Dispute Over Intellectual Property Rules Divides CA/Browser Forum

Authentication vendor Entrust recently caused a stir when it announced it was leaving the CA/Browser Forum, which it co-founded, after a dispute tied to the group’s proposed rules governing intellectual property and patent licensing.

The CA/Browser Forum is an industry consortium of browser vendors and certificate authorities, and has published guidelines dealing with issues such as issuing and managing extended validation certificates. In the aftermath of breaches at certificate authorities last year, the group also published rules for managing publicly-trusted certificates.

The disagreement over the intellectual property policy went public when Entrust issued a press release explaining its decision to leave, despite being involved in the industry consortium for several years.

At the center of the controversy is the group’s recently published Intellectual Property Rights (IPR) Policy Agreement, which so far has been signed by more than 30 members and lays out rules to allow members a royalty-free license of patents that touch on proposed standards. To Entrust, the policy is too expansive and would require it to give free, worldwide licenses to all patents used in Forum documents even if Entrust was not involved in writing a particular document, Entrust CTO Jon Callas explained in a blog post last week.

In comments today to SecurityWeek, he added that the rules also hurt companies like Entrust because it is owned by Thoma Bravo, a private equity firm with an extensive IP portfolio.

“There are two parts of the policy that forced us to leave,” said Callas. “One of them is that the policy applies to all companies that are owned together. We are owned by a private equity firm, and have no legal authority to enter into an agreement for those other companies. This applies to other firms that are subsidiaries of larger organizations, or to firms that are backed by private equity or venture capital.”

According to the CA/B Forum, the policy was developed over the course of two years with input from forum members. 

“The IPR policy itself includes not only mechanisms that seek to balance the interests of patent holders and implementers, but also protections common among standards setting organizations with royalty-free policies, such as the ability to exclude a patent from royalty-free licensing. See Section 4.2 of https://www.cabforum.org/IPR_Policy_V1.pdf,” a spokesperson for the forum said.

Among the forum members who have signed the policy is Symantec. Dean Coclin, Symantec’s senior director of business development, told SecurityWeek that the policy is meant to ensure there can be widespread deployment of future standards without fear of possible IP infringement. In addition, he said, there is a mechanism by which members can exclude certain patents from royalty-free licensing requirements, though Callas said the exclusion mechanism is “unclear and inconsistent.”

“Before the policy took effect, the Forum had many discussions about what the correct interpretation is,” he said. “Unfortunately, we didn’t come to a resolution before the effective date of the policy. That lack of resolution is part of why we didn’t sign.”

While Coclin stated that the forum would welcome Entrust back, he also said there is a sense of “IPR fatigue” that has set in for those who have been discussing the policy for nearly two years. He added that originally, there were 49 companies listed as members prior to Aug. 1. Of those, eight have never been involved in the organization. Of the remaining 41, 33 have signed the policy, he said.

“There’s been some numbers thrown out saying that, you know, 40 percent of the members didn’t sign,” Coclin said. “That’s totally not true. It’s really a fairly small number at this point in time.”

Callas, however, called it “a fact” that almost 40 percent of the CA/B Forum have parted ways with the organization.

“We believe that the present policy is unduly burdensome on many of the members including ourselves,” Callas said. “We believe that the present policy is divisive and bad for the Forum and therefore for the security of the Internet as a whole. We believe in an inclusive Forum that has many members who work cooperatively for benefit of everyone. We continue to work toward resolving these differences.”
