Dispute Over Intellectual Property Rules Divides CA/Browser Forum

Authentication vendor Entrust recently caused a stir when it announced it was leaving the CA/Browser Forum, which it co-founded, after a dispute tied to the group's proposed rules governing intellectual property and patent licensing.

The CA/Browser Forum is an industry consortium of browser vendors and certificate authorities, and has published guidelines dealing with issues such as issuing and managing extended validation certificates. In the aftermath of breaches at certificate authorities last year, the group also published rules for managing publicly-trusted certificates.

SSL/TLS Certificate Standards

The disagreement over the intellectual property policy went public when Entrust issued a press release explaining its decision to leave, despite having been involved in the industry consortium for several years.

At the center of the controversy is the group's recently published Intellectual Property Rights (IPR) Policy Agreement, which so far has been signed by more than 30 members and lays out rules to allow members a royalty-free license of patents that touch on proposed standards. To Entrust, the policy is too expansive and would require them to give free, worldwide licenses to all patents used in Forum documents even if Entrust was not involved in writing a particular document, Entrust CTO Jon Callas explained in a blog post last week.

In comments today to SecurityWeek, he added that the rules also hurt companies like Entrust because it is owned by Thoma Bravo, a private equity firm with an extensive IP portfolio.

"There are two parts of the policy that forced us to leave," said Callas. "One of them is that the policy applies to all companies that are owned together. We are owned by a private equity firm, and have no legal authority to enter into an agreement for those other companies. This applies to other firms that are subsidiaries of larger organizations, or to firms that are backed by private equity or venture capital."

According to the CA/B Forum, the policy was developed over the course of two years with input from forum members. 

"The IPR policy itself includes not only mechanisms that seek to balance the interests of patent holders and implementers, but also protections common among standards setting organizations with royalty-free policies, such as the ability to exclude a patent from royalty-free licensing. See Section 4.2 of https://www.cabforum.org/IPR_Policy_V1.pdf," a spokesperson for the forum said.

Among the forum members who have signed the policy is Symantec. Dean Coclin, Symantec's senior director of business development, told SecurityWeek that the policy is meant to ensure there can be widespread deployment of future standards without fear of possible IP infringement. In addition, he said, there is a mechanism by which members can exclude certain patents from royalty-free licensing requirements, though Callas said the exclusion mechanism is "unclear and inconsistent."

"Before the policy took effect, the Forum had many discussions about what the correct interpretation is," he said. "Unfortunately, we didn't come to a resolution before the effective date of the policy. That lack of resolution is part of why we didn't sign."

While Coclin stated that the forum would welcome Entrust back, he also said there is a sense of "IPR fatigue" that has set in for those who have been discussing the policy for nearly two years. He added that originally, there were 49 companies listed as members prior to Aug. 1. Of those companies, eight of them have never been involved in the organization. Of the remaining 41, 33 have signed the policy, he said.

"There's been some numbers thrown out saying that, you know, 40 percent of the members didn’t sign," Coclin said. "That's totally not true. It's really a fairly small number at this point in time."

Callas however called it "a fact" that almost 40 percent of the CA/B Forum have parted ways with the organization.

"We believe that the present policy is unduly burdensome on many of the members including ourselves," Callas said. "We believe that the present policy is divisive and bad for the Forum and therefore for the security of the Internet as a whole. We believe in an inclusive Forum that has many members who work cooperatively for benefit of everyone. We continue to work toward resolving these differences."
