Draft Minutes for CA/Browser Forum Teleconference – May 11, 2017 (version 2)
Attendees: Ben Wilson (Digicert), Bruce Morton (Entrust), Christopher Kemmerer (SSL.com), Connie Enke (SwissSign), Dean Coclin (Symantec), Dimitris Zacharopoulos (HARICA), Doug Beattie (Globalsign), Fotis Loukos (SSL.com), Jeff Stapleton (Wells Fargo), Jeremy Rowley (Digicert), Jos Purvis (Cisco), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mike Reilly (Microsoft); Peter Bowen (Amazon), Peter Miscovic, (Disig), Rich Smith (Comodo), Rick Andrews (Symantec), Ryan Sleevi (Google), Tarah Wheeler (Symantec), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wayne Thayer (GoDaddy), Wendy Brown (FPKI).
- Roll Call
- Read Antitrust Statement
- Review Agenda
- Approve of Minutes: the Minutes of the March 22-23, 2017 F2F Meeting were approved and also the CABF teleconference of April 13, 2017 as amended, and will be distributed on the Public list.
- Governance Change Working Group update. Ben said the Working Group had made lots of progress, and was working on revisions to the Bylaws to implement the changes. One issue was how to create the new form of working groups, dissolve them, extend their time, etc. There are still some issues remaining on Dean’s outline of the proposal, so the Working Group will work on that next. The goal is to have a complete proposal for discussion at the F2F meeting in Berlin.
- Validation Working Group update. Jeremy said there were many draft ballots in process, and pending Ballot 190 had been discussed at the recent meeting. Kirk noted that he and Jeremy had been working with Gerv on an updated Ballot 190, and might post a draft ballot later in the day. Jeremy indicated his plan was to stagger the various ballots so they are not all pending at once. Dimitris asked if Ballot 190 would reflect the issue raised by Gerv as to what type of domain validation was appropriate for particular domain names. Kirk said the draft does make a distinction between wildcard certs and other types of certs. Jeremy said he is also working on a follow-up ballot to correct some inconsistencies in the BR 184.108.40.206 language of Ballot 190, and he planned to circulate it to the whole group soon.
- Policy Review Working Group update. Ben said the Working Group had a call just before the Forum call, and was looking for a better way to handle distinctions such as external operating CAs, affiliates, CA versus CA operator, etc. Their hope is to modify and revive Ballot 188. Kirk asked if any of these issues involved the Delegated Third Party issue that was the subject of a draft ballot, and Ben said no.
- Draft Code of Conduct – see revised proposal (contained in Virginia’s email dated May 4). Gerv indicated he was happy with Virginia’s revised draft, and would be pleased to endorse. Ryan said he was circulating it within Google for comments, and would get back with comments by the end of the week. [Virginia joined the call later, and her comments on this topic are inserted here for continuity.] Virginia asked if anyone on the call had any comments about the redraft, and Ryan said he would provide feedback from within Google by Monday or Tuesday. Tarah said Virginia had done a good job, and asked to be kept in the loop in the ballot.
- Possible creation of a new Security Controls Working Group (to update the Network Security requirements). Kirk noted this had been discussed at the F2F meeting, and said the Forum could talk about things like the need for new Working Group charter to work on this issue, and whether to consider CI Security documents or other documents as a possible model for replacement of the current Network Security requirements. Dean said based on the prior discussions, some small group needed to “own” the issue for it to proceed, and agreed the working group process was probably the best place for this.
Gerv said that the primary driver for this issue seemed to be that CAs were fed up with the current Network Security requirements and wanted a change. Peter volunteered to draft a ballot to establish a new working group. Dean noted the existing Network Security standards were an improvement to deal with issues such as Diginotar, but unfortunately were static and never revised. Gerv said he had no criticism, but perhaps the standards should be rewritten based on something like the CIS Critical Security Controls.
Dean said there was probably no document that was a perfect fit for the Forum. Kirk suggested the new Working Group start by deciding on the type of controls it wanted, such as general security goals (with room for the CA to devise their own methods for meeting them), or very specific mandatory controls. Dean said the Working Group charter should be broad and not inhibit the Working Group’s work, and Kirk agreed. Jos said the charter could ask the Working Group to “recommend changes” to the existing Network Security Guidelines, which could include repeal or only edits.
Kirk asked if the Working Group should perhaps start by bringing in the auditors to find out what would be the best approach to new standards that can be audited. Peter wondered if such Working Group participation was allowed for Interested Parties. Dean noted the auditors did not want to be involved in the bi-weekly meetings where the BRs were being created; rather they were fine with doing “check-ins” at various points in the drafting process.
Dimitris said the Policy Review Working Group had discussed trying to incorporate the Network Security standards into existing BR Section 5 (Management, Operational, and Physical Controls), perhaps adding certain business requirements as well. Bruce wondered if the new requirements should be included in the BRs or kept separate, as the BRs apply to all types of certificates. Ryan noted that the Network Security requirements are combined with the BRs in a single WebTrust audit today. Peter noted that some CAs had only done only a Network Security audit for certain of their roots and infrastructure, not a BR audit.
Jeremy and Bruce offered to work with Peter on drafting a ballot and working on new standards.
- Ballot Status. Jeremy noted that his Ballot 191 – Clarify Place of Business Information Field Inclusion was now in the discussion period, and that he would repost after the call with two minor amendments suggested on the list.
Gerv noted he had posted his revised Bylaws amendment ballot to the list, and was looking for one more endorser. Dean said he hadn’t reviewed the ballot yet, but asked if Gerv thought it was really needed. Gerv said we might need it in the future if a browser or CA member had a change in circumstances and should be suspended or dropped from membership – right now, we don’t have a mechanism for that. Peter agreed, and said there were members we never hear from and who may have no active audits. Kirk noted that he, Gerv, and others were going through the list of members to determine if any had gone inactive and should perhaps be dropped; a list of such members will be posted to see if other members have any comments or information.
- Next F2F meeting: Kirk noted that the next Face to Face Meeting is set for June 20-22, 2017 in Berlin (hosted by D-Trust), and read an email from Arno discussing speakers and other issues. There may be a limit of about 50 attendees, so members were encouraged to sign up soon. Mike Reilly was on the call, and introduced himself as the new main representative from Microsoft in place of Jody Cloutier, who had left Microsoft. Mike was welcomed by the other members.
Kirk asked for any additional input concerning the Berlin agenda. Geoff said Apple would have a number of things to discuss, and asked for a 45 minute presentation period. Peter asked if it would be possible to participate in the meeting by telephone, and Dean replied he had asked Arno about that but would double check.
Kirk noted that the next Face to Face meeting after Berlin was set for Oct. 3-5, 2017 in Taipei (hosted by Chunghwa Telecom), and that Li-Chun had posted modified hotel and meeting information on the wiki.
- Any Other Business. There was no other business.
- Next call May 25, 2017