browser Forum (the “Forum”) Governance Reform Working Group.

The following motion has been proposed by Virginia Fournier of Apple and endorsed by Tim Hollebeek of DigiCert and Jos Purvis of Cisco to amend the CA/Browser Forum Intellectual Property Rights Policy (“IPR Policy”) and Bylaws of the CA/Browser Forum (the “Bylaws”) regarding the formation of working groups:

– MOTION BEGINS –

  1. Amendment to IPR Policy. The IPR Policy is hereby amended to read in its entirety as set forth on Exhibit A hereto (IPR Policy version 1.3, effective [date], 2018). In summary, the primary purpose of the amendment to the IPR Policy is to clarify that patent licensing obligations will be based on working group participation rather than Forum membership.

  2. Amendment to Bylaws. The Bylaws are hereby amended to read in their entirety as set forth on Exhibit B hereto (Bylaws version 1.9, effective [date], 2018). In summary, the purpose of the amendment to the Bylaws is to:

  • Set forth the processes required to set up and operate new Forum working groups (each, a “Chartered Working Group” or “CWG”).

  • Clarify that a CWG can create its own subcommittees without full Forum approval and according to the CWG’s own approval process.

  • Make clarifications regarding the handling of faulty ballot votes.

  • Clarify the applicable process when there’s discrepancy between proposed Guideline language in a ballot and language set forth in a redline version attached to the ballot.

  • Specify how to finalize minutes if there is no Forum meeting or teleconference within 3 weeks after publication of the draft minutes.

  • Clarify the meanings of the terms “Forum Meetings” and “Forum Teleconferences.”

  • Approve the charter for the Server Certificate Working Group, which will become the first Chartered Working Group (CWG).

  • Allow already-existing working groups (“Legacy Working Groups” or “LWG”) to continue operating under the old rules for up to 6 months, and then transition to a Chartered Working Group (CWG) with a new charter approved under Section 5.3 of the Bylaws to continue thereafter; also clearly differentiate between Legacy Working Groups and Chartered Working Groups.

  • Correct the term used to define a CAB Forum member as a “Member” rather than using various other terms to refer to the same thing throughout the document.

  • Correct non-substantive typos.

  3. Approval of Charter for Server Certificate Working Group. Pursuant to Section 5.3.1 (Formation of Working Groups) of the amended Bylaws, the charter for the Server Certificate Working Group attached hereto as Exhibit C is hereby approved.

  4. Applicability of Amendments. The amendments to the IPR Policy and the Bylaws described in this ballot shall become effective 90 days after the date on which the vote for approval is final, and shall not apply retroactively. Any Draft Guideline Ballots already in the Review Period when such amendments go into effect shall comply with the versions of the IPR Policy and the Bylaws in effect when such Review Period began.

Motion ends

The procedure for approval of this ballot is as follows:

BALLOT 206

Formal discussion period: (7 days)

Start time: 20 March 2018 2:38 PM PDT (20 Mar 2018 21:38 UTC)

End Time: 27 March 2018 8:00 PM PDT (28 Mar 2018 3:00 AM UTC)

Vote for approval (7 days)

Start time: 27 March 2018 8:30 PM PDT (28 March 2018 3:30 AM UTC)

End time: 3 April 2018 8:30 PM PDT (4 April 2018 3:30 AM)

Votes must be cast by posting an on-list reply to this thread on the Public Mail List.

A vote in favor of the ballot must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting Member before the close of the voting period will be counted. Voting Members are listed here:

In order for the ballot to be adopted, two thirds or more of the votes cast by Members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor, and there must be a quorum.

Pursuant to Section 2.3(d) of the Bylaws, each Member, and not the Forum, will be responsible for taking precautions to make sure such Member’s vote is submitted properly and counted. In the event that a Member’s vote on a ballot is not submitted properly, such vote shall not be valid and shall not be counted, and there shall be no appeal, revote (except in the case of a new ballot submitted to all Members) or other recourse.

Exhibit A (IPR Policy version 1.3)

CA/BROWSER FORUM Intellectual Property Rights Policy, v. 1.3 (Effective July 3, 2018)

DEFINITIONS

  1. Overview

This Intellectual Property Rights Policy describes:

a. licensing goals for CA/Browser Forum (“CAB Forum”);

b. the patent licensing obligations that Members will undertake as a condition of participation in CAB Forum Working Groups, along with means of excluding specific patents from those obligations;

c. the definitions of a “CAB Forum Royalty-Free License”;

d. an exception handling process for situations in which the Royalty-Free status of a Guideline comes under question;

e. the copyright licensing obligations that Members will undertake as a condition of participation in a Working Group; and

f. the definitions of “Essential Claim” and other key terms.

  2. Licensing and Disclosure Goals for CAB Forum Guidelines

In order to promote the widest adoption of CAB Forum Guidelines, CAB Forum and its Working Groups seek to issue Guidelines that can be implemented on a Royalty-Free (RF) basis subject to the conditions of this policy. Working Groups will ordinarily not approve a Guideline if they are aware that Essential Claims exist that are not available on RF terms. Members are encouraged to bring to the attention of the applicable Working Group any known patent or pending patent applications of other organizations (Members or non-Members) that might contain Essential Claims.

  3. Patent Licensing Obligations of Participants

The following obligations shall apply to all Participants with respect to the Working Groups in which they participate.

3.1 Royalty-Free Licensing Requirements.

As a condition of participating in a Working Group, each Participant shall, subject to Section 4 below, agree to make available under a CAB Forum RF License (as defined in Section 5 below), any Essential Claims related to any Final Guideline or Final Maintenance Guideline of that particular Working Group. This requirement includes Essential Claims that the Participant owns and any that the Participant has the right to license without obligation of payment or other consideration to an unrelated third party.

3.2 Limitation on Licensing Requirements.

The affirmative act of joining a Working Group will obligate a Participant to the CAB Forum RF Licensing obligations.

  4. Review of Draft Guidelines and Licensing Exclusions

4.1 Review of Draft Specifications.

Prior to the approval of a CAB Forum Draft Guideline as a CAB Forum Final Guideline or Final Maintenance Guideline, there shall be a review period during which Working Group Participants may exclude certain Essential Claims from CAB Forum RF Licenses. The CAB Forum Chair shall initiate the Review Period by distributing to each Working Group Participant a notice of review period and a complete draft of the Draft Guideline that is the subject of such notice (“Review Notice”). Each Participant shall have sixty (60) days following the date of the receipt of such Review Notice (“Review Period”) to review such Draft Guideline and consider any licensing obligations with respect to any Essential Claims that may be encompassed by such Draft Guideline. The approval of a CAB Forum Final Maintenance Guideline shall follow the same process except that the Review Period shall be thirty (30) days.

4.2 Excluding Patents and/or Patent Applications From Royalty-Free Licensing Obligations During Review Period.

Except for Essential Claims encompassed by a Participant’s Contributions that are actually incorporated into a Final Guideline or Final Maintenance Guideline approved in accordance with the Working Group’s Guideline approval process as specified in its charter, Participants may, within the Review Period, exclude Essential Claims from the CAB Forum RF License. In such case, Participants shall be permitted to either make an election, (i) not to grant a license or (ii) to provide a license that complies with all of the requirements of Section 5.1 with the exception of subsection 5.1 f.

4.3 Conditions and Procedure for Excluding Patents and/or Patent Applications From CAB Forum RF License.

A Participant seeking to exclude Essential Claims from the CAB Forum RF License in accordance with Section 4.2 must provide written notice of such intent to the CAB Forum Chair with a copy to the appropriate Working Group Chair and the CAB Forum public mailing list (public@cabforum.org) (“Exclusion Notice”) within the Review Period. The Exclusion Notice shall be effective upon its receipt by the CAB Forum Chair. The Exclusion Notice shall include identification of the numbered section of the Final Guideline or Final Maintenance Guideline whose implementation makes the excluded claim an Essential Claim for each of the issued patent(s) or pending patent application(s) that a Participant reasonably believes at the time may contain Essential Claims the Participant wishes to exclude from the CAB Forum RF License. For issued patents, the Exclusion Notice shall also include the patent number(s). For pending patent applications, the Exclusion Notice shall also include the title and application number(s). If an issued patent or pending patent application that may contain Essential Claims is not set forth in the Exclusion Notice, such Essential Claims shall continue to be subject to the CAB Forum RF License. For unpublished patent applications, the Exclusion Notice shall also include a copy of the patent application. In addition, Exclusion Notices shall be published at /ipr-exclusion-notices/.

