Final Minutes for CA/Browser Forum Teleconference 2 February 2017 (approved Feb. 16)
Attendees: Andrew Whalley (Google), Arno Fiedler (D-Trust), Atsushi Inaba (Globalsign), Bruce Morton (Entrust), Christopher Kemmerer (SSL.com), Curt Spann (Apple), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Doug Beattie (Globalsign), Fotis Loukos (SSL.com), Frank Purdue (Trustwave), Geoff Keating, Apple, Gervase Markham (Mozilla), Jeremy Rowley (Digicert), Jos Purvis (Cisco), Kirk Hall (Entrust), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Neil Dunbar, Trustcor, Patrick Tronnier (OATI), Peter Bowen (Amazon), Peter Miscovic, (Disig), Rich Smith (Comodo), Rick Andrews (Symantec), Robin Alden (Comodo), Sissel Hoel, (Buypass), Steve Medin (Symantec), Tim Shirley (Trustwave), Wayne Thayer (GoDaddy).
- Roll Call
- Read Antitrust Statement
- Review Agenda – there were no changes to the Agenda.
- Approve Minutes of teleconferences of Jan. 19, 2017. The draft Minutes were approved for posting to the Public list.
- Governance Change Working Group update. Dean provided an overview of the recommendations from the Working Group (WG) in the document he recently posted to the Public list. The draft form of new working group charter has recently been modified, and will be posted shortly. The WG would like input from the members before starting on Bylaws amendments.
Kirk asked if the WG found any areas of special difficulty it wanted to discuss, and Dean said no. Dimitris asked if comments should be sent to the WG list, or to the Public list. It was agreed comments should be posted to the Public list. Kirk asked the WG if it still thought these changes to Forum governance were a good idea, after all their study of the subject. Dean said yes, and Peter said the changes would enable interested CAs and others to work on different certificate types.
- Validation Working Group update. Jeremy discussed the results of the last call, and said various proposals were ready for ballots, including improvements to certificate profiles and validation methods. The WG had been waiting for Ballot 183 to pass, and now that it has, new ballots can begin.
- Policy Review Working Group update. Dimitris provided an overview of the draft changes to the BRs presented in a memo that was distributed to the Public list earlier. They mostly deal with clarifying the different uses of the term “CA” in the BRs – the term is sometimes used to refer to the organization that operates the private key, and sometimes to the X509 sub-certificate used to issue end-entity certs. The goal of the proposed amendments is to better define what is meant in each case when the term CA is used.
Kirk asked if the changes represented any new policies. Dimitris said the WG was tempted to offer some policy changes, but tried to avoid that, so there are no intentional changes. Peter asked if the WG made clarifying changes that would apply when one company was the CA named in the issuing sub-CA, but another company operated the sub-CA under a contract. Dimitris said this situation was not addressed. In general, the root key operator will be responsible for compliance with requirements.
Kirk suggested the draft be discussed by the members again on the call in two weeks, and then the WG proceed to a ballot. Peter noted there were a lot of changes to the BRs (over 100). Members should review the e-mail sent by Ben Wilson to the public list on January 19th. That e-mail contains a red-lined word document as an attachment, and also lists all the proposed changes in “ballot format.” The additional time should be enough for members to review the draft.
- Patent Advisory Group (PAG) update. Kirk said the initial call the previous week had gone very well. The PAG members had reviewed how PAGs worked for other groups, such as W3C, discussed PAG procedural rules, and reviewed relevant sections of the Forum’s IPR Policy Agreement. The PAG had then briefly looked at the three Exclusion Notices for Ballot 182, and discussed the next steps. There is a possibility that one or more of the three CAs who filed Exclusion Notices will offer royalty-free licenses to all CAs, which would make the PAG’s work much easier. The PAG will meet again next week.
- Ballot Status. Kirk reviewed the status of each of the following draft ballots that have been circulating. To avoid a rush of ballots running simultaneously, he asked each proposer to indicate its relative priority – was the ballot ready to start, or could it go to the back of the line?
a. Ballot 183 results (Kirk). Kirk noted the ballot had passed unanimously, and that other ballots could now proceed.
b. Ballot 184 – RFC 822 Names and OtherNames (Jeremy). Jeremy said the ballot was substantially ready, but he was looking for two endorsers. It can go to the back of the line.
c. Ballot 185 – Limiting cert lifetime (Ryan). Ryan was not on the call. Arno said the ballot was new, and needed more discussion.
d. Ballot 186 – Limiting reuse of validation information (Ryan). Ryan was not on the call.
