Final Minutes for CA/Browser Forum Teleconference – Dec. 14, 2017
Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Christopher Kemmerer (SSL.com), Corey Bonnell (Trustwave), Curt Spann (Apple), Daymion Reynolds (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Don Sheehy (Deloitte – WebTrust), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Frank Corday (Trustwave), Jeff Ward (BDO – WebTrust), Jos Purvis (Cisco), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Peter Miscovic (Disig), Rick Andrews (DigiCert), Ryan Sleevi (Google), Shelley Brewer (DigiCert),Tim Hollebeek (DigiCert), Tim Crawford (BDO – WebTrust), Tim Shirley (Trustwave), Wayne Thayer (Mozilla), Wendy Brown (Federal PKI).
- Roll Call
- Read Antitrust Statement
- Review Agenda. Agenda was approved.
- Approval of Minutes from teleconference of Nov. 30, 2017 and F2F Minutes Oct. 4-5, 2017. The Minutes of the Forum teleconference of Nov. 30, 2017 were approved. Ryan objected to approval of the Minutes of the F2F meeting of Oct. 4-5, as the draft Minutes had only been circulated the prior day, so the approval would be deferred to the next teleconference. Dean raised the question of whether the Forum should hold its next teleconference on its next scheduled date of Dec. 28, and the members decided to cancel the meeting due to the holidays, meaning the next teleconference would be on January 11, 2018 – four weeks later.
Ryan pointed out that Bylaw 5.1(a) provides that if the Minutes will be deemed approved if no edits are offered within two weeks after publication to the members, so if there are no edits offered in the next two weeks the Minutes for the F2F meeting of Oct. 4-5 will be deemed approved and will be posted to the Public list at that time.
- Governance Change Working Group. Dean said the WG had recently met by teleconference, this time to review needed changes to the Bylaws. The last thing to do is review the draft charter for the new Web Server WG – the entire governance proposal will be ready for final review and approval by the Forum after that. The WG’s next call is on January 9, and the ballot should be ready after that. Kirk suggested the WG not go immediately to the seven-day discussion period because of the complexity of the proposal, and instead start with a pre-ballot for some period. Dean agreed, and also asked for a block of time on the January 11 Forum teleconference to discuss the ballot.
- Policy Review Working Group update. Ben said he had posted a copy of the BRs on GitHub with the WG’s proposed changes, including replacing the term “CA” with the term “TSP” or Trust Service Provider when the reference is to the business providing certificates, and not the issuing HSM itself. The WG will include explanatory comments next to each change to the BRs to help members understand the WG’s reasoning. Ben said there is one remaining issue regarding the definition “Registration Authority”, which is poorly defined and hardly used anywhere in the BRs. The WG will address and possibly amend the definition.
- Network Security Working Group update. Ben said the WG held a meeting the prior week and talked about issues like a hard drive associated with an issuing CA – how to store and maintain it. This relates to the prior discussion of defining the proper security “perimeter” for the root CA, and the other zones like “High Security Zones” etc. currently defined in the Network Security requirements, and related security requirements (roles, access, passwords, etc.).
Kirk asked if the WG would likely be making extensive changes to the existing Network Security requirements, and Ben said yes. The WG plans to prepare an early ballot with the easiest, non-controversial changes to the Network Security requirements, and then follow later with other ballots as progress is made. It’s taking time to complete, as there is variance on how different CAs do things with their network security and CAs have different ideas on how to improve the requirements – the WG is trying to come to a consensus. Dimitris said the WG members are suggesting stricter practices, and recently had a good discussion on root security where the current Network Security requirements are lacking some controls. The WG’s will want to discuss their ideas with all members at the next F2F meeting in March, as some big changes are coming – requirements will be harder, but reasonable, and some bad controls will be eliminated.
- Validation Working Group update. Tim Hollebeek said he had stepped into the WG Chair role with Jeremy Rowley’s withdrawal, and noted that Bylaw 5.3 calls for the Forum Chair to appoint the chair of new WGs, but is silent on what happens when the original chair steps down. To avoid doubt, Kirk appointed Tim the new Chair of the Validation Working Group.
Tim said the WG was working on the following issues. He has posted a draft ballot in GitHub on the issue of secret value versus freshness which should solve that issue. The WG will also work on a ballot updating the methods for IP validation, and issues that CAs have had with CAA. CAA issues will include both the policy side to be discussed at the CABF and the technical side to be discussed at IETF (IETF has a couple of proposals pending on how to fix the C-NAME issues). Finally, the WG is considering how CAs use information sources under the EV Guidelines and may develop some possible improvements.
