Final Minutes for CA/Browser Forum Teleconference 5 January 2017 (approved 19 January 2017)
Attendees: Arno Fiedler (D-Trust), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton (Entrust), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Doug Beattie (Globalsign), Fotis Loukos (SSL.com), Gervase Markham (Mozilla), JC Jones (Mozilla), Jeremy Rowley (Digicert), Jos Purvis (Cisco), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Peter Bowen (Amazon), Rich Smith (Comodo), Ryan Sleevi (Google), Tarah Wheeler (Symantec), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wayne Thayer (GoDaddy)
- Roll Call
- Read Antitrust Statement
- Review Agenda – there were no changes to the Agenda.
- Approve Minutes of teleconferences of Dec. 22, 2016. The draft Minutes were approved for posting to the Public list.
- Validation Working Group update. Results of last call – Ben said the Working Group did not meet during the holidays. He said a number of ballots were nearly ready, including drafts relating to validation of IP addresses and wifi locations.
- Policy Review Working Group update. Results of last call – Ben said the Working Group did not meet during the holidays, and so there was no update.
- Governance Change Working Group update. Results of last call – Dean said the Working Group had met, and the draft of a structure for governance change was finished. He noted Virginia had later provided some comments on the updated draft that will be considered in the Working Group’s next meeting, after which the draft will be posted for comments. In response to a question from Kirk, Dean said the Working Group had not yet drafted corresponding changes to the Bylaws that would be required to implement the governance change ideas, but wanted to receive comments as to the general proposal from the Forum first.
- IPR Policy Task Force update. Results of last call – Virginia said the Task Force had met, and she and Chris from Amazon were working on a draft Ballot 183 that would include new voting procedures for the Bylaws to apply for any Ballot that proposed new guidelines or requirements (known as “Final Guidelines” in our IPR Policy) or edits to current guidelines or requirements (known as “Maintenance Guidelines”). The new ballot rules are needed to coordinate with requirements of the Forum’s IPR Policy for an IP Review Period, and how to deal with Exclusion Notices, formation of Patent Advisory Groups (PAGs), etc.
In brief, the structure in the draft Ballot 183 would provide for a seven day discussion period and a seven day voting period. If the ballot is approved, then it would be subject to a 30 or 60 day Review Period under the IPR Policy (depending on whether it proposed a Maintenance Guideline or a Final Guideline). If no Exclusion Notices are filed during the Review Period, the previous vote of approval would be final, but if any Exclusion Notices are filed, then the previous vote of approval is rescinded and the ballot goes to a PAG. There are additional procedures after that.
Kirk asked if the first vote of approval would be the effective date of the ballot, or would the effective date be the expiration of the Review Period without any Exclusion Notices? Bruce said perhaps the end of the voting period should be the effective date if the ballot imposes mandatory requirements, but asked what would happen if the vote is later rescinded? Gerv said the drafters of ballots could solve this by including specific implementation dates of 30 days (or 60 days, as appropriate) after the vote of approval. Virginia said she will look at the question.
Virginia said she was about to circulate the draft Ballot 183 as a pre-ballot, and asked members who make comments to include specific suggestions for wording changes for improvement – not just comments that the member doesn’t like something in the draft. Kirk asked if Ballot 183 would be a two-week ballot (seven days discussion, seven days voting, with no Review Period), and Virginia said yes, as there are no amendments to guidelines included in Ballot 183.
Dean said he was still somewhat confused by the procedures in Ballot 183, and asked if the process flow could also be shown in pictorial form. Virginia said she would do this.
Kirk then noted that draft ballots numbered 176 and 179 had been proposed in the past, but never went forward while we worked on Ballots 180 through 182. He suggested that the proponents of those ballots should choose different numbers (184 or higher) to avoid confusion, and asked if there was any objection – there were no objections. Gerv suggested we make a notation about Ballots 176 and 179 on the wiki (i.e., that there were no ballots), and Kirk agreed.
- Ballot Status. Kirk noted the following list of pending ballots:
- Ballots 180-182 (Kirk, Virginia) – Voting started 12/31/2016, ends 1/7/2017
- Ballot 176: BR 220.127.116.11 – CNAME verification (Jeremy) – to be renumbered
- Ballot 179: BR 6.1.7 – Root signing time stamping certs (Dimitris) – to be renumbered
- BR 7.1.3 : OCSP responder certs (Wayne)
- BR 18.104.22.168.2 and EVGL 9.2.5 and 9.2.7 (Li-Chun)
- SRV names in certificates (Jeremy)
- Reuse of domain validation data after Ballot 169 effective date (Wayne)
- RFC 822 Names and Other Names (Jeremy)
- CAA (Gerv)
Kirk reviewed the progress of Ballots 180-182, and said there had been discussion among the proposer and endorsers of the Ballots (Entrust, Amazon, and Apple) of whether voting should be suspended on Ballot 182 or the Ballot should be withdrawn because Exclusion Notices were filed and a PAG needed to be formed and do its work. He noted that the Bylaws on voting do not explicitly allow either voting suspension or ballot withdrawal, although proponents and endorsers have withdrawn ballots before. Kirk suggested the Governance Change Working Group might want to clarify this in the Bylaws by a future ballot.
