Minutes for CA/Browser Forum Teleconference 2 March 2017
Attendees: Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton (Entrust), Chris Bailey (Entrust), Chris Kemmerere (SSL.com), Connie Enke (SwissSign), Dimitris Zacharopoulos (Harica), Doug Beattie (Globalsign), Fotis Loukos (SSL.com), Gervase Markham (Mozilla), JC Jones (Mozilla), Jeff Stapleton (Wells Fargo), Jeremy Rowley (Digicert), Jos Purvis (Cisco), Kirk Hall (Entrust), Leo Grove (SSL.com), Mads Henriksveen (BuyPass), Patrick Tronnier (OATI), Peter Bowen (Amazon), Rick Andrews (Symantec), Robin Alden (Comodo), Ryan Sleevi (Google), Steve Medin (Symantec), Tarah Wheeler (Symantec), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wayne Thayer (GoDaddy)
- Roll Call
- Read Antitrust Statement
- Review Agenda – there were no changes to the Agenda.
- Approve Minutes of teleconference of Feb. 16, 2017. The draft Minutes (as amended) were approved for posting to the Public list.
- Governance Change Working Group update. Ben said the WG had a call the prior week, and he had sent out minutes. The WG reviewed Gerv’s comments to the outline, and discussed next steps. The WG may put the Bylaws up on Google docs and start redlining them, and perhaps create a diagram showing how the future governance structure would exist. The main issue is what involvement non-CAs had to have in a new WG – maybe a new WG has to have a written commitment from a non-CA to participate in the future before forming the new WG? If they don’t participate, maybe don’t disband the WG, but the Forum could check back every six months and ultimately have a ballot to disband the WG if necessary.
Kirk said there might be a project of interest to CAs only (although other members of the Forum could participate if interested), so why require non-CAs too? Ben said that would be fine as well. Gerv said he was fine with that also and was just seeking clarification, but at the same time the Forum needs to decide what the future Forum is for, and if it makes sense to have CA-only WGs.
Jos said this was discussed at the last meeting, and it was noted that some of the work of the Forum is used by downstream organizations even if they didn’t participate in formulating it – they think it’s useful for their purposes. So it may make sense to have WGs with CAs only so downstream groups could use it too. But the counterargument is, if there is no industry willing to take something on as a standard, how useful is the development of standards by the WG? Jeremy said as a practical matter CAs would probably only participate in such a WG if they saw a downstream use. Kirk noted that some WGs today functionally only have CAs as participating members. He suggested the Governance Change WG just leave it to each charter to spell out whether or not non-CAs are necessary, which must be approved by the Forum – don’t forbid CA-only WGs in the new structure.
Jeremy said non-CAs might want to wait to participate until they see what the standards might be. Ryan asked how a CA-only WG working on a new product offering would fit with the Forum’s antitrust policy. Peter said the WG would be working on a technical standard for something that could be used in a product offering, and not a new product offering itself. Ryan said this would need to be evaluated carefully when forming a new CA-only WG. Jeremy said the WG wouldn’t have to be CA-only, but might start out that way. Kirk noted that anyone in the Forum could participate in any WG but might not be interested, and a new WG should be able to work on a standard even if there were no obvious non-CAs who were interested.
Ben said another question was how long WGs could continue – indefinitely, or should they have to be re-chartered from time to time or else be terminated? Kirk said it might vary – the Web PKI WG, for example, probably would have no sunset date, but other WGs with a discrete task might have one. Ryan said all WGs should have a sunset date and be reevaluated on a recurring basis to make sure it’s still meeting the community’s needs. Josh agreed, and said that for Web PKI that could be a quick ballot. Jeremy agreed, and said that would give the Forum a chance to see if the WG was still in scope. Ben said the WG charters could say how often reauthorization would have to occur. Chris noted some groups would be more permanent than others, and there will likely be ongoing concerns that will always justify continuation. Ryan said periodic reauthorization was needed to make sure every WG was still in scope and addressing the right issues. Jos said that for WGs on things like IoT, the ground may change over time, so annual rechartering would be a good idea – the charter for each WG should include the recertification period for flexibility, and the periods can change. Jeremy thinks there should at least be a recommended rechartering period for all WGs to start with. Jos said there could be a minimum and maximum period.
