SSL certificate provider Entrust has announced its withdrawal from the Certification Authority/Browser Forum on Thursday, citing problems with the new mandatory Intellectual Property Rights Policy the group has adopted.
The IP policy requires CAB Forum’s members to provide fellow members a royalty-free license of their patents that touch on proposed standard. CAB Forum says this is to promote the widest adoption of CAB Forum Guidelines.
“It is with deep regret that Entrust is exiting an organization that we co-founded, co-chaired and provided invaluable leadership for more than six years,” Entrust CEO and president Bill Conner said in a statement. “We understand why large certification authorities and browser developers are asking for free intellectual property, and we also realize why smaller vendors would like it for free. We do not believe, however, that simply giving away intellectual property makes the SSL market safer. In fact, we’re of the strong opinion it does the exact opposite.”
With the recent security compromises of certificate authorities like DigiNotar in the past year, the CA/Browser Forum hopes to create more standardization around SSL security and policy. Entrust says the IPR policy would have a negative impact on security.
“By making CA/Browser Forum members’ intellectual property available to all, many smaller, unproven CAs are empowered with issuing digital certificates that could very well jeopardize the trust and security of the entire Internet. Entrust can’t support this position.”
According to Entrust, it is one of 18 members that have decided to leave the forum. In a blog post, Entrust CTO Jon Callas says other companies such as IdenTrust, Network Solutions, RIM, RSA and T-Systems are part of the group that has dediced to leave.
Callas says the problem with the policy where Entrust is concerned is that it extends to affiliate organizations as well. This would apply to the entire portfolio of its parent equity company, Thoma Bravo.
“That obligation would also apply to any new companies our owner purchases and would continue to the present partner companies once they leave Thoma Bravo,” he says.
Callas calls the IPR policy too “expansive” since it requires it to give free licenses to all patents used in forum documents even if it didn’t participate in writing that document.
“We, along with some other former members, are working with the Forum to come up with an alternate intellectual property policy that addresses these concerns. We hope that all of us will be able to resume participation soon.”
Entrust says since the forum is a voluntary organization it will not affect its certificate roots in various browsers.
In May, security researchers submitted a proposal to the Internet Engineering Task Force for a new extension to the Transport Layer Security protocol that would allow browsers to detect and block fraudulent SSL certificates.
Talk back: What do you think of the new policy? Would you withdraw from the CAB forum based on the policy? Let us know your thoughts in a comment.