4.4 Effect of Exclusion Notice.

The timing of the Exclusion Notice will determine the effect on the Participant’s CAB Forum RF License obligation as specified in Sections 4.4(a) and 4.4(b). If a Participant provides the CAB Forum Chair with a timely Exclusion Notice in accordance with Section 4.3, then:

(a) Such Participant’s CAB Forum RF License obligation shall remain in full force and effect for any Essential Claims in a Final Guideline or Final Maintenance Guideline that has been finally adopted (“Previously Adopted Final Guideline”) by the CAB Forum prior to the date on which the CAB Forum Chair receives such Participant’s Exclusion Notice (“Date of Receipt”); and

(b) Such Participant’s CAB Forum RF License obligation shall remain in full force and effect for any Essential Claims in any Draft Guideline for which a Review Period has been completed unless and to the extent that an Exclusion Notice has been given within such Review Period.

4.5 New Participant Reviews.

When a new Participant joins a Working Group, such Participant shall be permitted not less than forty-five (45) days to review the Draft Guideline then under review, and any previously adopted Final Guidelines and Final Maintenance Guideline of such Working Group for any and all Essential Claims and to commit in a separate written agreement to the CAB Forum RF License requirement, as to any Final Guidelines or Final Maintenance Guidelines or Draft Guidelines of such Working Group for which the Review Period has been completed. Failure to provide such written agreement will result in the inability to participate in the Working Group. With respect to any Working Group Draft Guideline for which a Review Period has commenced, a new Participant shall have the remainder of the Review Period in which to submit an Exclusion Notice.

  5. CAB Forum Royalty-Free (RF) License Requirements

5.1 License Requirements

With respect to Final Guidelines and Final Maintenance Guidelines developed under this policy, a CAB Forum Royalty-Free (RF) License shall mean a non-assignable, non-sublicensable license to make, have made, use, sell, have sold, offer to sell, import, and distribute and dispose of Compliant Portions (provided that such license need not extend to any part or function of a product (other than the Compliant Portion therein) in which a Compliant Portion is incorporated but that is not itself part of the Compliant Portion) of the Final Guideline or Final Maintenance Guideline that:

a. shall be available to all, worldwide, whether or not they are CAB Forum Members or Working Group Participants;

b. shall extend to all Essential Claims owned or controlled by the Participant;

c. may be conditioned on the licensee providing notice to a buyer of its products or services that they implement an Essential Claim of a particular entity relating to a particular CAB Forum Final Guideline or Final Maintenance Guideline and that licensee’s right to sell the products or services to buyer, and buyer’s use of the products or services, are conditioned on the buyer’s acceptance of the same terms of the RF or RAND license granted to licensee under the CAB Forum Intellectual Property Rights Policy;

d. may be limited to implementations of the Final Guideline and Final Maintenance Guideline, and to what is required by the Final Guideline and Final Maintenance Guideline;

e. may be conditioned on a grant of a reciprocal RF license (as defined in this policy) to all Essential Claims owned or controlled by the licensee. A reciprocal license may be required to be available to all, and a reciprocal license may itself be conditioned on a further reciprocal license from all;

f. may not be conditioned on payment of royalties, fees or other consideration;

g. may be suspended with respect to any licensee when licensor is sued by licensee for infringement of claims essential to implement any CAB Forum Final Guideline or Final Maintenance Guideline;

h. may not impose any further conditions or restrictions on the use of any technology, intellectual property rights, or other restrictions on behavior of the licensee, but may include reasonable, customary terms relating to operation or maintenance of the license relationship such as the following: choice of law and dispute resolution; and

i. shall not be considered accepted by an implementer who manifests an intent not to accept the terms of the CAB Forum Royalty-Free License as offered by the licensor.

5.2 License Term

a. The CAB Forum RF license conforming to the requirements in this policy shall be made available by the licensor and/or its Affiliates as long as the Final Guideline or Final Maintenance Guideline is in effect. The term of such license shall be for the life of the patents in question, subject to the limitations of 5.2(b).

b. If a Final Guideline or Final Maintenance Guideline is rescinded by the CAB Forum or the Working Group that developed it, then no new licenses need be granted but any licenses granted before the Final Guideline or Final Maintenance Guideline was rescinded shall remain in effect.

5.3 Survival of CAB Forum RF License Obligation After Member Termination

A Member whose participation in the CAB Forum has terminated shall continue to be obligated to grant CAB Forum RF Licenses for (i) any Essential Claims in a Working Group’s Final Guidelines and Final Maintenance Guidelines that have been adopted by a Working Group, in which the terminated Member participated, prior to the effective date of such Member’s termination from the CAB Forum; (ii) any Essential Claims in such terminating Member’s Contributions incorporated in any Final Guideline or Final Maintenance Guidelines adopted by a Working Group in which the terminating Member participated after the effective date of such Member’s withdrawal, and (iii) any Essential Claims in any Draft Guideline for which a Review Period has been completed in a Working Group in which the Member participated.

  6. Copyrights

6.1 Coverage

All Contributions to CAB Forum are accepted on the basis of this Section 6.

6.2 Copyright License Grant

Each Working Group Participant grants to the other Participants in such Working Group an irrevocable, worldwide, perpetual, royalty-free, nontransferable, nonexclusive copyright license to (1) reproduce, modify and distribute (in any and all print, electronic or other means of reproduction, storage or transmission) its Contributions for the purpose of developing and publishing Draft Guidelines and Final Guidelines or Final Maintenance Guidelines, and (2) upon release of the Final Guideline or Final Maintenance Guidelines a license to all, worldwide, whether or not they are CAB Forum Members or Working Group Participants, to reproduce, distribute, make derivative works and display such Final Guidelines or Final Maintenance Guidelines.

6.3 Enforcement of Copyrights

Each Participant (the “Enforcing Participant”) in a Working Group shall have the right, but not the obligation, to enforce the copyright interest in that Working Group’s Final Guidelines or Final Maintenance Guidelines against an infringer. The other Participants of that Working Group shall take such actions as they deem appropriate consistent with the terms of this Agreement, to reasonably cooperate with the Enforcing Participant in its efforts to enforce such copyright interest. For the avoidance of doubt, no Participant shall be required to participate as a plaintiff in an action to enforce the copyright in a Final Guideline or Final Maintenance Guideline.

6.4 Representations and Warranties

Participants that submit Contributions, by making a Contribution to a Working Group, represent and warrant that, to the extent personally known to the individual Contributors under their control:

a. There are no limits to the Participant’s ability to make the grants, acknowledgments and agreements herein,

b. The Contribution does not contain source code that is intended to be incorporated as a technical component of a Guideline, and

c. The Contribution, if incorporated into a Final Guideline or Final Maintenance Guideline will not subject the Final Guideline or Final Maintenance Guideline or implementations of the Final Guideline or Final Maintenance Guideline, in whole or in part, to licensing obligations, restrictions or requirements which are inconsistent with those set forth in this Intellectual Property Rights Policy.

  7. Exception Handling

7.1. PAG Formation

In the event a patent has been disclosed that may contain an Essential Claim, but such Essential Claim is not available under a CAB Forum RF License, a Patent Advisory Group (PAG) will be launched to resolve the conflict. The PAG is an ad-hoc group constituted specifically in relation to the Final Guideline or Final Maintenance Guideline containing the conflict. A PAG may also be formed without such a disclosure if a PAG could help avoid anticipated patent problems.

7.2. PAG Formation After a Guideline Is Adopted

A PAG may also be convened in the event Essential Claims are discovered after a Guideline is issued. In this case the PAG will be open to any interested Member, though the PAG may choose to meet without the holder of the Essential Claims in question.

7.3. PAG Procedures

7.3.1. PAG Formation Timing

The PAG will be convened by a Chair who shall be elected by the PAG and who must not be affiliated with the company owning the Essential Claim that is the subject of the PAG. The timing for convening the PAG is at the discretion of the Chair. In some cases, convening a PAG before a specific patent disclosure is made may be useful. In other cases, it may be that the PAG can better resolve the licensing problems when the specification is at the Review Period level.

7.3.2. Possible PAG Conclusions

After appropriate consultation, the PAG may conclude:

a. The initial concern has been resolved, enabling the work on the Guideline to continue.

b. The CAB Forum should be instructed to consider designing around the identified claims.

c. The PAG should seek further information and evaluation, including and not limited to evaluation of the patents in question or the terms under which CAB Forum RF License requirements may be met.

d. The project relating to the Draft Guideline in question should be terminated.

e. The Final Guideline or Final Maintenance Guideline should be rescinded.

f. Alternative licensing terms should be considered.