- Validation Working Group update. Jeremy said the WG is working on three or four ballots, which are on the wiki for review, and which should circulate on the main list soon. He highlighted a ballot to reauthorize domain validation Methods 1 and 8 to BR 188.8.131.52, along with corrections to other validation methods. There is also a ballot with clarification on Latin notaries, as well as an update to the rules on place of business in EV certs. The WG is also close on a ballot on IP addresses validation, which should be available next week.
- Policy Review Working Group update. Ben noted that Ballot 188 (now in the voting period) was likely to fail, and that the WG had received comments that would be reviewed on the WG’s next call. Kirk asked if the comments received were “solvable” or not solvable by the WG. Ben thought they were solvable, but may require changes to what was in the ballot. Gerv asked if the WG should start by working on the applicable definitions, and then changing the rest of the BRs according to those new definitions. If the issues are around the definitions, it might be less work to tackle those first.
Ryan thought the problem was not with the definitions, but mapping them to the rest of the BR sections. The WG needs to work through the BRs where the terms are used and agreeing on what would be meant, then address the definitions if needed. Examples were discussed (e.g., whether certificates or keys sign something). Ryan suggested the WG take the existing BRs, and simply correct the areas of confusion and make sure the terms are consistently applied, rather than starting by amending definitions.
Gerv asked if Ryan thought the definitions in the BRs needed any changes as part of this process, and Ryan said yes. Gerv suggested it might be best to make the definition changes first before amending the other parts of the document. Ryan said a holistic examination was needed first. There was further discussion on how to proceed. Kirk asked if Ryan could help the WG with drafting new text, and Ryan said yes. Peter suggested tabling the question of how to proceed on this call, and issue a broad invitation to the next WG call where it can be discussed. Dimitris said the WG had gathered all issues and would discuss on the WG call next Thursday.
- Patent Advisory Group (PAG) update. Virginia said it looks the three members who filed Exclusion Notices are willing to license their IP on a royalty-free basis. At the next meeting, the PAG will discuss what needs to be done with the three Exclusion Notices and then the Forum will be ready to re-vote on the domain validation methods covered by the Exclusion Notices. Kirk asked Virginia what she thought the PAG’s final output or “conclusion” to the Forum would be. Virginia though that the conclusion would be that each member who filed an Exclusion Notice was ready to grant a royalty-free license and whether they are requiring a written license agreement or not, and that the domain validation methods affected could be resubmitted by ballot for voting. The PAG would not be commenting on whether the licenses offered comply with Sec. 5.1 of the IPR Agreement defining the form of license – that’s for each member to decide upon advice of counsel. Also, the PAG will not be recommending yes or no votes on any subsequent ballots.
Gerv asked if a member does not like the RF license offered by another member, could the member ask whether that member had “contributed” its IP by participation in drafting of the ballot (so the RF license would not be necessary) – would the PAG offer an opinion on that question? Virginia said that issue had not been considered by the PAG given that the three members were all offering RF licenses. Gerv said if the PAG was not going to opine on whether the RF licenses met Sec. 5.1 of the IPR Agreement, shouldn’t it offer an opinion on the “contribution” issue? Virginia said if a member didn’t like the license offered, it should just vote no on the ballot. Gerv said one of the responsibilities of the PAG was to decide if an Exclusion Notice was valid or not, but Virginia said that was not what the PAG had decided to do.
