Notes of Teleconference
24 July 2014
1. Antitrust Statement: Read by Ben
2. Roll Call: Tim Shirley, Ben Wilson, Atsushi Inaba, Eddy Nigg, Dean Coclin, Stephen Davidson, Kirk Hall, Dave Barnet, Chris Casciano, Robin Alden, Gerv Markham, Geoff Keating, Ryan Sleevi, Kelvin Yiu
3. Agenda: Reviewed, and item 7 below was discussed directly after approval of last meeting’s minutes.
4. Minutes: 10 July 2014 approved.
5. Ballot review: Voting on Ballot 126 (Operational Existence) closes today. It looks like we will have quorum and that it will pass.
Voting on Ballot 129 (PSL) begins Monday, July 28. It appears that Brian Smith made a suggestion that was accepted by Gerv and Ben. Rick Andrews provided his consent.
Concerning Ballot 125 (CAA): we’ll pass on discussing it, since Rick isn’t on the call. Dean said that Rick is just trying to clear up some obstacles on that ballot.
Proposed Bylaw Amendment to working group formation: remove the word “ballot” from working group formation requirement.
Kirk looking for two endorsers, unless there are objections.
Ryan still concerned about amending the bylaws without fully understanding what it is trying to solve.
Kirk has explained the reasons on the list, including that it just seems silly to put out a ballot every time we want to create a working group.
Ryan agreed that it is good to remove the bureaucratic stuff, but having a working group without a ballot might lead to working groups working on something outside the scope of the Forum.
Kirk: If nobody feels strongly about it, then we can just leave it as is.
Ryan: All WGs go through a settle-down period after formation, and it takes a couple of months to produce anything anyway.
Dean: Nothing is preventing people from working on things separately.
Kirk: I suppose we can drop this ballot.
EV Insurance Revision: Ben sent out his current thinking on how to revise the current requirements. What are CAs thinking? Do the browsers have feedback from their perspective? Unless he gets feedback, he doesn’t know which direction to go.
Kirk: It requires insurance products that are not easily available throughout the world.
Ben: The newer draft simplifies the requirements, so it already eliminates that concern, so your comment really is in favor of my proposal. I’ll recirculate the language for everyone to look at again.
6. Plan to Release Code Signing Baseline Requirements for Public Review: Per CABF Project Lifecycle, CSWG is submitting this for Forum review followed by a public review-and-comment period. Dean would like the rest of the Forum to look at it to see if the working group missed anything. Jeremy will send this out soon. The project lifecycle release process is adopted in our Bylaws. The working group is supposed to decide by majority that the working draft is ready to send to the Forum as a “Forum Draft”. At that point, the Forum reviews the draft and determines whether it needs public comment. The working group has already decided that it needs public comment, so this ballot will be an opportunity for Forum members to review it before it goes out to public comment, currently planned for 15 August, although that can change based on how this proceeds.
7. Discussion: BR 17.7 key ceremony / audit (Subject: [cabfpub] BRs, audits and historical point-in-time events): There have been questions about the situation concerning the BR audit, and on the list we have discussed various traps that people can fall into when they try to comply with Section 17.7.
Gerv: Basically, we could solve this problem by granting a waiver, but I have raised this issue to get a sense of whether that is the right approach, given that this issue relates to something that could have happened a long time ago. Maybe we should say that the BRs shouldn’t say anything about how key ceremonies are done and leave it to WebTrust and ETSI, but they are the Baseline Requirements, so maybe they should say something. When this CA root key was generated, it was being audited under the WebTrust scheme. The ceremony took place in July 2012.
Kirk: Section 17.7 of the BRs says that the ceremony has to be observed or taped, so I wonder what the issue is. The auditor is creating the issue by saying, “we now have to write this report about things that we weren’t thinking about at the time.” One way of solving the problem would be to specifically say in the BRs that watching the video after the fact is sufficient for audit report purposes.
Ben: These requirements have been in WebTrust and ETSI for a while, so I don’t understand why this auditor is saying it is a new or different BR requirement that they weren’t aware of. It’s a typical situation where the auditors are very hesitant to come up to speed on things that have been in existence for a while. They aren’t getting ready. I push it back on the auditors for not being aware. This is in WebTrust section 4.1 and illustrative control #4.
Gerv: They don’t want to opine on a different set of criteria that are different than they were looking for at the time. We could give them a waiver.
Kirk: But it sounds like in this situation, compliance with the BRs was not necessary because browsers were not enforcing the BRs at the time.
Ben: I’d agree with that approach.
Dave: If we are about to set up a new CA, it was mentioned that we can use an internal auditor.
Ben: If it is just a regular CA, rather than an EV CA, then you can have a qualified auditor or have it videotaped, but your auditor may not feel comfortable just reviewing the video.
Dave: We are not allowed to video where we maintain our CA.
Gerv: Under the Mozilla root program requirements, the audits have to be done by a competent and independent third party.
Kirk: You should really go through all three WebTrust sets of criteria, the BRs, EV Guidelines, etc. There are discrepancies, so make a table and make sure that every problem is addressed.
Ben: EV requires that the auditor witness, but the BRs allow just videotaping.
Kelvin: We’ve focused on the WebTrust audits, but what about the ETSI audits? Are there any discrepancies with the ETSI audit?
Ben: We received some explanation on this from Moudrick and Iñigo, I can send it to you if you can’t find it.
Kelvin: As a relying party to the audits, we want to make sure that they are all consistent. Is it within the CAB Forum’s interest to make sure they are aligned?
Kirk will create a table in a couple of weeks with the requirement and the discrepancies.
8. Updates on Current Business: EV and Policy Review Working Groups, India CCA, etc.: The CP Working Group, aka the Policy Review WG, had a short first meeting last week. Documents are being collected, and the group has started to look at the RFC and the NIST document. Ben asked whether there were any updates on information about India CCA; for instance, he has read Google’s post and the Microsoft Security Advisory. He asked for clarification on why part of the Security Advisory focused on issuance of an Intermediate CA and said that he would send Kelvin the part of the advisory that he had a question about.
9. Any Other Business: None.
10. Next phone call — Thurs. Aug. 7th
11. Meeting Adjourned.