Minutes of March 31, 2016
Attendees: Andrew Whalley (Google), Arno Fiedler, Atsushi Inaba, Ben Wilson, Bruce Morton, Jody Cloutier, Dean Coclin, Dimitris Zacharopoulos, Doug Beattie, Jacob Hoffman-Andrews, Jeremy Rowley, Josh Aas (Let’s Encrypt) Kirk Hall, Li-Chun Chen, Mads Henriksveen, Patrick Tronnier, Peter Bowen, Peter Miscovic, Rich Smith, Rick Andrews, Robin Alden, Ryan Sleevi, Tim Hollebeek, Volkan Nergiz, Wayne Thayer
- Antitrust Statement was read by Dean.
- Roll Call completed
- Agenda Reviewed.
- Minutes of 17 March meeting: The minutes were approved and will be sent to the public list. Minutes from the Scottsdale face to face were also approved and a link to the posted minutes (which include presentations) will be sent out to the public list.
- Ballot Status: Two ballots were discussed. Ballot 165 (Governance change WG) looks like it will pass. Ballot 166 (Membership reqts update to bylaws) also looks likely to pass. A new “BR clean up” ballot from Peter Bowen was announced and a redline was sent to the public list. Rick said there was a Microsoft tech note that allows ww*.example.com. Jody confirmed the platform supports it. Rick suggested the BRs be updated to include that. Ryan said that is not a good thing as there are multiple specs that treat this differently and historical context which would make it hard for Google to support such a ballot. Kirk asked why Peter put this in the ballot. He responded that this was raised in the past where people found a discrepancy in relation to other docs. However, given there was not consensus, he would remove from the proposed ballot. Ryan said there is a need for clarification because CAs seem to be interpreting this differently. Peter said he would create a new definition called “wildcard domain name” with an exact definition to avoid confusion and add clarity. Rick said that ideally Microsoft should remove that functionality and update the tech notes. Jody said he would need to consult with his expert on this. Peter said the goal of this ballot was to make it a “consensus” ballot and would remove anything controversial.
- Domain Validation draft ballot: Jeremy said the document was circulated to the forum list. There were a few minor redlines that need cleanup but should be ready to go before the next call.
- SHA-1 Situation: Jody said they had been approached by members of the payment industry with the problems they have had with terminals that do not support SHA-2. Some solutions floated are to reissue the certs they currently have and the other is to issue from a root not enrolled in a trusted root program. The problem with the latter is that their certification body requires it come from a trusted source. Jody said a conference in mid-April hosted by ETA trade group will be discussing this. Jody wondered if the forum should propose a solution as this issue isn’t going away. Responding to a question, Jody thinks that issuing from a non-publicly trusted root was the better solution and that the payments industry should accept that. Peter asked if there was any more info on the ETA. Jody said Microsoft was a member as well as Google. Dean confirmed the extent of the issues as Symantec has received many calls from payment processors in the last month but has solved many by issuing certs from removed roots. While this has solved most of the issues, there is still a percentage that is not solved. Ryan said Google was open to exploring solutions but wants to better understand the problem by posting info to the public list, using the set of questions he posted on the list earlier. Dean said he explained this to one particular bank that has a particular issue and that customer is deciding whether to come forward to the forum with answers to those questions. Jody said that we should try to have the right people in the room at the ETA conference to help guide a more general solution so we can be part of the solution, rather than the problem.
- Membership Applications: Dean stated that he was in discussion with the Electronic Transactions Association (ETA) about a potential Associate membership status in the forum. Dean reminded all the difference between Associate members and Interested party, the biggest difference being that AMs can attend meetings. AMs are people like ETSI, WebTrust, Paypal, Federal PKI. They cannot vote. ETA is a large organization with about 5000 members that specialize in the payment industry (payment processors, terminals, etc). As a result of the SHA-1 situation, they would like to be more involved in the forum on behalf of their members and believe they can also contribute to the forum in some fashion. The consensus from members on the call was that they would like to see something in writing from the ETA and reconsider on the next call. Kirk said it would positive to have a group like this participating but thought that we didn’t need more than one such group from this industry. Andrew wanted to know what continuing benefit they could provide going forward given their particular niche interest. Dean said that should be in their application. Peter questioned what the advantage was in having them as an Associate member vs. an Interested party. Dean replied that the major difference was that if a topic of interest was on the agenda, they could join a call or F2F meeting. Patrick said he expected more of these types of groups to join the forum, especially those representing devices (not browser based). Ryan said that this will continue to be a challenge until these groups move off of public roots and had a slight concern with these groups joining the forum for what should be a short term problem. Dean said these groups are actively moving off public roots but until fully migrated, don’t want to be caught off guard again. Peter suggested the Governance Working Group should consider this as part of their scope discussion. Rich said that there is value to the forum as well as the participants and overall security of the entire ecosystem to have these groups participate in forum discussions and hear the expertise of our members. Discussion to be continued on the next call.
- PAG/IPR Status: Dean said the list of non-signed IPR agreements has dropped to a handful. Those that have not signed will be suspended from the forum, meaning they will not be able to vote, participate in meetings or working groups, login into the wiki or post to the list. Once they sign the IPR, they will not have to re-apply. They will just have their privileges restored. Peter suggested we should not make a further attempt to contact anyone as we have published this on the public and management lists several times. Ben and Dean will review the list and provide the info to Wayne to suspend their access. Bruce suggested we have a period for their suspension and that if they don’t respond within that period, they would have to reapply. Jeremy said this would need a ballot. Jeremy said the Governance working group should consider this as part of the bylaws reform. Dean commented that ETSI and WebTrust were not required to sign the IPR in the past and won’t be required to sign the new one. Arno said that historically the ETSI lawyers had a problem signing one with an unincorporated organization. There had been an MOU with Tim Moses when he was chair of the Forum. Kirk said he believed the IPR was an agreement among members (corporate entities) and not the organization itself. Arno said he would have to check.
- Validation WG Update: No further updates
- Code Signing WG Update: At the last working group meeting, Microsoft agreed to adopt the Code Signing Baseline Requirements as of Feb 1, 2017, One concern among WG members was that since the document is not an official forum document (having been voted down by the forum), that the rights to the document were owned by the WG members. Jeremy and Ben suggested that the contributors to the WG would sign a release form to allow Microsoft to use the document.
- Policy WG Update: The group reviewed section 5 and there was a discussion on Trusted Roles. Ben sent around a draft to the working group.
- Information Sharing WG Update: No update, meeting every other Friday.
- Other Business: The Fall meeting date in Redmond was decided to be on October 18-20. There are 38 people signed up for Bilbao and more are expected. Members are urged to make hotel reservations quickly as rooms are selling out in many properties. Dean asked for members to send him agenda items.
- Next teleconference scheduled for April 14th
- Meeting adjourned