e. BR 126.96.36.199 – CNAME verification (Jeremy). Jeremy said this ballot was pretty simple, and he was looking for two endorsers. Peter said it might be better to wait for the PAG to finish its work, as this was an amendment to a domain validation method that the PAG was reviewing. Kirk agreed, but asked Jeremy if he thought there was consensus around the change proposed by this ballot. Jeremy said yes, and that the ballot could go to the back of the line. Rich asked if it would be a good idea to proceed with the ballot now, to avoid waiting for the PAG to finish its work and then risk the need to call another PAG. After discussion, there did not seem to be a clear advantage to doing that, and Wayne suggested we table that discussion until the PAG knows where GoDaddy is going on the Exclusion Notice for the domain validation method affected by Jeremy’s ballot, as that may simplify things. Jeremy said he would defer this ballot for now.
f. BR 6.1.7 – Root signing time stamping certs (Dimitris). Dimitris said this ballot had been ready for some time, and had been posted on the wiki, but now it was gone. The purpose is to clarify that time stamping certificates should not be signed by a root key. Jeremy noted that this was outside the realm of server certificates, and wondered if it was out of scope for the BRs. Dimitris said no, it was part of maintaining a trusted root. Kirk asked Dimitris for the priority of the ballot, and he said there was no rush.
g. BR 7.1.3: OCSP responder certs (Wayne). Wayne said this draft ballot was created to deal with the SHA-1 prohibition that took place on January 1, but now that the date had passed, it might not be as important. He suggested tabling the ballot for now.
h. BR 188.8.131.52.2 and EVGL 9.2.5 and 9.2.7 (Jeremy/Li-Chun). Jeremy said the Validation Working Group had been working on this, and currently plans to advance a ballot that simply aligns what the BRs and the EVGL say on the topic of the S field in a certificate, and possibly adding an Annex on how to insert the information in certain jurisdictions. Kirk asked if that would solve the problem Li-Chun had brought up, and Jeremy said he thought it would. Li-Chun said his colleagues were on holiday at present, but he would discuss with them when they return. Jeremy said the language would be finalized on the next WG call.
i. SRV names in certificates (Jeremy). Jeremy said he needs to finalize the language, and it will become part of Ballot 184 listed above.
j. Reuse of domain validation data after Ballot 169 effective date (Wayne). Wayne noted this ballot was drafted to deal with the effective date in Ballot 169. Now that Ballot 169 was replaced by Ballots 180 and 181, the deadline has gone away. But the issue will come up again once the PAG completes its work and the new Method 11 “any other method” for domain validation is removed from BR 184.108.40.206, so we should remember to add appropriate transition language to that future ballot.
k. CAA (Gerv). Gerv said the ballot was still being discussed, and reminded members if they wanted to suggest changes, then needed to provide their rationale at the same time.
l. Ballot adding back Methods 1 and 8 to BR 220.127.116.11 (Gerv). Gerv said this was really Peter’s ballot now as he has agreed to draft it for consideration. Peter explained that the ballot would add back former Methods 1 and 8 from Ballot 169 as no Exclusion Notices were filed for those methods after Ballot 182. He asked if Wayne had proposed a relevant edit to one of the methods. Jeremy said yes, and suggested the edit be added to the ballot. Peter will proceed with the ballot soon.
- New draft BR WebTrust audit guidelines (v2.2) for review and comments. Kirk mentioned that CPA Canada had issued a v2.2 draft of WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security, which Kirk had previously circulated on the public list. WebTrust is looking for any comments. Kirk noted that Appendix D had been amended from the December version of the BR WebTrust audit guidelines to reflect the fact that Ballot 169 on domain validation methods had been superseded by Ballots 180 and 181, so that problem appeared to be solved.
- Next F2F meetings:
21-23 March 2017 – Research Triangle Park, NC (Cisco) – Kirk reminded members to sign up on the wiki if they planned to attend
20-23 June 2017 Berlin (D-Trust)
3-5 Oct 2017 Taipei (Chunghwa Telecom)
- Any Other Business. Peter noted that Google was hosting CT Policy Days in Mountain View on Feb. 21-22. Kirk asked if there was a registration link. Peter was not aware of one, but said Ryan Hurst had indicated there was lots of space.
- Next call on Thursday, Feb. 16, 2017. The members noted that Feb. 16 is in the middle of the RSA Security Conference, and asked if we should postpone this call. The consensus was that the call should take place as planned, even if there was a light turnout.