Minutes for CA/Browser Forum Teleconference 16 March 2017 (approved 13 April 2017)
Attendees: Atsushi Inaba (Globalsign), Bruce Morton (Entrust), Christopher Kemmerer (SSL.com), Connie Enke (SwissSign), Curt Spann (Apple), Dean Coclin (Symantec), Doug Beattie (Globalsign), Frank Corday (Trustwave), Gervase Markham (Mozilla), Jeff Stapleton (Wells Fargo), Jody Cloutier (Microsoft), Jos Purvis (Cisco), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Patrick Tronnier (OATI), Peter Bowen (Amazon), Rich Smith (Comodo), Robin Alden (Comodo), Ryan Sleevi (Google), Steve Medin (Symantec), Tarah Wheeler (Symantec), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wayne Thayer (GoDaddy).
1 Roll Call
2 Read Antitrust Statement
3 Review Agenda – Agenda was approved.
4 Approve Minutes of CABF teleconference of March 2, 2017 – Minutes were approved.
5 Governance Change Working Group update. Virginia said the WG had talked about the documents it is working on and the comments received. It will post draft Bylaw changes to the wiki so people can contribute with proposed edits. The WG is also working on a draft form of Working Group charter that can be used in the future when commissioning additional Working Groups under the new governance structure. Dean said he is preparing an agenda for the WG’s next meeting on Tuesday.
6 Validation Working Group update. No update
7 Policy Review Working Group update. No update.
8 Patent Advisory Group (PAG) update. Kirk explained that the PAG had made good progress, and it looked as if the three members who filed Exclusion Notices in response to Ballot 182 all planned to withdraw their Exclusion Notices. Under the IPR Policy, this effectively means that the three members are granting royalty free licenses under the terms of IPR Policy 5.1, to the extent that any of their patents present defined Essential Claims that are covered by Ballot 182. The PAG is likely to conclude its work very soon.
9 Ballot Status
a. Ballot 193 – 825-day Certificate Lifetimes: Kirk noted that this ballot was still in its voting period.
b. Ballot 184 – RFC 822 Names and otherNames, SRV names (Jeremy). No report.
c. Ballot 186 – Limiting reuse of validation information (Ryan). Ryan is waiting to see how the Future of Web PKI discussion goes at the F2F meeting, but it’s a concrete ballot that Ryan would like feedback on because it’s something Google thinks is important.
d. Ballot 189 – Amend BR 6.1.7 to clarify signing by root keys (Dimitris). No report.
e. Ballot 190 – Add validation Methods 1 and 8 (Jeremy). Kirk said that assuming all three Ballot 182 Exclusion Notices are withdrawn, the Forum will likely want to add back all six other validation methods from Ballot 169 to this ballot. Dean, Peter, and Virginia agreed.
f. Ballot 191 – Clarify Place of Business Info (Jeremy). Kirk said he thought this ballot dealt with a mis-match between the BRs and the EV Guidelines, where one says certain place of business fields are required and the other says they are optional. Peter said the EV Guidelines assumes all cities reside in a state or province, which is not true in some countries where there are cities that are immediately subordinate to the country name. This ballot makes state or province optional when using city (if there is no applicable state or province for the city).
g. Ballot 192- Notary Clarification (Jeremy). No report.
h. BR 126.96.36.199.2 and EVGL 9.2.5 and 9.2.7 (Li-Chun). Kirk asked Li-Chun if it was a legal requirement in Taiwan to use the PKI naming scheme he has presented, in which case BR 9.16.3 might apply. If not, it appears that it may not be possible to change the BRs to allow use of that naming scheme. Peter said there was no indication that this naming scheme was a legal requirement in Taiwan and the group working on the naming scheme issue. Ballot 191 may help, as Taiwan is a country where the city is directly subordinate to the country code. This raises the more general question of what do we want in the BRs when there is another naming scheme in a country that a CA would like to use instead of the BR requirements on subject information.
Kirk asked Li-Chun for his comments. Li-Chun said his company will think about it. He previously presented ideas at the Redmond F2F meeting, but Chunghwa will discuss with its government certification teams about minimal amendments to the BRs, and also discuss with the auditors and certain government agencies. It could be that new rules are needed for government CAs in certain countries. He will respond back once he has completed these other discussions. Kirk said he would remove the issue from future agendas until Li-Chun comes back with a new proposal.
