Minutes for CA/Browser Forum Teleconference – Sept. 14, 2017
Attendees: Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Christopher Kemmerer (SSL.com), Connie Enke (SwissSign), Curt Spann (Apple), Dimitris Zacharopoulos (HARICA), Frank Corday (Trustwave), Geoff Keating (Apple), Gervase Markham (Mozilla), JC Jones (Mozilla), Jeff Ward (WebTrust), Jeremy Rowley (DigiCert), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Neil Dunbar (Trustcor), Peter Bowen (Amazon), Rich Smith (Comodo), Rick Andrews (Symantec), Steve Medin (Symantec), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wayne Thayer (GoDaddy).
- Roll Call
- Read Antitrust Statement
- Review Agenda. Agenda was approved.
- Approve Minutes of teleconference of August 31, 2017. The minutes were approved with the edits suggested by email on Sept. 5 by Dimitris, Atsushi, and Eric, and will be posted to the Public list.
- Governance Change Working Group. Ben said there was no report. The WG still needs to work on Gerv’s previous comments and suggestions.
- Validation Working Group update. Ben quickly reviewed the last WG minutes, and said he had no issues to discuss. Kirk asked if the WG was compiling a list of domain validation edits for BR 220.127.116.11 once Ballot 190 passes, and Ben said yes. Ben said if members have any issues concerning the new domain validation standards they should sent them to him. He will collect them all and present them for discussion at the F2F meeting in Taipei. Wayne asked who was chairing the WG, and Jeremy said he was, but had just been very busy lately.
- Policy Review Working Group update. Dimitris said the WG would propose replacing the term “Certification Authority” with “TSP” or trust service provider when the context in the BRs refers to the operator of the CA, and reserve the term “Certification Authority” or CA to refer to the services themselves. The WG is continuing its work.
- Network Security Working Group update. Ben said the WG continued the discussion on defining a root CA and offline or air-gapped roots – the security rules may need to be different for those as opposed to working, issuing sub-CAs connected to a network. He has distributed a red-line ballot for some of these proposed changes. The WG is continuing through a list of the top 10-15 ideas for improving the Network Security requirements, and the ideas will generally be addressed in order of decreasing importance and urgency.
Kirk noted there had been a suggestion on the WG list to first define a “secure perimeter” for the Network Security requirements, and then modify the other requirements accordingly. Neil said this was his suggestion, and Tim said he agreed with it – it will help if we first define the perimeters better, then we can know when special rules may apply for things like offline/air gapped roots.
- CAA Implementation Issues. Wayne noted there was a lot of ambiguity in the CAA rules as written, and asked whether the Forum needed a new WG to address this (or could an informal group prepare a revision ballot instead). Wayne said one of the hardest current issues was when DNSSEC was involved – it has been difficult to determine if a CAA record was or was not present in some cases. Some CAs think if the CA can’t determine whether a CAA record is present because of DNSSEC, it can’t issue, but others believe it can. This is impacting GoDaddy’s customers.
Gerv said there are three basic options: (1) tell websites they must implement DNSSEC properly if they want to do CAA, (2) pretend DNSSEC doesn’t exist and proceed on the data that is available, and (3) come up with a short-term solution now while working on a longer term fix. He agreed the current CAA rule is ambiguous when applied to some DNSSEC sites. There was further discussion on this issue. Geoff thought the CAA RFC was clear, and Wayne believed the best solution might be to modify the BRs as to CAA implementation to address the current problems.
- Ballot Status. There was no report.
- Planning and Agenda for Taipei F2F meeting Oct. 3-5. Kirk said he was preparing a draft agenda and asked for input as to items for discussion. The location of the social dinner was discussed.
- Any Other Business. Gerv noted the Forum had recently amended its Bylaws to clarify how a member could leave the Forum, but added that our Bylaws do not cover what happens if a member is acquired by another member. He added that if the pending DigiCert-Symantec acquisition occurs, two current members will effectively become one. Jeremy said DigiCert would be the surviving member, and Rick said if the acquisition is completed Symantec would resign from the Forum. Kirk said he thought the acquired member (Symantec) would still be able to send representatives for the acquired brands to the Forum meetings, but formally they would be there under DigiCert’s membership.
Gerv noted that the Forum’s website currently shows 360, WoSign, and StartCom as members, but 360 owns the two other companies which are no longer independent members. Ben said he would correct that on the website. Kirk said he would confirm by emailing the three companies to make sure they agreed.
As a separate matter, Rick asked Gerv if there was anything special that DigiCert and Symantec would need to do on the CCADB site in relation to the acquisition. Gerv recommended that Rick ask Kathleen Wilson of Mozilla for the answer.
- Next call Sept. 28, 2017. For now, the Forum teleconference call will occur as scheduled to handle any last-minute issues before the F2F meeting the following week. If no issues arise, the teleconference may be cancelled by the Chair.