Minutes October 13th, 2016
Attendees: Andrew Whalley (Google), Alex Wight (Cisco), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Billy VanCannon (Trustwave), Bruce Morton (Entrust), Curt Spann (Apple), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Gervase Markham (Mozilla), Josh Purvis (Cisco), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Peter Bowen (Amazon), Peter Miscovic, (Disig), Rick Andrews (Symantec), Robin Alden (Comodo), Ryan Sleevi (Google), Steve Medin (Symantec), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wendy Brown (FPKI)
- Roll Call
- Antitrust Statement was read by Robin
- Review Agenda – no changes
- Approve Minutes of Sept. 29th – Dean asked if there were any edits to the draft minutes which was done by memory since the recording failed. These were approved. The minutes from September 15th were approved on the last call but some corrections were noted after approval. These were sent out to the list. Hearing no objections, these are now re-approved.
- Ballot Status
There are no open ballots at this time. Dean mentioned that we would like to fix the IPR issues before re-starting ballots. Kirk said he will propose a “way forward” on ballots. Gerv commented that the issue with new ballots is that you do a 30 day IPR review, rather than a 60 because it’s a change rather than a whole document. But that assumes that when you do a change, the thing you are changing has already had a review so you are only reviewing the change. This makes the status of the change somewhat uncertain. Kirk said that is one interpretation. But this would mean that we couldn’t have any new ballots for 2.5-3 months and we don’t want to wait that long. Peter said the challenge we have is that the requirement in our bylaws is that we have approved guidelines. If we start trying to do ballots, we will have exclusions pointed out. Ben said we have exclusions with the maintenance guidelines. Peter said in general (contrary to other standards organizations) we modify our guidelines way more times. Virginia said that you normally send out the whole guideline but highlight the new language. Going forward we would highlight the new language and exclusions would only apply to that highlighted part. Peter said we need a clean version first. Ben suggested we create an entire “set” but remove sections that have had exclusion notices filed (by Symantec and GoDaddy) and adopt that as the base document (as it would be unlikely that exclusions would come out). Gerv said we should go with the 3 ballot plan but that is not the issue we are discussing. Some suggested that the safest thing to do is not pass any ballots but others suggested that this is not realistic. Kirk and Ben are working on a document to move this forward.
Affiliate Voting: Kirk said we need to clearly define affiliates in the bylaws as a first step. Peter said we have a definition in the IPR agreement. Kirk and Peter discussed the definition Ben said he would like to see control be less than 51%. Peter pointed out that Qihoo has 84% ownership in 2 other CA/B Forum members. Kirk proposed some language which Gerv said could be passed without waiting for the IPR ballots to pass.
- Continuing the discussion on CAA:
Rick said that Mozilla and Google are clearly in favor of hard fail and wanted to know the position of some of the CAs. Gerv said that 26 of the Alexa top million are using CAA hence it is underused and stories about massive failures are overblown. He preferred to start out with hard fail and then hear from CAs afterwards if we need to back off from this. Gerv went on to say that if the CA/B Forum doesn’t act on CA, then he would talk to his team about making it a root program requirement. Therefore if CAs would like some control of the CAA ‘destiny’, it should be done in the forum in a timely manner. Bruce said he would favor it for new customers but for existing customers who have bought lots of certs in the past, it could be a problem if someone in the company inadvertently changes their CAA record, unbeknownst to the other division, department, etc. Peter further commented that such a policy could include a memo to the requestor that you’ve successfully performed all the validation but are blocked from issuing due to the customer’s CAA record. Ben said that’s a lot of work for nothing. Bruce commented that this prevents issuance to a customer that you may have issued hundreds of certs for. Peter said that’s because they may have told you not to by changing the CAA record. Bruce said that it might have been done by a person on the DNS team who is not responsible for the certs. Peter asked what other method exists for the requestor to tell CAs they only want CA “X” to be the issuer for their certs. Gerv said this solves the problem of any public CA can issue for any domain in the world. Kirk said he is not aware of any case where this has worked. Gerv said that’s because CAA is not widely deployed. Ryan said that CAA has prevented mis-issuance for Google’s domains. Kirk suggested that a requirement could say that CAs could specify in section 4.2.1 what the exact name they want in a CAA record. Peter said it’s already required to put a domain name in there. Kirk said that “malformed” CAA records should be checked (he listed “Entrus” vs. “Entrust” as 1 example). Peter said the CAA record contains more info than that (and is clearly specified by the RFC). If the property tag is correct, then it’s not up to the CA to decide if it’s a known CA or not. Ryan said the RFC covers every permutation and byte sequence possible in this field and unless it matches yours, you cannot issue. Rick said this has been a great discussion but we are no closer to understanding which CAs are for/against hard fail. Bruce said they prefer hard fail for new customers but not for existing customers. Dean suggested a straw poll be taken at the face to face meeting.
- Governance Change Working Group update. A much more detailed meeting will take place at the F2F where the latest proposal would be presented.
- Validation Working Group Status. No meeting this week.
- Policy Review Working Group. Ben said they are still working on Dimitris’ redlines regarding the use of the word “CA”. This will be continued at the F2F. Kirk asked what the objective of this was. Dimitris explained that the current document is confusing in its definition when it uses the term “CA”, “Root CA”, “CA issuer” and other areas.
- Application of current IPR policy. Kirk recapped that Peter had a good idea on how to solve and will work with Ben to get a draft out. Further discussion will occur at the F2F next Wednesday.
- Associate Membership application from SSL.com: SSL.com has a point in time audit, not a period audit, hence is applying for Associate membership. All items received were in order. Their application was granted.
- WoSign/Startcom/Qihoo 360 discussion: Dean said we need to determine which of these 3 entities would like to be the official forum member. More discussion will occur at the F2F.
- SHA-1 exception: Dean said that the current applicant is now almost at the end of the process and the only questions have come through have been from Mozilla. Trustwave said they are working with TNS to submit their application. Dean said they are waiting to hear from browsers soon so they can have approval to issue and that they TBS certs contained an issue date of Oct. 14th. Gerv said that would be ok (the backdating). Peter suggested we take a look at this procedure next week and get some “lessons learned” if we have time.
- Ballot 178: Ben Wilson has been elected vice-chair of the Forum.
- Any Other Business – Dean said that the spring meeting Doodle poll results indicate a preference for the week of Feb. 8th, 2017.
- Next Forum teleconference will be on October 27th.