Jeremy noted that the IPR Policy provided for certain types of withdrawals under specified conditions. Ryan said the best course of action might be for the members simply not to vote on Ballot 182 so it would fail from lack of a quorum; later, after the PAG completes its work, and new ballot covering the same topic can be started. Kirk agreed.
Peter said he didn’t see any way to suspend voting on a ballot, and Ryan agreed. Virginia noted that under our current voting rules, we could end up with an endless cycle of ballots, Review Periods with Exclusion Notices, PAG conclusions, new proposals that started the process all over again, etc., and that draft Ballot 183 would resolve this issue. For example, if a follow-up ballot after a PAG conclusion is essentially the same as the prior ballot (and would not generate new Exclusion Notices), the PAG can say it won’t consider the ballot again before a new vote. Gerv asked if this meant we could skip a second Review Period if the second ballot was the same as the first, and Virginia said yes.
Virginia also noted that the option of publicly abstaining on a vote was somewhat unclear in the Bylaws – in one place, the Bylaws imply a vote should be only yes or no, but in another place the Bylaws say that votes to abstain will not be counted for quorum purposes. This could be clarified in a future Bylaws update.
The other pending draft ballots were discussed. Jeremy said Wayne’s ballot g) on the list should perhaps have first priority to deal with the pending March 1, 2017 deadline for implementation of new domain validation methods and the question of whether domain validations done before that date could be reused for the normal 13/39 month period. Peter noted that this may no longer be a problem if Ballots 180 and 181 pass, as they effectively supersede Ballot 169 and the March 1 deadline, especially as the Ballots restored the “any other method” language for domain validation.
Ryan said domain revalidation under the new validation methods might not be needed for simple reissue of a certificate for its original validity period, but he was not sure he was comfortable allowing reuse by CAs of domain validation that was done as much as 39 months ago after new domain validation methods were adopted. Kirk noted that had always been the case in the past – changes to domain validation methods did not require revalidation for subscribers during the data re-use period if the prior validations were done in compliance with the existing validation rules at the time of validation. Ryan said he would consider the issue, but that was not an ideal outcome.
The other pending ballots were briefly reviewed. Peter said some were essentially ready to begin once the voting rules have been clarified.
- Response from researcher dated 1/2/2017 re access to CRL/OCSP query logs. Dean noted the members had received a response from the researcher to the questions he had posed, and it was now up to individual CAs to share data with the researcher if they choose.
- CT Policy Days Update organized by Ryan Hurst. Kirk noted that Ryan Hurst had announced the meeting would be held at Google’s offices in Mountain View, CA on Feb. 21-22, 2017.
- Next F2F meetings: Kirk noted the next F2F meeting would be held on 21-23 March 2017 at Research Triangle Park, NC, hosted by Cisco. He said that the wiki showed 50 people had signed up so far, and asked if there was a limit on numbers who could attend. Dean said he thought there was a practical limit of 60 to 65 people, but he noted that some on the list had said their plans were “tentative”, so some may drop out.
Kirk asked Dean about the status of his wiki poll on the meeting scheduled for Berlin (sponsored by D-Trust) for Spring-Summer 2017. Dean said 23 people had responded, and 22 could come on the proposed dates of 20-23 June 2017, so those would be the dates. Arno, as host, was glad that the dates were now fixed. Arno said the ETSI CA Day meeting would be scheduled for Monday, June 19, 2017 in Berlin, so members can attend both meetings if they like the same week.
Finally, Kirk noted again the dates for the Fall meeting in Taipei (hosted by Chunghwa Telecom) were 3-5 Oct 2017, and said those dates were also fixed.
- Potential hosts for 2018 F2F meetings. Dean said a number of companies have offered to host F2F meetings in 2018, starting with a Silicon Valley meeting in February-March. HARICA has also offered to host in Greece, and CFCA had recently offered to host in Shanghai (or in another city in China) as well. Dean expressed thanks to the companies that have offered to host, and said the members can discuss the options for 2018 at the next F2F in North Carolina.
- Any Other Business. Kirk said he had been considering the difficulty for some Forum members to participate in the bi-weekly Forum teleconferences (especially Asian members, for whom the teleconferences start at midnight or 1 am local time), and noted that the Forum does record its calls. He suggested the Forum might want to make access to the recordings available to members so they can listen to meetings they miss or which occur at inconvenient hours.
Dean said it would be fine to send the recordings to members upon request, on the condition they be kept the recordings confidential and not share them without permission of call participants. Gerv suggested it would be more efficient to post the recordings automatically in a place with access control rather than make members ask for them. Dean said the recordings could be posted to the Forum’s wiki, which he thinks can cope with the large size of the recording files. Virginia said the recordings should only be made available to Forum members, and Ryan said the Bylaws should perhaps be strengthened to clarify the rules for access and use. Kirk agreed, and said he would work with Ben to come up with an appropriate warning for the wiki page about confidentiality and the prohibition against sharing the recordings without permission of the members.
There was no other business.
- Next call on Thursday, Jan. 19, 2017