- Developing Requirements for Cloud-Based CA functions; Creating Audit Guidelines. Kirk noted that the Forum had previously discussed whether any part of a CA’s systems could reside in the cloud and be in compliance with WebTrust and ETSI requirements, but had reached no conclusions. There was interest in pursuing the issue, and so he had asked members of the WebTrust Task Force to be on the call and help the members figure out how to proceed. Kirk asked the members if they had a current issue in this topic.
Curt started by asking if CA services located in the cloud could be audited under current standards. Kirk said that was an interesting question, and some believed current audit requirements could be applied to a cloud environment, but might be difficult to apply. Arno said ETSI had similar discussions but had likewise not reached any conclusions but would discuss again in January.
Ryan noted that CAs could use a cloud provider today and if the auditor could perform all necessary parts of the audit on the cloud provider’s premises (physical security, logical separation, etc.) it would be possible under the audit scheme today to achieve that – but it’s unlikely that some cloud service providers (e.g., AWS) would allow an auditor that level of access. Cloud providers do have their own audits, including a SOC Type 1, 2, and 3 (where Type 2 is often given to customers and contains more detail, and Type 1 is intended for auditor to auditor use as a basis for an opinion), but that may not be sufficient. There are unique challenges depending on what definition of cloud services we use and who the provider is.
Jeff Ward of the WebTrust Task Force said there are two main issues: reporting (as in the AWS example), and then whether the requirements are already there to audit the virtualized network setup in the cloud. On reporting, Type 2 audits get into the SOC world and details of the testing and results. Even if WebTrust auditors looked at AWS’s Type 2 report they would still need to get comfortable with the work performed and do some testing on their own, which is where it gets difficult if access is restricted. The bigger issue is what’s in WebTrust now that wouldn’t apply if the service is in the cloud.
Jeff thinks there are things that need to be added to the WebTrust requirements for cloud based services, and he sees two paths forward. Path 1 would be for the Forum to come up with the additional criteria needed (like it did with the Network Security Requirements) and then WebTrust would wrap the audit criteria around it, and Path 2 would be to find another publicly available framework that could be adopted by the WebTrust Task Force and let the Forum respond to where it falls short, then put that those additional criteria in the WebTrust for CAs document or have some addition to the BRs document, or a blend of the two. Getting started is the hard part.
Don Sheehy of the WebTrust Task Force said it comes down to both the auditing process and the measurement criteria. On the auditing process, WebTrust has always been what’s called an “inclusive approach” so you’re not allowed to carve out a third party like you can on a SOC 1 or 2 report. The issuance of the seal has always been a process where the auditor has covered the complete length of the process. In doing that the auditor would have to be able to get satisfaction that the auditor of the other service providers did a good job, and each firm has its own rules on that. The toughest thing might be getting an actual assertion from that third party auditor who was not under contract to the WebTrust auditor with respect to the controls being operated. That’s something auditors can address in the audit world.
In the measurement world Don agreed with the prior statements – it’s been brought up many times but without resolution because of different priorities within the Forum. Don’s understanding was that there were issues in the BRs as they stood today with respect to the cloud, as the BRs were developed more for the non-cloud environment. In terms of any development of measurements, if we were to go to a different framework for cloud computing the WebTrust Task Force could get comments from the Forum members as to whether they think the framework language is appropriate or not, but we want to avoid the scenario we just finished with the new requirements on key destruction, etc. where the Task Force could not get a Forum vote because it came from outside the Forum (but the Task Force did get useful comments and was able to incorporate them in the new WebTrust requirements). On how to move forward on whether the BRs need to be modified for cloud services, it might make sense to have the auditors and Forum members work in a cloud group to come up with criteria and controls that will be acceptable to the members and can quickly be put into audit criteria.
Kirk asked the members if they wanted to assign this task either to an existing Forum working group or create a new working group. Tim pointed out there’s a lot currently happening in the Network Security WG around how to deal with remote locations, how to have a High Security Zone that is geographically distributed, etc., so this is a closely related topic. A separate cloud services WG would have to work closely with the Network Security WG. Arno said it would be good to have more information about the use cases – for example, are we drafting requirements to allow the HSM to be placed in the cloud anywhere in the world, or something else? It would be easier to draft new criteria if we are clearer on the use cases we are addressing.
