Intellectual property rights squabble erupts in industry group

The little-known industry group Certification Authority Browser (CA/B) Forum is suddenly becoming better known, as the powerful companies associated with it squabble ever more loudly over intellectual property rights, part of a process of redefining how the group functions.

CA/B Forum, which takes up complex technology issues associated with public-key infrastructure (PKI) and digital certificates, a few years ago came up with what's called the "Extended Validation (EV) certificate," which requires a much tighter verification process to prove the identity of the entity requesting the certificate. That was certainly a crowning achievement. But since August, CA/B Forum, made up mainly of browser makers and the certification authorities (CAs) that issue certificates, has shrunk from 49 to 33 members, as only those companies willing to sign off on the intellectual property rights (IPR) agreement the group devised are allowed to stay on as members.


According to members quarrelling over it, the new IPR document basically stipulates that members must disclose all patents they hold related to PKI and digital certificates in order to retain the right to claim licensing royalties on any technologies the CA/B Forum develops around them in the future. In other words, the idea is that members put their cards on the table before new technology gets developed.

"Legally, we can't comply with it," Jon Callas, chief technology officer at Entrust, says about the IPR document. Entrust felt it had to resign from the CA/B Forum because its internal legal department couldn't approve the CA/B legal document it was asked to sign.

The problem, according to Callas, is that Entrust, owned by private equity firm Thoma Bravo, can't make assurances about everything affiliated with that firm, much of which it might not even know about. Entrust, a founding member that played a big role in creating the EV certificate, "wants to be involved" in the CA/B Forum, Callas says.

Besides Entrust, other companies known to have resigned their memberships include IdenTrust, RSA, RIM and Verizon Cybertrust. These companies declined to sign the IPR agreement, acknowledges Dean Coclin, senior director of business development at Symantec. He says T-Systems, based in Germany, had also balked at the IPR agreement but now appears likely to sign it.

Symantec is believed to have about 38% global share of the general SSL certificate market and about 65% of the EV certificate market; Entrust, for its part, is believed to have 1.2% and 2.47%, respectively, according to Netcraft. Year-over-year growth in the overall SSL certificate market is said to be more than 20%, with the EV certificate market growing at about 33%.

"We all want Entrust back in the Forum," says Coclin. "They had a problem with the way 'affiliate' is defined." He adds that an attempt at reconciliation is being made. Entrust had chaired the group; with its departure, the group now has two acting co-chairs, Symantec and DigiCert.

Remaining CA/B Forum members that have agreed to the IPR document include Microsoft, Google, Apple, Mozilla, Opera, PayPal and GoDaddy, according to Coclin. He says the group is considering how it could alter the IPR document to satisfy Entrust, but he admits that after reviewing this IPR issue for two years, the group is suffering from some "IPR fatigue."

"As long as you've disclosed the patents, you're not required to give a royalty-free license," says Coclin about the basic concept behind the IPR document: that no one in the group should be "holding back" from disclosing patents they hold that could somehow be relevant to future work the CA/B Forum does.

The intellectual-property legal debate is just one topic that has roiled the CA/B Forum as it seeks to give a more formal organizational structure to what has been a loosely defined group of members who have been meeting biweekly by conference call for the past six years, according to Coclin.

But even as the group tries to ride out the turbulence wrought by change, it's still trying to put forward constructive work accomplishments.

For one thing, it has put out what it calls "Baseline Requirements" that certification authorities are asked to follow, and CAs face audits each year against what's called the "WebTrust" principles. A number of security breaches have struck CAs over the past two years, and in an attempt to improve security, the group has just published what it calls "network security controls" documents that CAs must follow. But Coclin admits the documents are hardly comprehensive, and the topic is going to be looked at more carefully in the future.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
