Last week the Certificate Authority / Browser Forum (CA/B) voted down a motion to extend a deadline for its members to sign an intellectual property rights agreement (IPR). Signing this agreement is mandatory to retain membership. Those who had not signed by August 1st are no longer members of the CA/B Forum. Entrust, CyberTrust (Verizon), and Research In Motion (RIM) are among the CAs who did not, or would not sign the IPR. They’re all out.
What’s so important about the IPR is that it enables CAs and browsers to work together as an industry to develop improved Internet security standards without infringing on any particular organization’s intellectual property rights. This transparent, collaborative workgroup will help drive innovation to better secure data in transit over the Internet.
As a result of their inaction, the CA’s mentioned above will not have a role in forging a more secure future for businesses, governments and consumers worldwide. Whether its because their corporate owners fear that transparency will hurt their valuation, or if the CA has historically never actively participated in the CA/B Forum – it sends a message – security, long-term investment in security is not a top priority.
As a large company we had a lot to lose in signing the IPR, as did other companies that signed, including Microsoft, Apple and Google. We believe that transparency and collaboration for the common good outweigh internal fears over patent exposure – which can all be found though the U.S. Patent Office.
I find it disappointing to see other CAs tout their unwavering commitment to security in their marketing materials, yet decide to sit on the sidelines when the time comes to step up and work as an industry to improve SSL security practices. Talking the talk is fine, but in the Certificate Authority business you must walk the talk, continually invest in your network security infrastructure, and always innovate to provide superior security products, even when it means working with the competition. That’s what it means to be committed to security.
My team strongly believes that it is critical, for a CA that is in any way serious about security, to maintain an active membership in the CA/B Forum. Membership expresses a demonstrable commitment to work with other companies, many of them competitors, in effort to make the world a better place. It shows a sincere commitment to security on the web and it helps move the industry forward. As the largest security member of the forum we had the most to lose by signing the IPR, but we believe in the goals that the CA/B Forum is trying to achieve in the spirit of transparency.
Here’s a list of current CA/B Forum members