Curt said we could go the opposite way – identify what current parts of the WebTrust audit criteria cloud services can’t meet, and consider how we need to modify the criteria so they can be applied to the cloud. Ryan said that the definition of cloud can mean a lot of things – it would be interesting to approach by crafting a problem statement of what problem we are trying to solve, then ask is this a problem a working group should address. While there’s been interest in the subject, it’s unclear what the problem statement/objectives are – otherwise we could do a lot of make-work with unclear value. As a starting point, maybe we don’t form a working group but have those who are interested come up with a set of problems they want to address.
Curt thought the problem was that the current audit requirements will not allow CA services to be placed in a cloud environment, so the problem is already defined. Ryan disagreed, saying the current audit requirements do allow using the cloud – the problem maybe arises when you are talking about AWS versus maybe a local provider – but a CA could host in a private cloud, for example, which would present different issues, or a cloud provider could allow the auditor to inspect what it wanted. A CA may have a system located in multiple locations all covered by a single audit today with multiple audit assertions and site visits, which in some ways is like a cloud environment. A problem statement from CAs will help focus on what needs to be done that existing requirements don’t allow.
Kirk asked Tim and Ben if the Network Security WG wanted to discuss taking on this project. Tim said he agreed there were two parts to this: how do you do the audits themselves (not for the NetSec WG), and what the technical requirements should be. We are talking about complex CA architectures that are not just located in a single room, which is becoming more common. What the requirements and controls for a complex CA need to be is something the NetSec WG needs to keep in mind as it does its current work.
Kirk asked what the plan forward should be. Dimitris said when the NetSec WG gets some use cases and some complex architectures involving the cloud where auditors could find challenges, it can be discussed. Ryan agreed that rather than have the auditors come up with what might be problematic in the abstract, it would be useful to hear from CAs as to the specific challenges they are facing – “We are trying to do X, and using the cloud would be beneficial for this reason… The NetSec requirements say Y, but AWS won’t let the auditors do that…” to help frame the problems. We can then figure out what appropriate controls look like for that case and build toward a solution, knowing what we are building toward.
Kirk asked Ben (as chair of the NetSec WG) and Dimitris to take the matter forward in the WG and come up with a game plan in according to these discussions, and Ben said yes.
- Updates to CABF properties like websites, wikis, IPR, etc. Dean had suggested that the Forum needed to update the following documents and lists:
- Remove names from member’s list on website
- Update certain wiki pages
- Archive IPR agreements
- Remove email privileges
Dean noted there had been lots of changes at the Forum, including withdrawal of members, new members, mergers of CAs, movement of people from one member to another, etc. Some documents like IPR Agreements should be archived, and email addresses should be updated. He said there’s a lot to do, but updates are needed. He suggested that a “checklist” should be prepared for future Forum officers listing all the records that needed to be maintained. Ben said members also wanted a place for information, like dial in numbers for teleconferences. Kirk and Ben agreed to work on these issues. Ben noted some members like Dimitris and Wayne have volunteered to help in the past, and asked for volunteers. Jos also offered to help with the work.
- Ballot Status – Discussion of ballots (See Ballot Status table at end of Agenda). Kirk noted that Ballot 216 (Update Discussion Period Process) and Ballot 217 (Sunset RFC 2527) were ending their discussion period, and the voting period would begin later that day.
- Any Other Business. Kirk said that Li-Chun of Chunghwa Telecom had asked if the Forum teleconferences could be moved to one hour earlier (from 12:00 noon Eastern to 11:00 am Eastern), and the members agreed to do that. Ben also said he will upload the recordings of the main teleconference meetings to the wiki and leave for some weeks so that members could listen after the fact. The Policy Review WG teleconference will switch its time with the full Forum teleconference time, so will now meet at 12:00 noon Eastern. This will start on January 11, 2018, as there will be no calls on Dec. 28 due to the holidays.
Dean said he had lined up a guest speaker for the F2F meeting in March 2018 which will be hosted by Amazon in Herndon, VA. The speaker is a member of the US Congress with expertise in cybersecurity in general (not in the CA industry in particular). Kirk said that sounded interesting, and Dean said he would complete the arrangements and find a good time for the speaker.
- Next call: Jan. 11, 2018 at 11:00 Noon Eastern Time. The members agreed to cancel the regularly scheduled teleconference on Dec. 28, and instead meet on the regularly scheduled date of Jan. 11, 2018 at the new time of 11:00 am Eastern Time.