Kirk said the PAG could assemble prior emails and minutes so the members could decide on their own if a member with an Exclusion Notice had already “contributed” something. Gerv noted that would be a lot of work, and it might be more efficient for the PAG to present the licenses and offer to investigate the “contribution” issue if any member cared about that – perhaps everyone will like the licenses and not care. But there is no means in the Forum other than the PAG for members to decide on whether a member has “contributed” a method. Kirk said that as he reads the IPR Agreement, once a license is granted it can’t be taken back for the lifetime of the patent and method, so if a member thinks it’s satisfied with a license and it covers the issues the member cares about, then maybe the member should sign or accept the license (note: no legal advice was being provided).
Steve asked if the PAG was going to decide whether a particular claim covered by an Exclusion Notice was an “Essential Claim”, or would that be for each member to decide. Virginia said each member must decide.
- Ballot Status
Ballot 187 – Make CAA checking mandatory (Gerv): Kirk noted that the voting period for this ballot had started.
Ballot 188 – Clarify use of term “CA” in Baseline Requirements (Dimitris): The voting period ends later today. This ballot was already discussed as part of the Policy Review WG discussion.
Ballot 193 – 825-day Certificate Lifetimes (Chris): This ballot is in the discussion period. Chris gave some background on the ballot, and how the proponents were trying to come up with something that would work for everyone. He mentioned the prior Ballot 185, which many members thought was too short a certificate period. In discussions with website owner customers, it appeared they had pain when moving form three year certs to something less, but two year certs seemed to be acceptable. The ballot proponents wanted to move quickly on the ballot because there appeared to be some consensus on two years. CAs and website owners need some time to make this kind of change and education to distribution and reseller channels is needed, which the ballot allows. It will be shortening certificate lifetimes by one year, which people seem to agree on. The other parts of the ballot were to coordinate provisions in the BRs and EVGL.
Ryan said Ballot 185 was intended to get feedback from CAs, and it did. He had outlined a path after the ballot to allow the Forum to have a more fruitful discussion, including at the F2F meeting. Ballot 185 had brought out two pain points – both the duration and the time. Ballot 193 seems to circumvent those further discussions, and Ryan asked Chris why he moved forward with Ballot 193 at this time now that we understand where members’ pain points are. For example, several members agreed during discussion of Ballot 185 to 13 month certs, but wanted more time to adapt (e.g., a two year phase in). Why was there urgency in moving forward with Ballot 193?
Chris agreed that consensus was important to what was to be achieved, but he didn’t think there was consensus on moving to a 13 month maximum certificate or data period. The consensus appeared to be something longer than that. Ryan thought there should have been more discussion in the Forum before going to Ballot 193. The ballot bypasses those additional discussions and proposes a specific solution without using the knowledge gained in discussion of Ballot 185.
Ben said the Ballot 193 proponents used Ballot 185 as a starting point, but the more pressing issue was the need to come up with a response in a short time frame to the rejection of Ballot 185, in part because of tweets Ryan had sent out that was a “call to action” to people that they should distrust CAs that voted against Ballot 185.
Ryan asked if the goal of Ballot 193 was not to reach consensus but instead to affect public appearances. Ben said no, not at all. But, Ben said the fact that Ryan had started tweeting on how CAs should vote on Ballot 185 and how they should be viewed based on their vote was not proper.
Peter noted that Ryan had made it clear in the Forum that the current status quo (three year certs) was not acceptable and had indicated that if the status quo didn’t change that browsers such as Google would put some change into their root program requirements. Ryan confirmed that was correct, and that a change in program requirements was still on the table regardless of Ballot 193. Peter said Ballot 193 should simply be viewed as another proposal on how we change the status quo. Ryan agreed, and said Ballot 193 was a positive change on validity period alone, although some of the other provisions were problematic. But the point to be highlighted was the need for browsers, subscribers, and relying parties to have clear direction as to where the Forum was going with this, and he wants to make sure there is a discussion on that. They need to know if Ballot 193 is presented as an “end state” or presented as a “stepping stone” toward an end state, in order to deal with complaints that there is not enough notice or preparation time for future changes. Does Ballot 193 represent an end state of itself (which is unacceptable), or does it represent a stepping stone to an end state (which would be fantastic).
