2014-06-26 Minutes

1. Antitrust Statement: Read by Ben.

2. Roll Call: Atsushi Inaba, Ben Wilson, Stephen Davidson, Doug Beattie, Kirk Hall, Eddy Nigg, Mads Henriksveen, Sissel Hoel, Chris Casciano, Wayne Thayer, Gerv Markham, Rick Andrews, Dave Barnet, John Amaral, and Ryan Sleevi

3. Application of OATI: We have reviewed OATI’s application. The OATI root certificate is trusted only in Internet Explorer. Kirk noted that they do not have a Baseline Requirements WebTrust audit. Gerv said that membership requirements are defined by our bylaws, which do not specifically require a WebTrust Baseline Requirements audit. Kirk said that the BRs are almost more important than a regular WebTrust audit now. Ben said that we’ve talked about creating a bugzilla tracking system and that issue could be put in there as a future task. Wayne said he has someone at GoDaddy helping to set up bugzilla. OATI’s application was approved.

4. Discussion:Questions re: Face-to-Face from those not in Attendance.

Google was asked to provide updates, if they had any, since Microsoft and Mozilla provided an update during the face-to-face.

Stephen said he wanted to know more about Google’s plans for CT logs and that for most CAs, they’ll need four different SCTs and that there is not really any information out there currently as to who will be hosting the 4+ logs that will be needed.

Ryan said that Google is always happy to answer questions about CT and to follow up and that there is a lot of information available. Ryan said information is available from the IETF working group and that many organizations have stepped up to provide a log.

Stephen said that CAs are struggling with the fairly critical information needed to incorporate CT and that the information might be available in groups rather than as a guide of what you need to know.

Ryan said there is a guide on what you need to know and it is the RFC. “I hear some concerns that we will see if we can address for you in the coming weeks. There are actually discussions on this on the list, and there are CAs that are participating in these discussions. If you want to send questions to that list, we can put together an information packet for those who have not been following that list.”

Kirk: “Could you send out that link to everyone that we could follow?”

Stephen: “There’s a lot of people commenting on the list, not from Google. If you could start doing updates that are coming from Google, then we can follow those.”

Ryan: “The question that I have is, if there are areas of concern from CAs, what information is necessary for them? We circulated a lot of documents, and then we heard from CAs saying, “stop telling us, there’s too much information.”

Kirk: Also, some third party software providers like CoreStreet are not aware of the need to support CT.

Ben: We can keep this discussion going on the list. If nobody else has any comments or questions, the executive summary that I circulated has other things and takeaways embedded, assignments, and tasks. I’ll review the minutes again and send out a list of tasks and ballots.

5. Any Other Business: None.

6. Next phone call: Thursday, July 10.

7. Meeting adjourned.