  8. Definition of Essential Claims and Other Key Terms

8.1. Essential Claims

“Essential Claims” shall mean all claims in any patent or patent application in any jurisdiction in the world that would necessarily be infringed by implementation of any Normative Requirement in a Final Guideline or Final Maintenance Guideline. A claim is necessarily infringed hereunder only when it is not possible to avoid infringing it because there is no non-infringing alternative for implementing a Normative Requirement of a Final Guideline or Final Maintenance Guideline. Existence of a non-infringing alternative shall be judged based on the state of the art at the time the guideline is adopted as a Final Guideline or Final Maintenance Guideline. If a Normative Requirement in a Final Guideline or Final Maintenance Guideline may be fulfilled by any of a list of specified alternatives, then for determination of whether a claim is an Essential Claim, each of the specified alternatives should be considered independently as if it were the only method for fulfilling that requirement.

8.2. Limitations on the Scope of Definition of Essential Claims

The following are expressly excluded from and shall not be deemed to constitute Essential Claims:

a. any claims other than as set forth above even if contained in the same patent as Essential Claims; and

b. claims that would be infringed only by: portions of an implementation that are not specified in the Normative Requirements of the Final Guideline or Final Maintenance Guideline, or enabling technologies that may be necessary to make or use any product or portion thereof that complies with the Final Guideline or Final Maintenance Guideline and are not themselves expressly set forth in the Final Guideline or Final Maintenance Guideline (e.g., semiconductor manufacturing technology, compiler technology, object-oriented technology, basic operating system technology, and the like); or

c. the implementation of technology developed elsewhere and merely incorporated by reference in the body of the Final Guideline or Final Maintenance Guideline.

d. design patents and design registrations.

8.3. Other Key Definitions

a. “Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with, another entity. Control for the purposes of this policy shall mean direct or indirect beneficial ownership of more than fifty percent of the voting stock, or decision-making authority in the event that there is no voting stock, in an entity.

b. “CAB Forum Royalty-Free (RF) License” refers to the license described in Section 5 of this policy.

c. “Compliant Portion” means only those specific portions of a product (hardware, software or combinations thereof) that implement and are compliant with all Normative Requirements of the Final Guideline or Final Maintenance Guideline (as applicable to such portions that are adopted) and that are within the bounds of the Scope.

d. “Contribution” means material, including Draft Guidelines, Draft Guideline text, and modifications to other Contributions, made verbally or in a tangible form of expression (including in electronic media) that is provided by a Participant in the process of developing a Draft Guideline for the purpose of incorporating such material into a Draft Guideline or a Final Guideline or Final Maintenance Guideline. For a verbal contribution to be deemed a Contribution hereunder it must be memorialized within approved meeting minutes of the CAB Forum.

e. “Draft Guideline” means a version of a CAB Forum guideline that has not been approved as a Final Guideline or Final Maintenance Guideline, regardless of whether or not the Draft Guideline has been published.

f. “Final Guideline” is any version of a Draft Guideline that the Working Group Participants have agreed is a final version of such Draft Guideline pursuant to the Working Group process for approving Final Guidelines.

g. “Final Maintenance Guideline” is an errata to or amendment of an existing CAB Forum Final Guideline.

h. “Member” means an entity that is a member of the CAB Forum, together with its Affiliates.

i. “Normative Requirements” means those portions of the Final Guideline or Final Maintenance Guideline that are expressly identified as required for compliance with the Final Guideline or Final Maintenance Guideline including those portions of an optional or alternative portion of the Final Guideline or Final Maintenance Guideline that are identified as required for compliance with such optional or alternative portion. For clarity, those portions of the Final Guideline or Final Maintenance Guideline, including any portions of an optional or alternative portion thereof, which are designated by the terms “must”, “shall”, “mandatory”, “normative” or “required” are expressly identified as being required for compliance.

j. “Participant” means a Member who is participating in one or more Working Groups of the CAB Forum, together with its Affiliates. Interested Parties and Associate Members are “Participants” for purposes of any Working Group(s) in which they may be participating, but they do not gain any CAB Forum membership privileges (such as voting rights) thereby.

k. “Scope” means those protocols, communication and network interface protocols, application program interfaces, service provider interfaces, physical dimensions and characteristics, data structures and any other hardware and/or software interface technologies solely to the extent disclosed in and required by a Final Guideline or Final Maintenance Guideline for the implementation of systems and methods for managing public/private keys and their associated certificates for securing or managing public/private keys and the implementation of systems and methods for obtaining and validating the accuracy and currency of data in support of certificate issuance, renewal and revocation. The Scope shall include only architectural and interconnection requirements of the Final Guideline or Final Maintenance Guideline and shall not include any implementation examples contained in the Final Guideline or Final Maintenance Guideline unless the Final Guideline or Final Maintenance Guideline expressly states that such implementation examples are to be included within the Scope of the license set forth in Section 5.1.

l. “Working Group” means a working group that has been approved by the CAB Forum or Working Group in accordance with the Bylaws. Working Groups may be either “Legacy” (as defined in Section 5.3.4 of the Bylaws) or “Chartered” (as defined in Section 5.3.1(a) of the Bylaws), and they may designate their own Subcommittees, as described in Section 5.3.1(e) of the Bylaws.

8.4 Transfer of Essential Claims

Any transfer by Participant to an unaffiliated third party of a patent having Essential Claims shall be subject to the terms and conditions of this Intellectual Property Rights Policy. A Participant may choose the manner in which it complies with this Section, provided that any agreement for transferring or assigning Essential Claims includes a provision that such transfer or assignment is subject to existing licenses and obligations to license imposed on the Participant by standards bodies, specification development organizations, or similar organizations (or language of similar import).

Exhibit B – Bylaws

  1. CA/BROWSER FORUM – PURPOSE, STATUS, AND ANTITRUST LAWS

1.1 Purpose of the Forum:

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of leading Certificate Issuers (as defined in Section 2.1(a)(1) and (2) below) and vendors of Internet browser software and other applications that use certificates (Certificate Consumers, as defined in Section 2.1(c) below).

Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.

1.2 Status of the Forum and Forum Activities

The Forum has no corporate or association status, but is simply a group of Certificate Issuers and Certificate Consumers that communicates or meets from time to time to discuss matters of common interest relevant to the Forum’s purpose. The Forum has no regulatory or industry powers over its members or others. Other than those rights and responsibilities found in the Forum’s Intellectual Property Rights (IPR) Policy, Forum “membership” or other participation status does not convey any legal status or rights, but is intended simply as a guide to the levels of participation in Forum activities.

1.3 Intellectual Property Rights Policy; Antitrust Laws and Regulations; Goal; Conduct

Forum Members, Associate Members, and Interested Parties must comply with the then-current IPR Policy and all applicable antitrust laws and regulations during their Forum activities.

The historic goal of Forum activities (including development of proposed requirements and guidelines and voting on all matters) has been to seek substantial consensus among Forum Members before proceeding or adopting final work product, and this goal will remain for the future. Members shall not use their participation in the Forum either to promote their own products and offerings or to restrict or impede the products and offerings of other Members.

The Chair will read an antitrust compliance statement at the start of all Forum Meetings (and on other occasions, as the Chair deems necessary) in substantially the following form:

“As you know, this meeting includes companies that compete against one another. This meeting is intended to discuss technical standards related to the provision of existing and new types of digital certificates without restricting competition in developing and marketing such certificates. This meeting is not intended to share competitively-sensitive information among competitors, and therefore all participants agree not to discuss or exchange information related to:

(a) Pricing policies, pricing formulas, prices or other terms of sale;

(b) Costs, cost structures, profit margins,

(c) Pending or planned service offerings,

(d) Customers, business, or marketing plans; or

(e) The allocation of customers, territories, or products in any way.”

  2. FORUM MEMBERSHIP AND VOTING

2.1 Qualifying for Forum Membership

(a) All Forum members must participate in at least one CWG (as defined in Section 5.3.1 below), and meet at least one of the following criteria:

(1) Certificate Issuer: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit or ETSI EN 319 411-1 or ETSI TS 102 042 or ETSI TS 101 456 audit report prepared by a properly-qualified auditor, is a member of a CWG, and that actively issues certificates to end entities, such certificates being treated as valid by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.

(2) Root Certificate Issuer: The member organization operates a certification authority that has a current and successful WebTrust for CAs, or ETSI EN 319 411-1 or ETSI TS 102 042 or ETSI TS 101 456 audit report prepared by a properly-qualified auditor, is a member of a CWG, and that issues certificates to subordinate CAs that, in turn, actively issue certificates to end entities, such certificates being treated as valid by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Section 3.1 for a period of time to be designated by the Forum.

(3) Certificate Consumer: The member organization produces a software product, such as a browser, intended for use by the general public for relying upon certificates and is a member of a CWG.

(b) Applicants should supply the following information:

(1) Confirmation that the applicant satisfies at least one of the membership criteria (and if it satisfies more than one, indication of the single category under which the applicant wishes to apply).