Peter asked what Ryan meant by stepping stone versus end state – is Ryan saying “if an 825 day maximum cert period is intended to be the state for (say) three or four years and in perpetuity unless something changes, that is not something Google would support”? Ryan said Google would need to take the feedback and need to address the issue with their program requirements. Peter asked did this mean the new status quo of an 825 day maximum cert period would not be sufficient to avoid having Google place a different requirement in the Google program requirements? Ryan said the ballot would not be a sufficient road map for the community to address the set of security concerns we have. Google would be thrilled to find consensus on that in the Forum if there is the opportunity to find consensus on that roadmap, but Google wants to make sure there is a roadmap in place. The fact that we have been discussing this for three years highlights the need to present this roadmap.
Gerv said he thought it was a shame that the Forum has gone straight into the discussion period on Ballot 193 because that limits the options for editing the ballot. Also, he preferred Ryan’s earlier Ballots 185 and 186 because they separated out the issue of maximum cert life from maximum reuse of data, which are different issues and different concerns and parameters, etc. Also, Gerv agreed with Ryan that the Forum should come to an agreement on whether two year certs are a stepping stone to one year certs or not. If two year certs are a stepping stone to one year, it would have been better for the ballot to have transition dates for that. If Ballot 193 is not intended as a stepping stone, it would be good for the Ballot to say that so that others actors can go off and do other things using whatever powers they have, and then that’s something people have to consider when making their decision. It would be good for the Forum to come to a consensus, but neither of those things is easy to do within the current discussion framework, which is limited by the text of Ballot 193. It would have been better to have a discussion on whether we are planning a transition to one year certs, or not.
Chris said the question was whether such a transition is a time-based or event-based decision. According to discussions with current website customers, moving to a one-year cert is not currently an acceptable model for them. Do they have a time frame for such a change? That’s hard to say, as they only found out about this issue about three weeks ago. Dealing with enterprise customers is the ultimate problem – a lot of CAs are in the same position. Ryan said that’s what Ballot 185 was intended to address, which was to create an event so that CAs could now have fruitful discussions with enterprise customers as to “what would a time frame look like for a 13 month migration?” If the feedback received is no agreement to a transition, then as Gerv highlighted if Ballot 193 is not a stepping stone, then we have to address that as appropriate. However, if the feedback from enterprise customers is “we can achieve this if we allow for a two year migration plan, etc.” then we can provide a clear roadmap as to how that looks.
Peter said what he was hearing from various CAs was it was not clear to them that there was a target to reduce cert lifetimes to some endpoint. Peter noted that Ryan had said he has brought the issue up at various meetings, but was seen by many as an idea (reducing certificate lifetime) that didn’t go anywhere, so it got dropped. We’ve had various ideas in the Forum that people have suggested and there wasn’t interest in moving them forward, so they died.
Peter said one of the things at the coming F2F that could be valuable would be for anyone, CA or browser, who thinks there are changes that should be made in, say, the next three years to highlight that. Any discussion of future directions could be valuable because, as Chris said, it does take time to get feedback. Peter thought the feeling was, where did this notion of a need for a plan to reduce cert lifetimes to one year come from? At the F2F we should be looking at things like “what is the end state that Chrome would like to see in three years?” based on current knowledge, understanding that this desired end state could change. Are there other things Chrome will be proposing, so we can go back to our customers for feedback? Ryan agreed that would be a useful discussion.
Kirk noted that time was running out, and asked if anyone wanted to talk about the other pending ballots. There were no comments.
10. Expected ASN.1 grammar for BR & EV certificates. Peter said this was related to the issue of what goes into a cert, and Li-Chun’s request for changes on that issue as to the grammar for EV certs. There was not enough time for this topic, so it was deferred.
11. Next F2F meeting: March 21-23, 2017 – Research Triangle Park, NC (Cisco). Kirk noted he did get comments back on the draft Agenda and will work on a revised agenda.
12. Any Other Business. There was no other business.
13. Next call on Thursday, March 16, 2017.