Furore over changes to licensing policy at CA/Browser Forum
The Certification Authority Browser Forum's (CA/Browser Forum) new licensing policy has caused a furore within the very organisation meant to be responsible for guidelines and best practices for SSL certification. Prominent member organisations, including cryptography specialists RSA, BlackBerry manufacturer RIM and US carrier Verizon, are missing from the latest member list, updated in August. Entrust, a founder member of the organisation, has loudly expanded on the reasons for its withdrawal, which it explains is due to the organisation allegedly forcing members to make patented technologies available licence-free. In a posting to CA/Browser Forum's public mailing list, certificate provider StartCom has responded by calling the allegation "a lie which I'm sure you are very well aware of".
The new licensing policy favours licence-free standards for the certification market. The aim is to broaden the spread of technology developed by the voluntary standardisation organisation. According to the new Intellectual Property Rights (IPR) Policy document, the organisation will generally decline to ratify guidelines that depend on technologies requiring the payment of licensing fees. In addition, any patent claims would have to be disclosed in advance. According to paragraph 4.2, CA/Browser Forum members can, however, apply to forum members to have their patents excluded from the royalty-free licensing condition.
This fact forms the basis of StartCom CEO Eddy Nigg's criticism of Entrust. According to Nigg, Entrust's statements on one of the forum's public mailing lists, where it describes the system for excepting some patents as too administratively burdensome, are much more nuanced. Nigg was also irked by Entrust's claim that many of the 19 companies no longer listed as members are also unhappy with the new IPR policy. According to Nigg, CA/Browser Forum is currently agreeing a statement on the issue.
T-Systems, which has also vanished from the membership list, has indicated that it is happy with the licensing policy in principle. A representative told The H's associates at heise online that, "we are preparing to sign the document. The IPR policy will cover all of our subsidiaries. With 69 subsidiaries, these things just take a little longer." KDE e.V. was a little more circumspect. KDE board member Lydia Pintscher confirmed that the organisation is currently discussing its membership of the forum. She did not comment on the organisation's standpoint regarding the IPR policy itself.
The certification market is currently under pressure as a result of a series of incidents involving compromised certificates and certification authorities, and of the increasing options for enterprise IT departments and other users to sign their own domains and save them to a DNS secured using DNSSEC.
(Monika Ermert / djwm)