(2) The organization name, as you wish it to appear on the Forum Web site and in official Forum documents.

(3) URL of the applicant’s main Web site.

(4) Names and email addresses of employees who will participate in the Forum mail list.

(5) Emergency contact information for security issues related to certificate trust.

Applicants that qualify as Certificate Issuers or Root Certificate Issuers should supply the following additional information:

(6) URL of the current qualifying performance audit report.

(7) The URL of at least one third party website that includes a certificate issued by the Applicant in the certificate chain.

(8) Links or references to issued certificates that demonstrate compliance with all applicable certificate, CRL, and OCSP requirements.

(c) An Applicant shall become a Member once the Forum has determined by consensus among the Members during a Forum Meeting or Forum Teleconference that the Applicant meets all of the requirements of subsection (a) or, upon the request of any Member, by a Ballot among the Members. Acceptance by consensus shall be determined or a Ballot of the Members shall be held as soon as the Applicant indicates that it has presented all information required under subsection (b) and has responded to all follow-up questions from the Forum and the Member has complied with the requirements of Section 5.5.

2.2 Ending Forum Membership

Members may resign from the Forum at any time. Resignation does not prevent a Member from potentially having continuing obligations, under the Forum’s IPR Policy or any other document.

(a) Certificate Consumer: A Certificate Consumer Member’s membership will automatically cease if any of the following become true:

  1. it is not a member of any CWG;
  2. it stops providing updates for its membership-qualifying software product; or
  3. six months have elapsed since the last such published update.

(b) Certificate Issuer or Root Certificate Issuer: A Certificate or Root Certificate Issuer Member’s membership may be suspended if any of the following become true:

  1. it is not a member of any CWG;
  2. it fails to pass its membership-qualifying audit;
  3. its membership-qualifying audit is revoked, rescinded or withdrawn;
  4. fifteen months have elapsed since the end of the audit period of its last successful membership-qualifying audit; or
  5. it is no longer the case that its currently-issued certificates are treated as valid by at least one Certificate Consumer member.

Any Member who believes one of the above circumstances is true of any other Member may report it on the Public Mail List. The Chair will then investigate, including asking the reported Member for an explanation or appropriate documentation. If evidence of continued qualification for membership is not forthcoming from the reported Member within five working days, the Chair will announce that such Member is suspended, such announcement to include the clause(s) from the above list under which the suspension has been made.

A suspended Member who believes it has now re-met the membership criteria under the relevant clauses shall post evidence to the Public Mail List. The Chair will examine the evidence and unsuspend the member, or not, by public announcement. A Member’s membership will automatically cease six months after it becomes suspended if the Member has not re-met the membership criteria by that time.

While suspended, a Member may participate in Forum Meetings, Forum Teleconferences, and on the Forum’s discussion lists, but may not propose or endorse ballots or take part in any form of voting. Votes cast before a Member’s suspension is announced will stand.

2.3 General Provisions Applicable to all Ballots

The following rules will apply to all ballots, including Draft Guideline Ballots (defined in Section 2.4).

(a) Only votes by Members shall be accepted.

(b) Only one vote per Member company shall be accepted; representatives of Affiliates shall not vote.

(c) A representative of any Member can call for a proposed ballot to be published for discussion and comment by the membership. Any proposed ballot needs two endorsements by other Members in order to proceed. The discussion period then shall take place for at least seven but no more than 14 calendar days before votes are cast. The proposer of the ballot will designate the length of the discussion period, and each ballot shall clearly state the start and end dates and times (including time zone) for both the discussion period and the voting period.

(d) Upon completion of the discussion period, Members shall have exactly seven calendar days for voting on the proposed ballot, with the deadline clearly communicated in the ballot and sent via the Public Mail List. All voting will take place via the Public Mail List. Votes not submitted to the Public Mail List by the end of the voting period (as specified in the ballot) will not be considered valid, and will not be counted for any purpose. Each Member, and not the Forum, will be responsible for taking precautions to make sure such Member’s vote is submitted properly and counted. In the event that a Member’s vote on a ballot is not submitted properly, such vote shall not be valid and shall not be counted for any purpose, and there shall be no appeal, revote (except in the case of a new ballot submitted to all Members) or other recourse.

(e) Members may vote yes, no, or abstain on a ballot. Only votes that indicate a clear ‘yes’ or ‘no’ response to the ballot question shall be considered (i.e. votes to abstain and votes that do not indicate a clear ‘yes’ or ‘no’ response will not figure in the calculation of item (f), below).

(f) Members fall into two categories: Certificate Issuers (including Certificate Issuers and Root Certificate Issuers), as defined in Section 2.1(a)(1) and (2) and Certificate Consumers (as defined in Section 2.1(a)(3)). In order for a ballot to be adopted by the Forum, two-thirds or more of the votes cast by the Members in the Certificate Issuer category must be in favor of the ballot, and at least 50% plus one of the votes cast by the Members in the Certificate Consumer category must be in favor of the ballot. At least one Member in each category must vote in favor of a ballot for the ballot to be adopted.

(g) A ballot result will be considered valid only when more than half of the number of currently active Members has participated. The number of currently active Members is the average number of Member organizations that have participated in the previous three Forum Meetings and Forum Teleconferences.

(h) The Chair will tabulate and announce the results within 3 business days of the close of the voting period.

(i) The Chair may delegate any of his/her duties under this Section 2.3 and Section 2.4 to the Vice Chair as necessary, or the Vice Chair may otherwise execute the duties and obligations of the Chair as provided in Section 4.1(a) of these Bylaws.

2.4 Requirements for Draft Guideline Ballots

This section applies to any ballot that proposes a Final Guideline or a Final Maintenance Guideline (a “Draft Guideline Ballot”), all as defined under the Forum’s IPR Policy. Draft Guideline Ballots must comply with the following rules in addition to the requirements set forth in Section 2.3 above.

(a) A Draft Guideline Ballot will clearly indicate whether it is proposing a Final Guideline or a Final Maintenance Guideline. If the Draft Guideline Ballot is proposing a Final Guideline, such ballot will include the full text of the Draft Guideline intended to become a Final Guideline. If the Draft Guideline Ballot is proposing a Final Maintenance Guideline, such ballot will include a redline or comparison showing the set of changes from the Final Guideline section(s) intended to become a Final Maintenance Guideline, and need not include a copy of the full set of guidelines. Such redline or comparison shall be made against the Final Guideline section(s) as they exist at the time a ballot is proposed, and need not take into consideration other ballots that may be proposed subsequently, except as provided in Section 2.3(j) below. In the event there is a conflict between the text of a Final Guideline or Final Maintenance Guideline included in a Draft Guideline Ballot (the “Ballot Version”), and the text in the redline/comparison copy of the Final Guideline or Final Maintenance Guideline attached to the Draft Guideline Ballot (the “Redline Version”), the Ballot Version shall in all cases take precedence over the Redline Version. In addition, the Ballot Version shall be the official text used for implementation should the Draft Guideline Ballot pass. If a discrepancy between the Redline Version and the Ballot Version is discovered during the Draft Guideline Ballot discussion or voting periods, a corrected copy of the Redline Version shall be submitted to the Public Mail List for reference; this corrected Redline Version shall not affect the Draft Guideline Ballot text, the discussion period, or the voting period.

(b) As described in Section 2.3(c), there will be a discussion period of at least seven but no more than 14 calendar days before votes are cast on a Draft Guideline Ballot, with the start and end dates of such discussion period clearly specified in the ballot.

(c) As described in Section 2.3(d), upon completion of such discussion period, Members shall have exactly seven calendar days to vote on a Draft Guideline Ballot, with the deadline clearly communicated in the ballot sent via the Public Mail List. All voting will take place via the Public Mail List. Votes not submitted to the Public Mail List will not be considered valid, and will not be counted for any purpose. The Chair may send an email to the Public Mail List reminding Members of when the voting period opens and closes.

(d) The Forum (via the Chair) will tabulate and announce the results within 3 business days of the close of the initial voting period (the “Initial Vote”). If the Draft Guidelines Ballot does not pass the Initial Vote, the ballot will stop.

(e) If a Draft Guideline Ballot passes the Initial Vote, the Chair shall initiate, no later than the 3rd business day after the announcement of the Initial Vote results, the Review Period of 30 or 60 days, as applicable and as described in Section 4.1 of the IPR Policy. The Chair will initiate the Review Period by sending the Review Notice to both the Member Mail List and the Public Mail List. The Review Notice will clearly specify the open and close dates and times (with time zone) of the Review Period. If the Chair does not initiate the Review Period within 5 business days after the announcement of the Initial Vote results, the Vice Chair may initiate the Review Period, using the same process as the Chair would have been required to use.

