The little-known industry group Certification Authority Browser (CA/B) Forum is suddenly becoming better known, as the powerful companies associated with it squabble ever more loudly over intellectual property rights, part of a process of redefining how the group functions.
CA/B Forum, which takes up complex technology issues associated with public-key infrastructure (PKI) and digital certificates, a few years ago came up with what's called the "Extended Validation certificate," which requires a much tighter verification process to prove the identity of the entity requesting the certificate. That was certainly a crowning achievement. But since August, CA/B Forum, made up mainly of browser makers and the certification authorities (CAs) that issue certificates, has shrunk from 49 to 33 members, as only those companies willing to sign the intellectual property rights (IPR) agreement the group devised are allowed to stay on as members.
According to members quarrelling over it, the new IPR document basically stipulates that members must disclose any patents they hold related to PKI and digital certificates in order to retain the right to claim licensing royalties on technologies the CA/B Forum later develops around them. In other words, the idea is to put your cards on the table before new technology gets developed.
"Legally, we can't comply with it," Jon Callas, chief technology officer at Entrust, says about the IPR document. Entrust felt it had to resign from the CA/B Forum because its internal legal department couldn't approve the CA/B legal document it was asked to sign.
The problem, according to Callas, is that Entrust, which is owned by the private-equity firm Thoma Bravo, can't make assurances about every company affiliated with that firm, many of which it might not even know about. Entrust, a founding member that played a big role in creating the EV certificate, "wants to be involved" in the CA/B Forum, Callas says.
Besides Entrust, other companies known to have resigned their memberships include IdenTrust, RSA, RIM and Verizon Cybertrust. All of them declined to sign the IPR agreement, acknowledges Dean Coclin, senior director of business development at Symantec. He says T-Systems, based in Germany, had also balked at the IPR agreement but now appears likely to sign it.
Symantec is believed to hold about 38% of the global market for general SSL certificates and about 65% of the EV certificate market; Entrust, for its part, is believed to hold 1.2% and 2.47%, respectively, according to Netcraft. Year-over-year growth in the overall SSL certificate market is said to be more than 20%, with the EV certificate market growing at about 33%.
"We all want Entrust back in the Forum," says Coclin. "They had a problem with the way 'affiliate' is defined." He adds that an attempt at reconciliation is being made. Entrust had chaired the group; since its departure, the group has had two acting co-chairs, Symantec and DigiCert.
Remaining CA/B Forum members that have agreed to the IPR document include Microsoft, Google, Apple, Mozilla, Opera, PayPal and GoDaddy, according to Coclin. He says the group is considering how it could alter the IPR document to satisfy Entrust, but he admits that after reviewing the IPR issue for two years, the group is suffering from some "IPR fatigue."
"As long as you've disclosed the patents, you're not required to give a royalty-free license," says Coclin about the basic concept behind the IPR, that no one in the group should be "holding back" from disclosing patents they have that could somehow be relevant to future work the CA/B Forum does.
The intellectual-property legal debate is just one topic that's roiled the CA/B Forum as it seeks to impose a more formal organizational structure on what has been a loosely defined group of members meeting biweekly in conference calls over the past six years, according to Coclin.
But even as the group tries to ride out the turbulence wrought by change, it's still trying to put forward constructive work accomplishments.
For one thing, it's put out what's called the "Baseline Requirements," which certification authorities are expected to follow and against which they are audited each year under what's called the "WebTrust" program. A number of security breaches have struck CAs over the past two years, and in an attempt to improve security, the group just published what it calls a "network security controls" document that CAs must follow. But Coclin admits the document is hardly comprehensive, and the topic is going to be looked at more carefully in the future.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE.