Final Minutes for CA/Browser Forum Teleconference – August 31, 2017 (approved Sept. 14, 2017)
Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Christopher Kemmerer (SSL.com), Curt Spann (Apple), Dean Coclin (Symantec), Devon O’Brien (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Frank Corday (Trustwave), Geoff Keating (Apple), Gervase Markham (Mozilla), JC Jones (Mozilla), Jeff Ward (WebTrust), Jeremy Rowley (DigiCert), Ken Myers (US FPKI), Kirk Hall (Entrust), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Neil Dunbar (TrustCor), Peter Bowen (Amazon), Peter Miscovic (Disig), Rick Andrews (Symantec), Robin Alden (Comodo), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave), Virginia Fournier (Apple), Wayne Thayer (GoDaddy), Wendy Brown (US FPKI), Zhihui Liang (360),
Read Antitrust Statement
Review Agenda. Agenda was approved.
Approve Minutes of teleconference of August 17, 2017. The minutes were approved and will be posted to the Public list.
Governance Change Working Group. Dean said the WG had met this week and reviewed the draft FAQ that will be circulated. It also reviewed Gerv’s extensive and helpful comments, and will complete those revisions on the next call. The WG hopes to have a ballot ready for voting in September. Kirk asked if the WG was also drafting an initial new Working Group Charter (e.g., Server Certificate Working Group) to take over the work of the current Forum if the Ballot passes. Dean said yes, a new charter was being prepared in the standard format. He said the WG had also discussed if the members of all the new Working Groups would have a seat at the Forum level, and the answer appears yes with voting at the Forum level likely to be CAs in one group and non-CAs in a second group.
Policy Review Working Group update. Ben said there had been a WG call that morning, working on the definition of “Certification Authority” in the BRs using a combination of ETSI and ISO definitions. He also mentioned the use of the term Trust Service Provider, and Kirk asked if we already have a definition for that. Dimitris said yes, as included in ISO 21188 which is referenced by WebTrust for CAs. In general, CA might be the term used for the more technical systems and operators for issuing and revoking certificates, while Trust Service Providers could be used for recognizing that a party could operate multiple CAs with different policies. Kirk asked if the goal of the WG is to modify the BRs to be clearer on the use of terms, but not otherwise to change any rules, and the answer was yes.
Network Security Working Group update. Ben said he had taken the list of 13 possible changes and improvements to the current NetSec requirements and posted them to an online survey where WG members could rate the issues in order of importance, and he discussed the results. The top priorities were to clarify the use and definition of “Root CA” and which of the NetSec requirements should apply to them (especially when the Root CA is offline). The definitions need to be reworked. Kirk asked if the WG’s plan was to work on one issue at a time and get to a proposed solution before moving to the next issue, and Ben said generally yes (assuming it didn’t take too long to fix each problem). He noted that some issues overlap and have dependencies, which will require a coordinated approach.
Validation Working Group update. No report (but see Ballot Status discussion).
Restart of Ballot 190 v7 (BR 188.8.131.52 Validation Methods). Kirk noted he had proposed a restart of Ballot 190 on the Public list, which had been delayed waiting for new BR definitions in Ballot 202 that could be used in Ballot 190. Because Ballot 202 had failed (over minor issues that can be fixed) and no new definitions ballot has been filed, it was time to get Ballot 190 finished so the revised BR 184.108.40.206 validation methods would be passed, then immediately start on improvements. Gerv suggested the formal discussion period not start until after the US Labor Day holiday on Sept. 4 so that members would focus on the final ballot, and Kirk agreed.
Ballot 211 – Resolution of Approval for WTCA v2.1 Changes. Jeff said the WebTrust Task Force wanted “vetting” by Forum members of their proposal for changes to WebTrust for CAs (Sec. 4.5-4.10) concerning key destruction, transportation, etc., and appreciated the useful comments from Forum members. He recognized that the Forum generally wants to “own” any standards it endorses, and said the Task Force had decided the WTCA changes probably should not be formally approved by the Forum as they applied both to public and private CAs. Accordingly, the Task Force was no longer asking the Forum for formal approval. Kirk said that the related Ballot 211 would be withdrawn.
Ballots 207-209 – ASN.1 Jurisdiction in EV Guidelines, dnQualifiers, EV Liability. Dean asked when these ballots were going to move forward. Jeremy said they were all ready, and would start soon. Kirk suggested Ballot 209 on EV Liability might generate more discussion and so maybe should start after the other two.
Draft Revocation Ballot – Jeremy said he was seeking endorsers for his draft ballot changing the current BRs (BR 220.127.116.11 and 4.9.5) on time deadlines for responding to problem reports and revocation requests, as the current rules don’t work when minor, non-security related issues are reported to a CA. A blanket response time of 24 hours for non-critical issues did not leave enough time to contact the customer, provide a replacement cert (which the customer needed to install), and revoke the prior certificate. He believes the permitted period for critical security issues (e.g., revocation after the customer reports key compromise) should remain at 24 hours, but that other non-critical revocation issues should have up to 7 days to complete a response.
Gerv noted the rules require some sort of initial response in the first 24 hours, but a complete response might take longer (gathering information, etc.). Peter agreed that some investigation could take a long time. Kirk asked what would happen if the CA contacted the customer for information on a non-critical issue, and the customer didn’t respond back in 7 days. Jeremy said the CA should document that it “could not determine” if the certificate should be revoked due to lack of response, and then the CA should probably close the file.
Kirk noted the proposal had language requiring reporting to the Forum concerning some revocation requests, but thought it was better if the CA simply responds to the person who filed a problem report – if the problem was reported to the CA via a public list on Mozilla, etc. the person could share the CA’s response there. Jeremy agreed that some issues would not be appropriate for public disclosure. Gerv noted that some revocation issues arguably involve “misissuance” by the CA (using that term loosely), and said he had written and circulated a “best practices” document for CAs on the most effective way to make public disclosure of such issues. Tim said he agreed that CAs shouldn’t be required to report problems in applying the revocation response rules back to the Forum – if there is a problem with the rules in the BRs, the CA is extremely likely to bring the issue back to the Forum anyway. Kirk agreed.
Any Other Business. There was no other business. Kirk suggested members send him agenda ideas for the upcoming F2F meeting in Taipei in October. Doug noted the group hotel had told him the cancellation policy was two days before the meeting, not an earlier date as previously reported.
Next call Sept. 14, 2017