(f) The Review Period will continue to the end of the 30- or 60-day period, as applicable, regardless of the number of Exclusion Notices filed pursuant to the IPR Policy during such period, if any. No later than 3 business days after the conclusion of the applicable Review Period, the Chair will distribute any Exclusion Notices submitted in accordance with Section 4.2 (Review of Draft Specifications) of the IPR Policy via the Public Mail List; provided, however, that the Chair may distribute such Exclusion Notices earlier.

(g) In addition to following the process for submitting Exclusion Notices set forth in Section 4 of the IPR Policy, Members will also send Exclusion Notices to the Public Mail List as a safeguard.

(h) If no Exclusion Notices are filed during the Review Period with respect to a Draft Guideline Ballot, then the results of the Initial Vote are automatically deemed to be final and approved, and Draft Guidelines then become either Final Guidelines or Final Maintenance Guidelines, as designated in the Draft Guidelines Ballot. The Chair will notify both the Member Mail List and the Public Mail List of the final approval within 3 business days, as well as update the Public Website of Final Guidelines and Final Maintenance Guidelines within 10 business days of the close of the Review Period.

(i) If Exclusion Notice(s) are filed during the Review Period (as described in Section 4.3 of the IPR Policy), then the results of the Initial Vote are automatically rescinded and deemed null and void, and;

(i) A Patent Advisory Group (PAG) will be formed, in accordance with Section 7 of the IPR Policy, to address the conflict. The PAG will make a conclusion as described in Section 7.3.2 of the IPR Policy, and communicate such conclusion to the rest of the Forum, using the Member Mail List and the Public Mail List; and

(ii) After the PAG provides its conclusion, if the proposer and endorsers decide to proceed with the Draft Guidelines Ballot, and:

(A) The proposer and endorsers do not make any changes to the Draft Guidelines Ballot, such ballot must go through the steps described in Sections 2.4(b) through (d) above, replacing the “Initial Vote” with a “Second Vote.” If a Draft Guidelines Ballot passes the Second Vote, then the results of the Second Vote are deemed to be final and approved. Draft Guidelines then become either Final Guidelines or Final Maintenance Guidelines, as designated in the Draft Guidelines Ballot. The Chair will notify both the Member Mail List and the Public Mail List of the approval, as well as update the public website of Final Guidelines and Final Maintenance Guidelines; or

(B) The proposer and endorsers make changes to the Draft Guidelines Ballot, a new Draft Guidelines Ballot must be proposed, and must go through the steps described in Sections 2.3(a) through (i) above.

(j) If a ballot is proposed to amend the same section of the Final Guidelines or the Final Maintenance Guidelines as one or more previous ballot(s) that has/have not yet been finally approved, the newly proposed ballot must include information about, and a link to, any such previous ballot(s), and may include provisions to avoid any conflicts relating to such previous ballots.

  3. OTHER FORUM PARTICIPATION

3.1 Associate Members

The Forum may enter into associate member relationships with other organizations when the CA/Browser Forum determines that maintaining such a relationship will be of benefit to the work of the Forum. In the past, entities qualifying as Associate Members have included the AICPA/CICA WebTrust Task Force, the European Telecommunications Standards Institute, Paypal, the Internet Corporation for Assigned Names and Numbers, tScheme, the U.S. Federal PKI, and CAs applying for membership but awaiting full qualification under Section 2.1. Participation as an Associate Member is by invitation only. In order to become an Associate Member, an organization must sign a mutual letter of intent, understanding, or other agreement and the Forum’s IPR Agreement, unless this latter requirement is waived in writing by the Forum based on overriding policies of the Associate Member’s own organization IPR rules. Associate Members may attend face-to-face meetings, communicate with Forum Members on member lists, and access Forum wiki content. Associate Members are not entitled to vote except on special straw polls of the Forum (e.g. when selecting meeting dates, locations, etc.)

3.2 Interested Parties

Any person or entity that wishes to participate in the Forum as an Interested Party may do so by providing their name, affiliation (optional), and contact information, and by agreeing to the IPR Agreement attached as Exhibit A (indicating agreement by manual signing or digitally signing the agreement).

Interested Parties may participate in Forum activities in the following ways:

(a) By becoming involved in CWGs,

(b) By posting to the Public Mail List, and

(c) By participating in those portions of Forum Teleconferences and Forum Meetings to which they are invited by the Forum Chair relating to their areas of special expertise or the subject of their CWG participation.

Interested Parties are required to comply with the provisions of the IPR Agreement and these Bylaws. Interested Parties may lose their status as Interested Parties by vote of the Members, in the Members’ sole discretion.

3.3 Other Parties

The public may follow the Forum’s activities by reading all postings on the Public Mail List and the Public Web Site. Questions or comments to the Forum may be sent to Questions Mail List.

  4. OFFICERS AND FINANCES

4.1 Officers

(a) Term of office: The Forum will elect a Chair and Vice Chair, each to serve for a two-year term. The Vice Chair has the authority of the Chair in the event of any absence or unavailability of the Chair, and in such circumstances, any duty delegated to the Chair herein may be performed by the Vice Chair. For example, the Vice Chair will preside at Forum Meetings and Forum Teleconferences in the Chair’s absence. The offices of Chair and Vice Chair may only be filled by Forum Member representatives.

No person may serve as Chair for more than a two-year period or be elected to Vice Chair upon expiration or termination of the person’s service as Chair, but a person is eligible to be elected as Chair again after having vacated the position as Chair for at least two years.

(b) Manner of conducting nominations: At least sixty (60) days prior to the expiration of the current Chair’s term or upon his/her early termination as Chair, the Chair or Vice Chair will announce through the management mailing list that nominations are open for the office of Chair and the Vice Chair will automatically be nominated as the next Chair, but Forum Members may nominate themselves or others to be additional candidates as Chair. A Vice Chair may decline the nomination to the office of Chair and/or indicate an intent to seek nomination for re-election to the office of Vice Chair. The nomination period for Chair will last for at least one week but no longer than four weeks. Upon the close of the nominations for Chair, the nomination period for the office of Vice Chair shall immediately open. The nomination period for Vice Chair will last for at least one week but no longer than four weeks.

(c) Manner of holding officer elections: If a single individual is nominated for a position, the Forum will hold a ballot to confirm appointment of the nominee. For the confirmation ballot, each Member is entitled to a single vote regardless of the number of participating Member representatives or whether the Member is categorized as a Certificate (or Root Certificate) Issuer or a Certificate Consumer. If multiple votes are received from a Member’s representatives, the last vote submitted during the voting period is considered the Member’s vote. The single nominee is considered confirmed if a majority of the Members who vote are in favor of the appointment, regardless of the number of votes cast and irrespective of whether 2/3 of the Certificate (or Root Certificate) Issuers or 1/2 of the Certificate Consumers approve appointment of the nominee.

If more than one candidate is nominated for Chair or Vice Chair, the Forum will announce an election ballot to determine which candidate will fill the position. Within two weeks after the close of the nomination period, the Chair or Vice Chair will establish an election committee and announce the election ballot on the management mailing list along with the ballot start date, ballot end date, and a description of the voting process. The Chair or Vice Chair will appoint the election committee by selecting at least two volunteers who have a reputation for independence, preferably individuals without voting rights in the Forum and that participate as Associate Members. The election committee is responsible solely for tallying Member votes in connection with the election ballot. The description must include the email address(es) where Members will send their vote, which should be the email addresses of the election committee.

For election ballots, each Member is entitled to a single vote regardless of the number of participating Member representatives or whether the Member is categorized as a Certificate (or Root Certificate) Issuer or a Certificate Consumer. If multiple votes are received from a Member’s representatives, the last vote submitted during the voting period is considered the Member’s vote. Within two weeks after the election ballot closes, the election committee will compile the votes, ensure that only one vote is counted per Member, confirm the results with other members of the election committee, and publish the ballot results by sending an email to the Public Mail List. The election committee will not include any votes submitted before or after the voting period when compiling the votes. The ballot results email will contain only the following information: a short description of the ballot purpose, the total number of votes submitted during the ballot period, and the name of the nominee receiving the most votes. The election committee may include other language as necessary to accurately describe the ballot and any concerns the election committee had with the ballot, provided that such language does not disclose how individual Members voted. The election committee will treat the votes of individual Members as confidential information. The nominee receiving the most votes is appointed to the applicable position, regardless of the number of votes cast and irrespective of whether 2/3 of the Certificate (or Root Certificate) Issuers or ½ of the Certificate Consumers voted for the nominee. If the election ballot results in a tie among the candidates receiving the most votes, the Chair or Vice Chair will call for another election ballot that includes only the two tying candidates.

