Final Minutes CABF Teleconference 27 October 2016
Attendees: Alex Wight (Cisco), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton (Entrust), Connie Enke (SwissSign), Curt Spann (Apple), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Geoff Keating (Apple), Gervase Markham (Mozilla), JC Jones (Mozilla), Jeremy Rowley (Digicert), Josh Aas (Let’s Encrypt), Kirk Hall (Entrust), Mads Henriksveen (BuyPass), Peter Bowen (Amazon), Peter Miscovic (Disig), Rick Andrews (Symantec), Robin Alden (Comodo), Ryan Sleevi (Google), Sissel Hoel (Buypass), Steve Medin (Symantec), Tim Hollebeek (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wayne Thayer (GoDaddy), Wendy Brown (FPKI).
- Read Antitrust Statement
- Roll Call
- Agenda Reviewed – no changes
- Minutes of October 13, 2016. The Minutes of the teleconference on October 13, 2016 as amended by Dean in his email dated Oct. 24 were approved and will be posted to the Public list.
- Ballot status:
Kirk started by reviewing the current status of readoption Ballots 180, 181, and 182, which are now in their discussion stage. A Review Notice will be sent to Members on Tuesday, Nov. 1, which will begin a 60 day Review Period under the Forum’s IPR agreement. Right now we expect Ballots 180 and 181 not to attract any Exclusion Notices, which means a vote on final adoption will start on Dec. 31 and end on Jan. 7, 2017. Ballot 182 will likely attract Exclusion Notices, so will not be completed until later.
Once Ballot 180 is adopted on Jan. 7, other amendments to the BRs, etc. will be possible by new ballots, which will also go through a 7 day discussion period, 30 day review period, and 7 day voting period before adoption. Kirk recommended all pending draft ballots proceed through the discussion period and a possible straw vote (to demonstrate support) now, and then all start their 30 day review period under our IPR Policy as Maintenance Guidelines on Jan. 8, followed by a voting period to end on approximately Feb. 15.
There was then considerable discussion of this proposed procedure. During the discussion, the following points were made (although not in this exact order).
Jeremy said he had an issue with that process, that’s not what the Bylaws say, we have not had a vote to suspend ballots or interrupt the process in any way. I realize the IPR process is ongoing but he didn’t think we could tell members that they can’t bring ballots without having a vote on the process. The Bylaws clearly say that anyone that wants to bring a ballot can do so as long as they have two endorsers. There’s no precedent or grounds for preventing people from bringing ballots in this way.
Kirk asked what part of the process Jeremy was objecting to specifically. Jeremy said we haven’t had any kind of vote to suspend further ballots, and as long as a ballot has two endorsers it can proceed right now and put them into the same state as everything else where it becomes a guideline essentially with no IPR review until all the IPR reviews are complete.
Virginia said the problem with that was that members could be infringing the IP rights of other members if the IP review comes after the vote. Jeremy said we already have guidelines out there adopted by that method, but Virginia said the process was wrong.
Peter said he agreed with Jeremy that there was nothing to prevent people from bringing ballots, if we want to do the new straw poll thing informally we can do it, and then it needs to go to IPR review, but until we have a set of guidelines adopted without exclusion notices, we’re likely to have exclusion notices on every ballot. Jeremy noted we have had exclusion notices in the past, but we’ve never formed PAGs so technically all our material is in the same boat.
Peter added that he thought we were welcome to move ballots forward, but to Virginia’s point, as long as we are following the correct order of operations defined in the bylaws and we do the IPR review and then vote on it, we will be all fine. Peter said the concern, which may be unfounded, is that if we try to move it forward we’re going to end up with every ballot shoved into PAGs.
Geoff highlighted that any ballots passed between now and January 7 would effectively vanish. That’s because Ballot 180 adopts a specific Draft Guideline as a Final Guideline, and has a full document attached. If it passes, then on January 7, any previous changes are replaced with the ‘new’ text, which is what was in Ballot 180, so it doesn’t make sense to hold ballots before 180.
Wayne asked if Ballot 180 could simply be modified to say that any ballots passed and going through proper IPR review between now and then could simply be incorporated. Ryan asked how we could do that because the new ballots would be dangling appendages, and the whole point of Ballot 180 was that we would go through a full 60 day review. He said we can’t do a maintenance guideline until we have an adopted guideline, which is what Ballot 180 is doing to avoid any ambiguities. Jeremy responded that isn’t what the IPR policy says, you can still pass ballots now.
There was further discussion of whether IPR review comes before or after a vote, with Kirk saying the IPR review must come before a vote, and Jeremy and Ryan disagreed. Ryan said both interpretations of our IPR policy could be supported, and the best thing to do would be to have a vote to decide which procedure to follow, and Jeremy agreed, saying we should have a ballot if we are going to change procedures. Virginia said that from her perspective, we are not changing anything, the IPR policy was based on the W3C policy, and that’s how the W3C policy works, you do exclusion notices before something is approved. It doesn’t make sense to approve something and then have exclusions that would make the guidelines then infringe a patent, and the patent holder could go back and sue everyone for patent infringement. Ryan pointed out that in W3C, working groups do vote on adopting things after last call, etc. to make sure there is consensus on the proposals before proceeding with the IP review, so in many ways W3C works as Jeremy described.
Wayne said this (IP review before voting) is not the way we have operated in the CAB Forum so the fact that the IPR policy is based on W3C doesn’t mean that there is an unclear interpretation of the IPR Policy and bylaws, and we have a precedent for how we’ve always done this. There hasn’t been a vote to change, and there’s clearly not consensus that we want to model the W3C behavior here.
Virginia disagreed and said it does not make sense to put everyone at the risk of patent infringement. Peter said he thought that might be overstating the danger. Peter said there was potential danger, but most of our ballots state an effective date that was not the date the ballot passes, so one option is to have a discussion period and a vote but require that every ballot have an effective date that is 30 days later, and have our rules state that if there is an essential claim during the review period then the effective date of the ballot is suspended, otherwise the ballot would become effective at the end of that period. Ballot 169 was an example, with a March effective date. Kirk said that was an interesting idea, but that’s not what our current IPR Policy says right now. He suggested let’s finish what we started (Ballots 180-182), wait until Jan. 7 for the ballots to be approved, and then maybe have a new ballot to make a change like Peter has outlined.
Jeremy thinks we need to have a ballot if we want to put everything on hold until Jan. 7, there’s no authority for waiting, and he’d like to pass things now. There are several ballots pending. Kirk asked if Jeremy was saying these new ballots could be passed and become effective with a 7 day discussion period and 7 day voting period without completing an IPR review period. That’s not what our IPR Policy says. Jeremy disagreed, and said under his interpretation of the IPR Policy the vote can be held before a review period. Virginia disagreed and said the IPR Policy does not allow that. Peter said the “prior to the approval” language of the IPR Policy could be interpreted to mean that the end of voting by members does not cause the final “approval” to happen. Kirk asked what would happen to final “approval” if voting occurs before a review period and exclusion notices are then received – there is nothing that undoes the ballot that you just approved by a vote.
Jeremy said a PAG then has to meet and review it, but that’s fine because the ballot is still there for him to show his auditors that the matter had been voted on by the CAB Forum. Kirk asked in that case (receiving exclusion notices after a vote by the Forum) if there would have to be another ballot to rescind the earlier ballot. Jeremy said yes, that is what the IPR Policy says. Virginia again raised the point that this process could lead people to willfully infringing somebody’s patents. Jeremy said that was not a problem, once the exclusion notices were received it was up to the various CAs to decide what they wanted to do about that.
Jeremy said that most of our ballots have expanded what a CA can do and not restricted it, and yes, there is a new methodology in there. He pointed out a pending ballot that would allow continued use of SHA1 for OCSP responders, and said he saw no reason to prevent that ballot from going forward – there may be IP implications but no more than in the past from using SHA1 for OCSP responders.
Ryan said the one problem he had with Jeremy’s proposal was trying to figure out what the inputs are and what the outputs are – regardless of the different interpretations we do have specific terms in our bylaws and IPR Policy, and those are Draft Guidelines, Final Guidelines, and Final Maintenance Guidelines. We are haggling over this word “approved” in “prior to the approval”. There is universal consensus that we at least need a vote and we need IPR review, and unless those both happen we don’t have a Final Guideline or Final Maintenance Guideline. The issue Ryan had with Jeremy’s suggestion is that there would be this “nether” state, this unapproved Final Guideline.
Jeremy said no, there would be a Draft Guideline waiting for IPR review, but if he waits until January 1 to go through with the IPR review then that starts the 30 days. Ryan said there was a problem with that because Draft Guidelines don’t get 30 day reviews, they go through 60 day reviews. Jeremy said he meant Maintenance Guidelines. Ryan said Draft Maintenance Guideline was not a term. Jeremy said there are Maintenance Guidelines. Ryan said Jeremy’s interpretation was not supported for a “nether” state. There was further discussion between Jeremy and Ryan on these points.
Jeremy said the pending ballots could start now also as Final Guidelines with a 60 day review period to speed up the process. Ryan said the problem was that at the end of that process, we would end up with two different sets of Final Guidelines and you would have to do something to reconcile them. There was further discussion of this point. Jeremy said that none of our current guidelines are Final Guidelines because no PAG has ever met, so technically we should never be passing any Draft Guidelines ever because we don’t have any Final Guidelines. Ryan said that’s what Ballot 180 is trying to resolve, so that we do have Final Guidelines on January 7, and then we can do subsequent ballots that are Final Maintenance Guidelines after 30 day IPR review that can be incorporated in the Final Guidelines without this ambiguity as to what do they modify. Jeremy responded that the current bylaws say there is to be a 7 day discussion period and then a 7 day voting period and the ballots are then passed – the bylaws don’t say they are Draft Guidelines or Final Guidelines and then the IPR review period kicks in (and terms like Draft and Final Guideline apply there) – but the ballot is already approved by the voting under the bylaws. Ryan said the bylaws don’t support what Jeremy just described. There was further discussion between Ryan and Jeremy on these points.
Kirk asked for the views of others on the call. Jeremy said he didn’t care which way we go so long as we have a vote describing the process moving forward, and if members are going to be prevented from starting new ballots until January, that should be laid out in a ballot establishing the procedure. Ryan said this is how we have done voting for the Chair or Vice-Chair or areas of ambiguity within the bylaws, so he thought Jeremy’s point was fair. We have two-plus years of precedent using ballots to confirm consensus among members about particular interpretations.
Kirk said that if Jeremy wants to put forward a procedural ballot on the voting process he could, and because no Guidelines or IP would be involved it could probably be a 14 day ballot under our bylaws. But in the interim, Kirk would not be pulling back Ballots 180-182. Jeremy didn’t care about pulling back Ballots 180-182, and anyone can put forward a procedural ballot like that, but if Kirk wants Jeremy not to put forward a new ballot now he will have to put that to a vote, because as soon as Jeremy finds two endorsers he will put his ballots forward, and others may too. Kirk noted that at the F2F we did put forward a process for ballots and no one objected at that time, that the ballot would go to IPR review before a final vote. There might be a straw ballot before the IPR review, which is not in our bylaws. Kirk again encouraged Jeremy to put forward a ballot of what he thinks the process should be from this point forward. Jeremy said he didn’t know what the best way should be.
Kirk said the Forum clearly needed to work on this later on, make the bylaws clearer and mesh with the IPR Policy, but for now the natural reading of the two is discussion/IPR review/vote. Jeremy disagreed. Kirk asked if other people wanted to offer their opinion. Virginia said one of the purposes of the CAB Forum is for members to have an informed opinion on the guidelines, and she didn’t see how you could have an informed opinion if IP review comes after voting and you don’t know what IP is out there. How can you vote to approve something if you don’t know what IP pertains to it?
Wayne said Peter put forward a very reasonable way forward, and Gerv has also offered some options. Wayne said that a 50 day voting period would cause us issues, so we can start having the conversation now that the IPR review comes before or after the voting – he personally supports after for the reasons just stated – can we start discussing that now, or do we need to wait until January. Kirk said we could start now, and asked if Wayne, Peter, Gerv, and Jeremy could work together and come up with a recommended process first that can be turned into a draft ballot right now. Wayne asked if this should be part of the Governance Working Group, and Kirk said that made sense. Peter suggested continuing discussion on the public mailing list, but also discussing in the Governance Working Group.
Virginia added that Apple would not be in favor of any process where the IP review comes after voting on the ballot. Kirk said he thought he heard Peter say the ballot would not go into effect until after the IP review had been completed, and if exclusion notices are filed, the ballot would be rescinded and a PAG would be formed. Virginia said that doesn’t adequately address the problem. Jeremy suggested maybe there should be a straw ballot before the IP review to test consensus – it would be a waste of time to have the PAG meet if the ballot has no chance of passing. Virginia said we had talked before about having a straw poll before the IP review, then a formal vote. Jeremy said we should hold the vote before the IPR review so the vote would be binding if there are no exclusion notices filed. Kirk suggested the matter be discussed in the Governance Working Group. The members then went on to other topics.
Kirk noted the following ballots are pending, and again suggested the proponents complete drafting, start the 7 day discussion period, and maybe even take a straw ballot while we are waiting for Ballot 180 to pass.
Ballot 176: BR 188.8.131.52 – CNAME verification (Jeremy)
Ballot 179: BR 6.1.7 – Root signing time stamping certs (Dimitris)
Li-Chun’s ballot on BR 184.108.40.206.2 and EVGL 9.2.5 and 9.2.7 (further discussed in the Policy Review Working Group section below)
Jeremy’s ballot on SRV names in ballots
Wayne’s ballot on amending 7.1.3 (see below)
- Possible Ballot on BR 7.1.3: OCSP responder certs
Kirk asked Wayne if he wanted to proceed with a ballot to modify BR 7.1.3, which currently says in part:
“***CAs MAY continue to sign certificates to verify OCSP responses using SHA1 until 1 January 2017.***”
Wayne has pointed out that in some cases involving revoked SHA-1 certificates with expiration dates on or after January 1, 2017, CAs may still need to sign OCSP responses with SHA1 after the deadline to work in certain applications. However, after the discussion on the public list he is withdrawing his draft ballot now as he doesn’t want to force the Forum to adopt unusual ballot procedures while Ballot 180 is pending. He may bring the ballot back after Ballot 180 passes.
- Governance Change Working Group update; Results of last call. Dean said the Governance Change Working Group had met that week and followed the list of open issues in Kirk’s summary memo on governance change presented at the F2F meeting in Redmond. The working group reached conclusions on most issues, and will start drafting amendments to the Bylaws and IPR Policy to present to the Forum, along with draft charters for the first three new Working Groups.
- Validation Working Group Status – Jeremy said the Working Group needed to find a new time slot to meet, as the old time slot was no longer available. Dean suggested the group use the old Code Signing Working Group time slot. Kirk asked Jeremy to come up with a list of open items to work on, and said he would check his notes and send a list of projects.
- Policy Review Working Group – Ben said the Policy Review Working Group was continuing its work to clarify all the uses of the term “CA” in the BRs and try to make the uses less ambiguous. The Working Group is also following up on the issues Li-Chun has raised in prior meetings concerning BR 220.127.116.11.2 and EVGL 9.2.5 and 9.2.7. Peter clarified that the amendments being discussed deal with two topics: (1) the EVGL jurisdiction attributes, and (2) the current rules on showing subdivisions of countries in certificates (e.g., L and S fields).
- Continuing the Discussion on CAA
Rick said we are at odds on whether CAA checking should be done at validation or issuance time, and noted that Jeremy and Bruce suggested validation time, especially for enterprises. Rick continued that Jacob from Let’s Encrypt (LE) sent an email saying performance is not bad at all for checking at issuance, and that LE had issued 1 million certs in a given day doing full CAA checking. Rick asked did LE do 1 million domain validations on one day and full CAA checks on those 1 million domains? Ryan said yes. Rick asked if LE supports certs with multiple SANs? Ryan said yes, up to 50 or 100 FQDNs per certificate. The CAA checking occurs for all SANs for all names in a given path – for the FQDN and then for all parent labels until a CAA record is encountered or there are no more labels. Josh said LE also validates control of the FQDN domain for each FQDN.
Rick noted that doing CAA checking at time of issuance according to the RFC for a cert with 50 SANs at the third or fourth level domain, you have to do potentially 200 CAA validation checks before issuing the one certificate, which could create performance issues. One possible mitigation for this would be to keep a short term cache you could rely on if you already did CAA validation for a given FQDN. He said that it seems the Forum is at a slight impasse between those who want CAA checking at issuance time and those who want it at validation time (checking at validation time could be reserved for certain enterprise customers). There seems to be some interest in allowing CAs to cache CAA validation data for some period and reuse it.
Ryan noted he had given some examples of certs issued after CAA checking at validation time which were not authorized by the SLDN owner at time of issuance (but were properly issued under BR 18.104.22.168), and so there needs to be a balance between CAA checking at validation time with caching and CAA checking at time of issuance. How long should a CA be able to cache CAA check results as part of their administrative system? Let’s Encrypt’s ACME implementation gives users a token they can later use to get a certificate, so some CAA results caching occurs in effect. It should not be a 39 month cache as currently permitted in the BRs.
Jeremy asked whether rekeying a certificate should require a new CAA check. Ryan said that rekeying is issuance of a new certificate and requires a new CAA check. Jeremy thinks we should allow a domain owner to add a property to a CAA record that tells CAs to do CAA validation at the authorization domain level where the CA is doing the domain validation, which ties it to the validation process. That lets the person who controls the SLDN control the domain. Peter asked if the reason for that was to optimize, and Jeremy said yes.
Peter noted that Microsoft had given everyone a list of domains and told CAs they could not issue for those domains, and also tells CAs who do issue for those domains that they must revoke. That rule set is something they can do because they run a root store, but CAA is intended to give power to all domain owners as to certificate issuance, even if the issuance passes domain validation rules under BR 22.214.171.124.
Kirk asked Jeremy how the CA would know there was a flag at the SLDN level saying “don’t issue certs for any FQDN including this SLDN” if the CA is required to start doing CAA checking at the FQDN level and then work back to the SLDN level – how would a flag at the SLDN level be known (and help optimize future checking for the CA) if the CA finds a CAA record at the FQDN level first? Rick asked Jeremy if the CA could cache the flag found at the base domain level and then later skip all the higher level domains? Jeremy said yes, until it changes. That way the domain owner would not have to monitor every single FQDN for that domain. Kirk asked what happens if there is conflicting information at the FQDN level versus the SLDN level – the CA starts a CAA check at the FQDN, and if a record is found there, the CA will stop checking and never see a conflicting record at the SLDN level. Gerv said if people put conflicting information in the DNS, the behavior will be undefined, so domain owners shouldn’t put conflicting information in the DNS.
Ryan said the process is defined in the RFC, and there is no ambiguity. Jeremy said there are lots of domain owners that would like to specify only at the base domain level. Ryan thought that would be problematic and not in accord with the CAA spec. Gerv asked why was it problematic – because it could introduce ambiguity if CAs do the checking in a different order? Ryan said yes, it introduces ambiguity because it doesn’t strictly follow the CAA specs. (The parties continued discussing the matter after the Forum teleconference ended.)
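The lookup behaviour discussed in this item, as an added example that is not part of the minutes and is not any CA's code: a simulation of CAA tree climbing (each SAN is checked from the FQDN through its parent labels until a record is found) that counts queries for a 50-SAN certificate with and without a short-term cache, and shows that a record at the FQDN ends the climb before a record at the base domain is read. The `CAAChecker` class, the zone data and the CA identifiers are constructed for illustration; records are reduced to `issue` values, and CNAME/DNAME aliases and wildcard handling are left out.

```python
import time

# Constructed zone data (not real DNS): name -> CAA "issue" values.
ZONE = {
    "example.com": ["ca-a.example"],
    "pinned.dept.example.com": ["ca-b.example"],
}


class CAAChecker:
    """Hypothetical checker: climbs from the FQDN towards the TLD."""

    def __init__(self, zone, cache_ttl=0.0, clock=time.monotonic):
        self.zone = zone
        self.cache_ttl = cache_ttl  # seconds; 0 disables the cache
        self.clock = clock
        self.cache = {}             # name -> (expiry, records)
        self.lookups = 0            # simulated DNS queries sent

    def _query(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[0] > now:
            return hit[1]           # served from cache, may be stale
        self.lookups += 1
        records = list(self.zone.get(name, []))
        if self.cache_ttl > 0:
            self.cache[name] = (now + self.cache_ttl, records)
        return records

    def relevant_set(self, fqdn):
        """First name on the path with CAA records wins; parents are not read."""
        labels = fqdn.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            records = self._query(name)
            if records:
                return name, records
        return None, []

    def may_issue(self, fqdn, ca_id):
        _, records = self.relevant_set(fqdn)
        return not records or ca_id in records  # no CAA found: unrestricted

    def blocked_sans(self, sans, ca_id):
        """SANs that forbid issuance; a certificate needs this list empty."""
        return [s for s in sans if not self.may_issue(s, ca_id)]


def lookups_for(sans, zone, cache_ttl):
    checker = CAAChecker(zone, cache_ttl)
    checker.blocked_sans(sans, "ca-a.example")
    return checker.lookups


if __name__ == "__main__":
    # Worst case: 50 fourth-level SANs, no CAA record anywhere on the path.
    sans = [f"host{i}.dept.example.test" for i in range(50)]
    print("no cache :", lookups_for(sans, {}, 0))
    print("60s cache:", lookups_for(sans, {}, 60))
    c = CAAChecker(ZONE)
    print(c.relevant_set("pinned.dept.example.com"))
    print(c.blocked_sans(["www.dept.example.com", "pinned.dept.example.com"],
                         "ca-a.example"))
```

A cached empty answer keeps permitting issuance until its TTL lapses even if the domain owner has since published a restricting record, which is the trade-off behind the question of how long cached CAA results may be relied on.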
- Continuing the Discussion on CT. The Members ran out of time and did not discuss CT.
- Any Other Business – There was no other business.
- Next meeting on Thursday, Nov. 10, 2016.