Minutes of Teleconference held Thursday, 10 July 2014
- Antitrust Statement: Read by Ben.
- Roll Call: Tim Hollebeek, Doug Beattie, Patrick Tronnier, Atsushi Inaba, Ben Wilson, Tim Shirley, Chris Casciano, Mads Henriksveen, Kirk Hall, Cecilia Kam, Dean Coclin, Jeremy Rowley, Wayne Thayer, Kelvin Yiu, Moudrick Dadashov, Conny Enke, Dave Barnet, Robin Alden, Ryan Sleevi
- Agenda Review: Reviewed.
- Approve Minutes: Minutes of 26 June 2014 and the summary of the face-to-face meeting were approved.
- Ballot review: Ballot 128 (CP Working Group) passed. Dean proposes that we kick this WG off with an hour-long call next week adjacent to the times for the EV and Code Signing WG calls, whose work will be going down. We need to set up a mailing list. Dean’s current list of those interested includes Robin, Ben, Jeremy, Dean, Moudrick, and Iñigo. Jeremy will send out an email to the main group to see who wants to be added to the list. Wayne just needs a name for the list. Jeremy suggested having the call next week at 12:30 Eastern time (16:30 UTC). It would be nice if someone from Microsoft could participate, since Tom was interested in looking at other CPs and pulling in what might be needed. Jeremy will set up a brief agenda for that day. The WG will start by looking at the NIST document.
Ballot 126 (Operational Existence) was reviewed. Ben said he didn’t think it was any big change to policy even though there’s a lot of red, that shouldn’t deter people. Cecilia said that it just moves verbiage in the first part to the second part of section 11.5. It was just moving language making it easier to understand. Ben said he was going to send this out last week, but he didn’t want to send it out without an additional ok from the group, but now he will assume that it is ready for the review period, and so he changed the ballot so that the review period will start this afternoon.
Ballot 127: the voting period starts today. However, Cecilia sent out a question to Jeremy or Kirk a while back about cross-referencing a different section. Right now, it references 11.10.4, but that doesn’t make too much sense when it is for independent confirmation for the applicant. The reference should be to sections 11.4.1 and 11.4.2. She sent the email on 7/3 to the EV list, but Ben said he didn’t notice it because it should have gone to the public list because we are in the comment period, so we need to get this out to the public list. Ben will send this out following the meeting with the other section numbers.
- Working Group Updates:
Code Signing WG: Dean said that the CSWG is almost ready to send the Code Signing BR draft to the rest of the Forum and that, barring many changes, it will be sending the draft out soon. He reiterated that it is not EV code signing. The CAB Forum will be given a 2-week review and then it will go to the public for a 60-day review and be sent to software companies.
EV Working Group: Jeremy said that two of the group’s ballots have just been reviewed, that the EV WG has a couple others that will be introduced after the others move through the review-and-voting period, and that the WG is pretty close to wrapping up its current work product.
Performance WG: Wayne said that there are a few websites that explain performance optimization, which he will share with the WG because he wants to avoid duplicating what others have done or are doing. If it makes sense to go ahead and draft this document, then we can get this done.
- Follow-up: Tasks from Face-to-Face: Wayne said that the Bugzilla software is being worked on and that we are on track to have it available by the Beijing meeting, but he had no other update.
Ben said that relating to work of the Performance WG, we have discussed the need to do more for OCSP stapling and other server configuration matters. What do people think about putting more stuff up on our website for those kinds of things, and what should be the process for approving and improving upon what we say? At the face-to-face, we discussed writing down guidance, but we also wanted to make sure we weren’t dictating how people should be configuring things. Doug said that a while back there were some documents published about implementation, and that process seemed to work. Ben said those documents were for the most part already written, and he doesn’t want to flood the list with lots of little tidbits. He would rather have it in some kind of evolutionary contribution process, whether it is use of the SSL performance list or the wiki. He said he would play it by ear and use our loose rules of collaboration by reaching out to Rick, Wayne, Gerv, and other people that have been involved in these kinds of issues in the past.
Doug reminded everyone on this matter of follow-up that we need to get the meeting notes done and the list of tasks written up. The wiki has a lot of blank sections and not all note-takers are identified. We should probably try to push that along. We have a lot of action items that need to be taken care of. Ben will go on the wiki and write down the names of the people who volunteered or were assigned the minutes. He asked whether anyone wanted to volunteer to do extra work on the minutes. Doug said that everyone had assignments and they should put their name on the wiki and follow through.
- Any Other Business: India CCA, IETF and CT: Kirk said that based on an article he read, it made him wonder if their system had been hacked, or if they were issuing MITM certificates. Ryan said that from Google’s perspective, everything they are currently able to say has been released on the blog. Kelvin said that Microsoft is planning to issue a security advisory today and that he will send a link to it. Basically they are going to place the certificates on the untrusted list. It was asked what type of audit they had. Kelvin said that because they were under the Government of India’s root, auditing of operations fell under requirements of national law and that they had a government equivalency audit.
Ben noted that Adam Langley had mentioned this as an example of the need for CT, from Google’s perspective. Dean said that discussions on the IETF list reveal that there are many questions on things regarding CT’s implementation. He asked whether, since it appears things are not solidified, Google would consider pushing out its implementation time window. Ryan said that the technology itself is not dramatically being altered. The comments deal with things like the type of certificates that a log will accept. That is up to the log. There are elements of policy, discussed on the CT policy list, and elements of technology being discussed on the other list. Google welcomes discussion on matters of policy, but it would be a mischaracterization to say that things are highly in flux; the technology is fairly sound and stable at this point. There’s discussion about policy, so it would be important to be following the CT policy discussions on issues related to policy.
Ben said this reminded him of two issues: (1) the IETF meeting is coming up, so we’ll be reviewing what occurs at IETF during the meeting after next; and (2) DigiCert is looking for collaboration with somebody to operate a second independent log, so if anyone else is interested, they should let Ben or Jeremy know.
- Next phone call: Thurs. July 24