(d) Duties: The Chair and Vice Chair shall exercise their functions in a fair and neutral manner, allowing all Members equal treatment for their comments and proposals, and shall not favor one side over another in any matter (except that the Chair and Vice Chair may indicate their own position during discussion and voting on the matter). The Chair and Vice Chair shall have no personal liability for any activities of the Forum or its Members or Interested Parties.

The Chair or the Vice Chair may sign correspondence, applications, forms, Letters of Intent, and Memoranda of Understanding relating to projects with standards bodies, industry groups, and other third parties, but shall have no personal liability therefor.

4.2 Finances

Because the Forum has no corporate status, it will not maintain funds or banking accounts. The costs of operating Forum websites or mailing lists will be covered by voluntary contributions from Members (who may seek voluntary contributions from other Members to help defray such costs). Members may propose other group activities which they propose to sponsor (e.g., research projects, etc.) which require funding and may seek voluntary contributions from other Members for such activities.

Forum Meetings may be held from time to time upon the voluntary sponsorship of one or more Members. The sponsor of a Forum Meeting may suggest a fixed cost per meeting participant as reimbursement to the sponsor to cover (a) the cost of meeting rooms and refreshments, and (b) the cost of any meeting dinner or other group activity. Sponsors will be encouraged to announce any suggested per-participant fixed cost reimbursement amount in advance of the Forum Meeting for participant planning purposes, and will provide a statement or invoice to each participant upon request after the Forum Meeting for submission to the participant’s accounting department. All per-participant reimbursements shall be paid directly to the sponsor.

Interested Parties will not be required to pay anything for their participation in Forum activities, but must cover their own expenses for participation in any CWG meetings.

  5. FORUM ACTIVITIES

5.1 Member Mail List and Member Web Site

The Forum shall maintain a Member Mail List and Member Web Site that are not accessible by the public. The following matters may be posted to the Member Mail List and Member Web Site:

(a) Draft minutes of Forum meetings (both virtual and in-person, and including any sub-groups or committees) will be posted to the Member Mail List to allow Members to make sure they are being correctly reported.

Minutes will be considered final when approved at a subsequent Forum Meeting or Forum Teleconference; provided, however, that if there is no Forum Meeting or Forum Teleconference scheduled within 3 weeks of the publication of the draft minutes, then any Member may request that the Chair or Vice Chair submit the minutes for approval via the Member Mail List. Final minutes will then be posted to the Public Mail List and Public Web Site. The Chair will, upon request, make redactions of any part of the public copy of the minutes identified as private or sensitive by either the information discloser or a member mentioned or affiliated with the subject of the information.

(b) Nominations for officer positions, Forum Meeting and Forum Teleconference scheduling issues, and discussion of Forum financial issues.

(c) Security incidents if, in the opinion of the Members, discussion on the Public Mail List could reasonably be detrimental to the implementation of security measures by Members.

(d) Proposed responses to questions sent to the Questions Mail List.

(e) Matters which, in the opinion of the Members, require confidentiality.

Members have discretion about which mailing list they use, but are strongly encouraged to use the Public Mail List for matters other than those listed above.

Members are strongly discouraged from posting the text of Member Mail List messages to the Public Mail List without the permission of the author or commenter.

5.2 Public Mail List and Public Web Site

The Chair shall appoint a List Manager who shall maintain a Public Mail List. Members and Interested Parties may post to the Public Mail List in compliance with these Bylaws. Anyone else is allowed to subscribe to and receive messages posted to the Public Mail List, which may be crawled and indexed by Internet search engines.

The Chair shall appoint a Webmaster. The Webmaster shall post instructions on the Public Web Site for subscribing to the Public Mail List.

The following materials shall be posted to the Public Mail List or Public Web Site:

(a) Draft and final agendas for LWG and CWG meetings, Forum Meetings and Forum Teleconferences (including any sub-groups or committees).

(b) Final minutes of Forum Meetings and Forum Teleconferences (including minutes of any sub-groups or committees), and minutes of all LWG and CWG teleconferences and meetings.

(c) Messages formally proposing a Forum ballot (including ballots to establish, extend, modify, or terminate LWGs (as applicable) and CWGs), individual votes, vote and quorum counts, and messages announcing ballot outcomes and voting breakdowns.

(d) Initial and final drafts of Forum requirements, guidelines, and recommendations after the drafter has had an opportunity to receive and respond to initial Member comments.

(e) Initial and final drafts of CWG charter documents, guidelines, and recommendations after the drafter has had an opportunity to receive and respond to initial Working Group member comments.

5.3 Working Groups

5.3.1 Formation of Chartered Working Groups

(a) Members who desire to form a new “Chartered” Working Group (CWG) shall propose a charter by ballot pursuant to Section 2.1 above. A CWG typically consists of Certificate (or Root Certificate) Issuer participants and Certificate Consumer participants, but is not required to include both. A CWG shall allow for the participation of Interested Parties and Associate Members.

(b) The charter shall outline the scope of the CWG’s activities and other important information. A template for Working Group charters is attached to these Bylaws as Exhibit C. A Working Group may deviate from the template, provided that the charter must include at least the following information:

  1. Scope of the Working Group
  2. Anticipated Working Group end date, if any
  3. Initial chairs and contacts for the Working Group
  4. Type(s) of Members eligible to participate in the Working Group (e.g., Members, Interested Parties, and Associate Members)
  5. Voting structure for the WG
  6. Summary of the work that the WG plans to accomplish
  7. Summary of major deliverables and guidelines for the Working Group
  8. Primary means of communication to be used by the Working Group (see subsection (d) below)
  9. Mandatory applicability of the IPR Policy

(c) After the charter is approved, the CWG MAY elect a new Chair by majority vote of the CWG’s members, or as otherwise specified in the charter. The CWG Chair will send an invitation to the Public Mail List for an initial CWG meeting and will solicit eligible Members, Associate Members and Interested Parties (as specified in the charter) with expertise and interest in the CWG’s subject matter to participate in the CWG. In order to participate in a Working Group, a party must have agreed to the IPR Policy Agreement and formally declared participation. Each CWG Chair shall be responsible for ensuring that all parties attending the respective CWG meetings have signed the IPR Policy Agreement and have formally declared their participation in the CWG via the mechanism designated by the Forum prior to attending.

(d) Each CWG may establish its own means for their communications, as provided in the charter, but such means should be managed in the same fashion as the Public Mail List and employed by the CWG with a similar level of transparency as appropriate to their nature with public archives for written methods of communication. CWGs may meet by teleconference or have face-to-face meetings as provided in the charter, but the Forum shall not be responsible for the expenses of any such teleconferences or meetings.

(e) CWGs may establish any number of subcommittees within its own Working Group to address any of such CWG’s business (each, a “Subcommittee”). A CWG-created Subcommittee needs to be approved by the CWG itself according to the approval process set forth in the CWG charter, but approval of the Forum is not necessary. Subcommittees must exist under an approved CWG.

5.3.2 Rechartering, Extending and Dissolving Working Groups

(a) Rechartering. CWGs may only amend their charters via the ballot procedure described in Section 2.3 above. After Forum approval of an amended CWG charter, the new charter takes effect immediately, or as specified in the amending ballot. This amendment process does not itself require an Interim WG Chair to be appointed, unless specified in the amending ballot.

(b) Extending. Unless extended, a CWG will expire on the date specified in its charter, if any. To extend a CWG charter, the Forum Chair may, at the Forum Chair’s discretion, conduct a 14-day poll (yes/no regarding the extension) of the Forum, initiated through the Public List. If no objection is made to the extension during the poll, the extension is deemed approved. If an objection (“no” vote) is made during the poll, an extension shall be determined using the ballot procedure described in Section 2.3 above. This provision may only be used to continue the work of the CWG under the existing charter and scope.

(c) Dissolving. The Forum can dissolve a CWG via a ballot following the Forum’s regular voting rules in Section 2.3 above. The Forum may not dissolve a CWG prior to the end date specified in its charter, if any, without such a ballot.

5.3.3 Output of Working Groups

(a) CWGs may adopt Final Guidelines and Final Maintenance Guidelines within the scope of their charters and according to the provisions (including voting processes) of the CWG’s charter. All Final Guidelines and Final Maintenance Guidelines must be posted on the Public Mail List.

(b) Final Guidelines and Final Maintenance Guidelines developed by a CWG do not need to be approved by the Forum at large.

5.3.4 Legacy Working Groups

Any “Legacy” Working Groups (“LWG”) in existence when this Bylaws v.1.8 is approved by the Forum shall have the option of (a) converting to a Subcommittee under a CWG pursuant to Section 5.3.1(e), (b) immediately terminating, or (c) continuing in effect without change for 6 months following such approval. For an LWG to continue beyond such 6 months, it must have a charter approved as described in Section 5.3.1 above, as if it was a new Working Group.

