2017-11-30 Minutes
Final Minutes for CA/Browser Forum Teleconference – Nov. 30, 2017
Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Christopher Kemmerer (SSL.com), Corey Bonnell (Trustwave), Curt Spann (Apple), Dean Coclin (DigiCert), Devon O’Brien (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Fotis Loukos (SSL.com), Frank Corday (Trustwave), Jeremy Rowley (DigiCert), Jos Purvis (Cisco), Julie Olson (GlobalSign), Ken Myers (Federal PKI), Kirk Hall (Entrust), Neil Dunbar (Trustcor), Rick Andrews (DigiCert), Robin Alden (Comodo), Ryan Sleevi (Google), Shelley Brewer (DigiCert),Tim Hollebeek (DigiCert), Tim Shirley (Trustwave), Wayne Thayer (Mozilla), Wendy Brown (Federal PKI), Xiu Lei (GDCA).
Roll Call
Read Antitrust Statement
Review Agenda. Agenda was approved.
Membership Application of Comodo Security Solutions, Inc. (CSS) as a browser. Kirk said he, Ben, and Dean had reviewed the application of CSS to be a Forum member as a browser, and believe CSS qualifies under the Bylaws. Kirk also read an email from Gerv Markham of Mozilla saying that he had asked questions about the CSS application for information, but believed CSS qualifies under the current Bylaws also. Ryan asked if the application included emergency contact information, and Dean said yes. The members agreed by consensus to accept Comodo Security Solutions, Inc. as a browser member.
Governance Change Working Group. Dean said the WG had a call on Tuesday, and has finished the FAQ document. Next step is to finish the edits to the Bylaws, which will likely occur on the next call. The WG hopes to be finished by the holidays and then proceed with the ballot.
Ben said there was one minor issue – the Bylaws include two definitions for a CA member, one a Root CA and the other an Issuing CA, and the definitions are almost the same. The WG may consider creating a merged definition for the future. In past meetings, Virginia Fournier has recommended not making other general changes, but instead to stick to those changes necessary for the governance change in order to avoid complications. Dean said the WG could clean up other things in the Bylaws, but doesn’t want to create objections by members. Kirk suggested the WG could recommend other Bylaws changes if it was clear they were minor only and would not generate objections. He asked if the first new WG charter (the new Web Server WG) was completed, and Dean said the charter was fairly close to completion.
Policy Review Working Group update. Ben said the WG had completed a call earlier that day, and was using GitHub for its suggested revisions. The WG has completed new definitions for the key terms “Certification Authority” and “Trust Service Provider”, and was now going through the BRs to insert the new terms where they fit. Dimitris noted that the new definitions had been circulated on the Public list on December 14, 2017, and the WG is moving forward.
Network Security Working Group update. Kirk noted that Bruce was again participating in the WG, and asked if Bruce would return to chairing the WG; Bruce said no. Dimitris reported that the WG hadn’t been certain as to the threats to be addressed by the NetSec controls, so had formed a subgroup to try to define this better this so the WG would have a clearer roadmap for updating the NetSec requirements. The subgroup has posted a document to Google spreadsheets to show the threats addressed and corresponding controls, and will report back to the WG with its results soon. Kirk asked if the WG or subgroup had reached any conclusions yet about appropriate changes to the NetSec requirements, and Dimitris said no.
Ben said the WG had received an email from Josh Aas of Let’s Encrypt raising an inconsistency in the BRs and NetSec requirements concerning HSMs being FIPS compliant but then being patched with security updates that were not themselves certified as FIPS compliant, and the WG will work on that. The WG will also review the definitional changes to the BRs and NetSec requirements being drafted by the Policy Review WG and decide if those changes will require further editing of the NetSec requirements.
- Validation Working Group update. Jeremy said that due to his schedule he could no longer chair the WG, and had missed the last meeting. Kirk asked the WG members to volunteer if they were willing to become the chair. Ben said that on its last call the WG considered CAA issues as a follow-up to the last F2F meeting discussion. Rick had listened to the recording of the F2F meeting and had listed the open issues – perhaps the VWG should take them up. Tim said he had an issue for the WG relating to random value tokens and nonces.
Ben noted that a number of VWG matters had been completed by successful ballots in prior weeks, but noted that two (relating to SRV names and IP address validation) were still pending. Bruce has raised the need to remove outdated provisions from the BRs such as those addressing Internal Names and gTLDs – those provisions can now be deleted. Bruce said he would circulate a proposal to the main list.
Wiki on pros and cons of CT Redaction – additional comments. Kirk said Gerv asked him to remind members to post any additional comments on the pros and cons of CT domain name redaction to the wiki.
Possible CAA Working Group. Kirk noted that the members seemed in favor of forming a CAA Working Group at their last F2F meeting to deal with open questions about CAA implementation, but it wasn’t clear if there was in fact support. He noted that a number of CAA issues had been discussed in a recent Validation Working Group meeting, which could be another place for discussion.
Tim said creation of a new WG depended on the members’ band width. Wayne noted that creating a new WG doesn’t create more time for members, and most member are busy so the Validation WG might be a better place for discussion of CAA issues. Kirk noted that Rick had created a list of open CAA issues from the last discussion, and asked if the VWG should start with that list; Rick said it was probably a good starting point. Tim said he had additional items to add to Rick’s list, and agreed to be maintain a list of CAA issues for discussion in the VWG.
Ballot Status – Discussion of ballots. Kirk noted the members had worked through the backlog of pending ballots, and there were only a few draft ballots remaining on the Agenda. Ryan said he had delayed introducing a ballot requiring CAs to write their CPSs in RFC 3647 format due to all the other activities happening, but thought the time to introduce the ballot was now right. HARICA was one endorser and Trustwave had been the other, but Tim had now moved to DigiCert. Tim again volunteered to be an endorser in his role at DigiCert. Dimitris asked about the time frame for compliance by CAs in moving to RFC 3647 format. Ryan planned to push out the deadline for RFC 3647 updates from February 2018 to April 2018, and would proceed with a ballot. He also noted there was some minor inconsistency in the language of the BRs versus the EV Guidelines as to CPS format, which would be resolved by the ballot.
Locations for 2019 F2F meetings. Kirk noted that the Forum had received the following generous offers to host the Face-to-Face Forum meetings in 2018 and 2019:
2018: March – Herndon VA (Amazon), June – London (Comodo), Oct. – Shanghai (CFCA)
2019: March – Cupertino (tentative), June – Greece (HARICA) – tentative, Oct. – Guangzhou (GDCA)
This would continue the pattern from 2017 of having one meeting each year in North America, Europe, and Asia. Before committing the Forum for meetings two years in advance, he wanted to let members review the tentative calendar and offer comments and opinions. Tim thought the pattern and meeting locations was good. There were no other comments, so the meeting schedule will be as listed, subject to confirmation by the hosts.
Any Other Business. There was no other business.
Next call: Dec. 14 at 12:00 Noon Eastern Time