10 Final review of Agenda for F2F meeting next week. Kirk discussed the draft agenda he had recently circulated. For the Tuesday working group sessions, he had scheduled a simultaneous meeting of an informal Workflow Management group meeting and a standing working group, but some comments indicated concern about simultaneous meetings. Ryan discussed the technical purposes of the Workflow Management group meeting were to automate and simplify the production of Forum documents and indicated there was strong interest among a number of members who wanted to participate. Ryan would schedule a time for the meeting among interested members.
Kirk noted there were open times available on Thursday. Gerv suggested adding a discussion of RAs, also called Delegated Third Parties in the BRs. They have various responsibilities (sometimes audited, sometimes not). Mozilla feels these rules could use a little tightening up, and the members could explore possible solutions at the F2F meeting. Kirk agreed to schedule time on Thursday.
The members then reviewed the procedures for the “Future of Web PKI” sessions at the F2F meeting. Kirk noted several topic proposals has been posted to the list for this part of the meeting. Peter said he had also collected suggestions, and explained how he planned to manage the sessions and pick topics for discussion over the two days.
11 Expected ASN.1 grammar for BR & EV certificates. Peter said Li-Chun has noted the current EV Guidelines include a reference for how we encode jurisdiction of incorporation in EV certificates that doesn’t jibe with modern ASN.1 syntax, so Peter sent a proposal to the list that says let’s take all the different places that suggest attributes for names and include that as an Appendix in the BRs for people who care about parsing the ASN.1 according to the ASN.1 syntax.
There was some concern expressed on the list about redefining things, but an appendix would help coordinate with RFC 5280, which used 1988 ASN.1 syntax which didn’t allow you to directly address things in code like the maximum length of fields, whereas newer syntax does allow you to say explicitly things like maximum length of fields. Kirk asked if this should go through a working group first, and if Peter had a recommendation for the Forum. Peter’s recommendation was the document he had suggested be adopted as an appendix, but he noted others may not agree to the proposal. Kirk asked if Peter wanted to propose that in a ballot.
Ryan said he supported taking the appendix forward in a ballot. One of the questions was that we have an ASN.1 grammar that is specific to the BRs, and an ASN.1 grammar specific to the EV Guidelines (for example, rules for .onion names only appear in the EV Guidelines). It could be useful to address this in a ASN.1 module document that could be kept in sync between the BRs and the EV Guidelines, or put it in the BRs as an appendix that applies to both documents (although that would require updates to the BR document even if you only wanted an ASN.1 amendment applicable to the EVGL). Ryan suggests the ASN.1 grammar either go entirely in the BRs or in a separate document, as splitting it up between the BRs and EVGL harms readability. We would have to make sure any ballot meets ASN.1 technical requirements and doesn’t introduce errors. In response to a question, Peter said this document would not be intended to change anything CAs are doing today, but would clarify in the ASN.1 grammar certain rules we have today (such as organization names being limited to 64 characters, which is already in RFC 5280). Kirk asked Peter and Ryan if they would draft a ballot as the next step, and Peter said yes.
12 Use of Trello board to keep track of Forum projects. Peter said the Forum had a lot to do, and it’s hard to keep track of all projects. It’s easy to lose things and hard to keep track of where things are. Trello allows users to create and share a common “to do” list, so Peter had created a list and put it online. Dean mentioned the Forum used to have a tracking sheet of open projects and issues, but it was terrible (some projects remained on the list forever because no one was interested in it).
Kirk asked how potential projects would ever get deleted from the Trello board once added. Peter said the idea was to keep track of things independently of topics that are on the Forum’s calls every week. To keep the list fresh, perhaps the Forum would spend an hour on the project list at each of its three F2F meetings during the year. There could also be a process for moving ideas and projects to a deletion list, then deleting it at the next meeting if no one objected, and also including a time limit for taking up a listed project. Everyone agreed that the Forum’s teleconference agendas would not be based on the project list on the Trello board. Kirk said the idea could be discussed more next week at Ryan’s Workflow Management meeting. Ryan said that group would meet after the Validation Working Group meeting ends at 4:00 pm on Tuesday, and he had added meeting information on the wiki.
13 Next F2F meeting: March 21-23, 2017 – Research Triangle Park, NC (Cisco). Following meetings: June 20-23, 2017 Berlin (D-Trust), Oct. 3-5, 2017 Taipei (Chunghwa Telecom).
14 Any Other Business. There was no other business.
15 Next call March 30, 2017. [The meeting was later cancelled by consensus of the members.]