5.4 Forum Teleconferences and Forum Meetings

From time to time the Forum will hold Forum Teleconferences and Forum Meetings among the Members and Associate Members, who may participate in person or (where feasible) by teleconference. Interested Parties and others may be invited by the Chair, in the Chair’s discretion, to participate in those portions of Forum Teleconferences and Forum Meetings that are relevant to their expertise or their participation in a CWG.

5.5 IPR policies

As a requirement for membership, Members must execute and return to the Chair the IPR Agreement attached as Exhibit A before participating in any CWG. As the IPR Policy is amended from time to time, Members will be required to execute and return a new IPR Agreement within 90 days of the Forum’s written request; if a Member fails to execute and return the new IPR Agreement within such 90-day period, then the Member’s Forum membership shall default to an Associate Membership until the agreement is signed and returned.

As a requirement for participation in any CWG as an Associate Member or Interested Party, Associate Members and Interested Parties must execute and return to the Chair the IPR Agreement attached as Exhibit A before participating in any CWG. As the IPR Policy is amended from time to time, Associate Members and Interested Parties will be required to execute and return a new IPR Agreement within 90 days of the Forum’s written request; if an Associate Member or Interested Party fails to execute and return the new IPR Agreement within such 90-day period, its participation in Forum calls, meetings, activities, and events shall be suspended until the agreement is signed and returned.

  6. MISCELLANEOUS

6.1 Posting and Amendment of the Bylaws

The current version of the Bylaws shall be posted to the Public Web Site. These Bylaws may be amended by subsequent ballot(s) of the Members.

6.2 Procedure for Dealing with Questions and Comments

The Forum procedure for dealing with questions and comments sent to the Questions Mail List shall be as follows. The Chair shall appoint a Questions List Coordinator. The responsibilities of the Questions List Coordinator are:

(a) If practical, within 24 hours send an acknowledgment to the questioner indicating that the question or comment has been received and that a response will be provided as soon as is practical.

(b) Coordinate discussion using the Member Mail List until consensus has been achieved.

(c) Post the proposed response to the Member Mail List indicating that Members have 24 hours to object.

(d) If no objections are received before the deadline expires, then send the response to the questioner.

(e) If consensus cannot be achieved, or one or more objections are received, then the matter should be dealt with in the next Forum Meeting or Forum Teleconference.

6.3 Interpretation of Bylaws

Nothing in these Bylaws is intended to supersede or replace anything in the IPR Policy. In the event of a conflict between these Bylaws and the IPR Policy, the IPR Policy shall govern.

6.4 Code of Conduct

All Members shall abide by the CAB Forum Code of Conduct, which is attached to these Bylaws as Exhibit B.

DEFINITIONS

Affiliate: An entity that directly or indirectly controls, is controlled by, or is under common control with, another entity. Control for the purposes of these Bylaws shall mean direct or indirect beneficial ownership of more than fifty percent of the voting stock, or decision-making authority in the event that there is no voting stock, in an entity.

Forum Meetings: Face-to-face plenary meetings of Members as scheduled from time to time, and does not include meetings such as Working Group, subgroup, committee, or PAG meetings.

Forum Teleconferences: Teleconference plenary meetings of Members as scheduled from time to time, and does not include meetings such as Working Group, subgroup, committee, or PAG meetings.

Member: A Member of the Forum or a representative of the Member (depending on context).

Member Mail List: The email list-serv maintained by the Forum for communications by and among Forum Members. The Member Mail List is not available to Interested Parties or Other Parties.

Member Web Site: The password-protected web site available only to Members (currently called the CA/Browser Forum Wiki).

Public Mail List: The public email list-serv currently located at public@cabforum.org and maintained by the Forum for communications by and among Members and Interested Parties. The Public Mail List may be read by Other Parties, but Other Parties may not post to the Public Mail List.

Public Web Site: The web site available only to Members, Interested Parties, and Other Parties (currently located at cabforum.org). A Forum Member will be appointed as Webmaster and will control all postings to the Public Web Site.

Questions Mail List: The email list-serv currently located at questions@cabforum.org maintained by the Forum for communications from the public to the Forum.

Exhibit A – CAB Forum IPR Policy Agreement

This CAB Forum IPR Policy Agreement (the “Agreement”) constitutes a binding contract amongst all participants who make Contributions during the process of developing a Draft Guideline for the purpose of incorporating such material into a Draft Guideline or a Final Guideline of the CA / Browser Forum.

In consideration of the mutual promises herein, Participant agrees on his/her/its behalf, and on behalf of any Affiliates (as that term is defined in the CAB Forum Intellectual Property Rights Policy (the “IPR Policy”)), to abide by the terms of the IPR Policy, incorporated herein by reference. Participant acknowledges that some of its obligations under the IPR Policy may survive the termination of this Agreement, as more fully described in the IPR Policy.

The party signing this Agreement intends that it shall take effect as an instrument under seal. If such party is not a natural person, the individual signing this Agreement for the Participant represents and warrants that he or she has the authority to enter into this Agreement on behalf of the Participant.

The Participant represents and warrants that either: (a) it has the authority to enter into this Agreement on behalf of all of its Affiliates; or (b) it has no Affiliates; or (c) each of its Affiliates has executed and delivered to the CAB Forum a countersignature to this Agreement, indicating that it consents to this Agreement, and agrees to enforce this Agreement’s terms as to any of such Affiliate’s Intellectual Property, including such terms as may properly be changed by the CAB Forum by notice to the Participant under this Agreement.

PARTICIPANT

By: (Signature)

Print Name

Title:

Participant Organization Name (if entity) Date:

EXHIBIT B – CAB Forum Code of Conduct (the “Code”)

The CAB Forum (the “Forum”) is comprised of a global group of professionals with differences in language, skills, expertise, experience, and backgrounds. To maintain a professional and productive environment, it is necessary for Members of the Forum to follow the letter and spirit of this Code. This Code applies to all official Forum activities, such as meetings, teleconferences, mailing lists, conferences, and other Forum functions. The Forum is committed to maintaining a professional and respectful environment.

All Member representatives are expected to behave in a collegial and professional manner in accordance with this Code. Members will familiarize their representatives with this Code and require them to comply with the letter and spirit of this Code.

I. Conduct. The Forum is committed to providing a friendly, safe, and welcoming environment for all, regardless of gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, nationality, or other similar characteristic. The Forum recognizes and appreciates that its participants have diverse languages, backgrounds, experience, and expertise, and expects that all participants will be treated with respect by all other participants.

(a) In connection with official Forum activities, all Forum participants shall:

  • Be polite, kind, and courteous to other participants, refraining from insulting remarks on the perceived intelligence or ability of others.
  • Treat fellow Forum participants with respect, professionalism, courtesy, and reasonableness.
  • Respect that people have differences of opinion, and that there is seldom unanimous agreement on a single “correct” answer. Be willing to compromise and agree to disagree.

(b) In connection with official Forum activities, all Forum participants shall refrain from conduct such as:

  • Threatening violence towards anyone.
  • Discriminating against anyone on the basis of personal characteristics or group membership.
  • Harassing or bullying anyone verbally, physically, or sexually.
  • Launching barbs at others. [Note: a “barb” is an obviously or openly unpleasant or carping remark.]
  • Touching another person in a physically inappropriate way.
  • Deliberately intimidating or stalking another person (in-person, online, or by other means).
  • Inappropriately disrupting or impeding official Forum events, including meetings, talks, and presentations. For purposes of this Code, “inappropriate disruption” would include aggressive, violent, and abusive conduct that prevents an official Forum event from occurring or proceeding.
  • Spamming, trolling, flaming, baiting, and other similar behavior inappropriately directed towards an individual.
  • Advocating for, or encouraging, any of the above behavior.

(c) All Forum participants should promote the rules of this Code and take action to bring discussions back into compliance with the Code whenever violations are observed.

(d) Forum participants should stick to ideological, conceptual discussions and avoid engaging in offensive or sensitive personal discussions, particularly if they’re off-topic; such personal discussions can lead to unnecessary arguments, hurt feelings, and damaged trust.

II. Moderation. These are the policies for upholding the Code.

(a) Resist the urge to be defensive. Remember that it’s your responsibility to clearly communicate your message to your fellow participants. Everyone wants to get along and we are all in the Forum first and foremost because we want to talk about standards and everything that involves. Other participants will be eager to assume good intent and forgive as long as you have earned their trust. Participants should inform the Chair, Vice Chair, and/or a Working Group Chair immediately if they feel they have been, or are being, harassed or made uncomfortable by a Forum member. Intimidation, personal attacks, and retaliation of any kind will not be tolerated. Any Forum participant may report, in good faith, a perceived violation of the Code to the Forum Chair or Vice Chair, or to a Working Group Chair (each, a “Code Liaison”). One or more Code Liaison(s) will work with the reported Forum participant to determine whether a violation of the Code has occurred and, if so, how to resolve it. Resolution may also include appropriate executives from the Forum participant’s Member company, as appropriate. If the reported Forum participant, Member executives, and the Code Liaison(s) are unable to resolve the issue, any of the foregoing may request the assistance of a reasonably acceptable independent third party (such as an Interested Party or WebTrust) to assist with the resolution.

(d) Members agree to take appropriate action in the event any of their Member representatives violate the Code. Such action could include warning, reprimanding, suspending, removing or replacing the Member representative who has violated the Code, depending on the severity of the violation. Depending on the number and severity of violations, the Forum may impose consequences such as excluding a Member representative from certain meetings, removing a Member representative from a mailing list, and suspending a Member representative from certain Forum activities.

Adapted from the WHATWG Code of Conduct [https://wiki.whatwg.org/wiki/Code_of_Conduct], the W3C Code of Ethics and Professional Conduct [https://www.w3c.org/Consortium/cepc/], and the Citizen Code of Conduct [citizencodeofconduct.org].”

Exhibit C – CAB Forum Charter Template

[insert name] Working Group Charter

The mission of the [insert name] Working Group is to: [Insert short summary of what WG will do.]

End date: (e.g., December 31, 2019)

Initial Chair(s):

Initial Team Contact(s):

Meeting Schedule: (e.g., conference call 1st Thursday of the month, F2F once per year)

Type(s) of Members Eligible to Participate: (e.g., CAs and Browsers)

Voting Structure for WG: (e.g., 2/3 of CAs, ½ of Browsers)

  1. Working Group Scope

1.1 Summary of Working Group Goals and Objectives

[Describe goals and objectives of WG. What is the purpose of the WG, what do you hope to accomplish, why is this group important/necessary? Will this group leverage any existing work or collaborate with other groups?]

1.2 Success Criteria

  • Prepare a ballot to create guidelines for the [insert name] Working Group.
  • In order to advance to Final Guidelines or Final Maintenance Guidelines, each specification is expected to have [e.g., at least x independent implementations of each feature defined in the specification].
  • Work with Forum to have guidelines for the [insert name] Working Group be approved and adopted.

1.3 Minimum Requirements

Each WG must meet the following minimum requirements:

  • Comply with all applicable laws, rules and regulations.
  • Comply with the CAB Forum IPR Policy and Bylaws.
  • Follow RFC 3647 and other technical requirements regarding the preparation of minutes and the use of public mailing lists.
  • [Any other requirements applicable to this specific WG?]

1.3 Out of Scope

[What is out of scope for this WG, what are items that this WG will not work on? For example, solving world hunger, fixing global warming, boiling the ocean]

  2. Summary of Work

2.1 Guidelines

The Working Group will deliver the following: [Draft of guidelines for WG review] [Draft of ballot for approval of guidelines] [Ballot approval of guidelines] [Final or Final Maintenance] Guidelines: [describe] [describe]

2.2 Other Deliverables

The Working Group may work on related deliverables and non-normative documents, such as: [describe] [describe]

2.3 Milestones

The initial milestones for the [Final or Final Maintenance] Guidelines are as follows. Such milestones may be modified or replaced by consensus of the Working Group members.

[developmental milestone 1]

[developmental milestone 2]

[developmental milestone 3]

[developmental milestone 4]

  3. Dependencies and Liaisons

3.1 CAB Forum Groups

This Working Group will coordinate with, and seek guidance from, the following other CAB Forum Working Groups (if applicable): [specify] [specify]

3.2 External Groups

This Working Group will coordinate with, and seek guidance from, the following outside organizations:

[IETF?]

[W3C?]

[specify]

  4. Participation

To be successful, the [insert name] Working Group is expected to have [insert #] or more active participants for its duration. The Working Group participants are expected to contribute an appropriate number of hours per week towards the Working Group’s activities.

  5. Communication

Most Working Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis. This group conducts its work primarily on [insert name of mailing list], which is available [to members only/to the public.] Information about the group will be available via the [CAB Forum website].

  6. Decision Process

This Working Group will seek to make decisions when there is consensus and with due process. The expectation is that, typically, the Chair or other participant makes an initial proposal, which is then refined in discussion with the Working Group participants, and consensus emerges with little formal voting being required. However, if a decision is necessary for timely progress, but consensus is not achieved after careful consideration of the range of views presented, the Chair(s) should put the question out for voting within the WG (using email and/or web-based survey techniques) according to Section 2 (Forum Membership and Voting) of the Forum Bylaws and record a decision, along with any objections. The matter should then be considered resolved unless and until new information becomes available.

  7. IPR Policy

This Working Group is subject to the CAB Forum Intellectual Rights Policy v.1.3 Effective July 3, 2018 (the “IPR Policy”). To promote the widest adoption of the CAB Forum Guidelines, CAB Forum seeks to issue Final Guidelines and Final Maintenance Guidelines that can be implemented, according to the IPR Policy, on a CAB Forum Royalty-Free License basis. For information about exclusion of Essential Claims, see Section 4 of the IPR Policy.

  8. About this Charter

This charter for the [insert name] Working Group has been created according to Section 5.3.1 of the Bylaws of the CAB Forum. In the event of a conflict between this charter and any provision in either the Bylaws or the IPR Policy, the provision in the Bylaws or IPR Policy shall take precedence.

Exhibit C – Charter for Server Certificate Working Group

Server Certificate Working Group Charter

Upon approval of the CAB Forum by ballot, the Server Certificate Working Group (“Working Group”) is created to perform the activities as specified in this Charter, subject to the terms and conditions of the CA/Browser Forum Bylaws and Intellectual Property Rights (IPR) Policy, as such documents may change from time to time. The definitions found in the Forum’s Bylaws shall apply to capitalized terms in this Charter.

SCOPE: The authorized scope of the Server Certificate Working Group shall be as follows:

  1. To specify Baseline Requirements, Extended Validation Guidelines, Network and Certificate System Security Requirements, and other acceptable practices for the issuance and management of SSL/TLS server certificates used for authenticating servers accessible through the Internet.

  2. To update such requirements and guidelines from time to time, in order to address both existing and emerging threats to online security, including responsibility for the maintenance of and future amendments to the current CA/Browser Forum Baseline Requirements, Extended Validation Requirements, and Network and Certificate System Security Requirements.

  3. To perform such other activities that are ancillary to the primary activities listed above.

OUT OF SCOPE: The Server Certificate Working Group will not address certificates intended to be used primarily for code signing, S/MIME, time-stamping, VoIP, IM, or Web services. The Server Certificate Working Group will not address the issuance, or management of certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, and for which the Root Certificate is not distributed by any Application Software Supplier.

Anticipated End Date: None.

Initial chairs and contacts: Chair, Kirk Hall, kirk.hall@entrustdatacard.com; Vice Chair, Ben Wilson, ben.wilson@digicert.com; terms to run concurrently with their terms as Chair and Vice Chair of the Forum, respectively, unless otherwise voted upon by the Working Group.

Members eligible to participate: The Working Group shall consist of two classes of voting members, the Certificate Issuers and the Certificate Consumers. The CA Class shall consist of eligible Certificate Issuers and Root Certificate Issuers meeting the following criteria:

(1) Certificate Issuer: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit, or ETSI TS 102042, ETSI 101456, or ETSI EN 319 411-1 audit report prepared by a properly-qualified auditor, and that actively issues certificates to Web servers that are openly accessible from the Internet, such certificates being treated as valid when using a browser created by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.

(2) Root Certificate Issuer: The member organization operates a certification authority that has a current and successful WebTrust for CAs, or ETSI TS 102042, ETSI TS 101456, ETSI EN 319 411-1 audit report prepared by a properly-qualified auditor, and that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet, such certificates being treated as valid when using a browser created by a Certificate Consumer Member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.

(3) A Certificate Consumer can participate in this Working Group if it produces a software product intended for use by the general public for browsing the Web securely.

The Working Group shall include Interested Parties and Associate Members as defined in the Bylaws.

Voting structure: In order for a ballot to be adopted by the Working Group, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three Server Certificate Working Group Meetings or Teleconferences (not counting subcommittee meetings thereof). For transition purposes, if three meetings have not yet occurred, quorum is ten (10).

Summary of the work that the WG plans to accomplish: As specified in Scope section above.

Summary of major WG deliverables and guidelines: As specified in Scope section above.

Primary means of communication: listserv-based email, periodic calls, and face-to-face meetings.

IPR Policy: The CA/Browser Forum Intellectual Rights Policy, v. 1.3 or later, SHALL apply to all Working Group activity.
