Final Minutes for CA/Browser Forum Teleconference – 28 June 2018
Attendees: Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Cecilia Kam, (GlobalSign), Christopher Kemmerer (SSL.com), Corey Bonnell (Trustwave),Devon O’Brien (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Frank Corday (Trustwave), Geoff Keating (Apple), Joanna Fox (GoDaddy), Ken Myers (Federal PKI), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Michele Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Patrick Tronnier (OATI), Peter Miscovic (Disig), Phillip Hallam-Baker (Comodo Security Services), Rich Smith (ComodoCA), Ryan Sleevi (Google), Shelley Brewer (DigiCert),Tim Hollebeek (DigiCert), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla).
- Roll Call
- Read Antitrust Statement
- Review Agenda. Agenda was approved.
- Approval of Minutes of F2F meeting London June 6-7, 2018; Approval of Minutes of CABF teleconference of June 14, 2018. Ryan said Google had additional edits to make to the Minutes of F2F meeting London June 6-7, 2018, so approval will be deferred to the next teleconference. The Minutes of CABF teleconference of June 14, 2018 were approved and will be posted to the Public list.
- Validation Working Group update. Tim said the WG held its first teleconference after the F2F, and the notes of the meeting have been posted to the Validation WG mailing list. The WG’s Trello board of pending issues has been updated. The WG is waiting until the Server Certificate Working Group (SCWG) starts on July 3, after which the pending Forum ballots and other ballots will be filed as SCWG ballots and will proceed. Finally, the WG will consider the question filed on the Questions list as to potential errors in the current wording of BR 9.2.8.
- Network Security Working Group update. Tim noted the WG recently produced and circulated a final report on its work to date. Kirk asked if the report proposed a direction for the WG’s future work. Neil summarized the report’s findings: (a) the WG accepts that the Network and Certificate System Security Requirements (NCSSR) are somewhat outdated, new security threats have not been addressed, and additional compensating controls are needed; (b) the WG did look at other possible standards as a new framework, such as CIS and ISO 27000, but these frameworks are not an exact fit and moving in that direction would take a lot of time and effort; and (c) the general conclusion is the WG should continue making incremental updates to the NCSSR based on the WG’s risk assessments. Ben said the Network Security WG will be reconstituted as a Subcommittee of the new Server Certificate Working Group after July 3.
- Governance Change Working Group. Ben said the WG had a meeting earlier in the week, and had concluded that on the open questions about Associate Members and the IPR Agreement v1.3, there was no resolution to make changes to the Forum’s previous policy. The consensus was that given the short remaining time frame, the existing policy would remain the same unless and until it is changed by a ballot – meaning, the representatives of Associate Members do not also need to sign the IPRA in the names of their individual companies, and ETSI may continue to participate as an Associate Member on the basis of the existing 2009 Memorandum of Understanding without having to sign the IPRA. Later, the Governance Change WG may try to add clarity to these issues with additional Bylaws language.
Kirk added that he intends to ask all Associate Members to list their official representatives to the Forum from time to time for clarity. Kirk also reviewed the list of those Members and Associate Members who have still not signed the IPRA v1.3, and said he will contact them individually to encourage them to sign.
- Policy Review Working Group update. Ben said the WG is continuing to work on the definition of “Certification Authority” in the BRs, as it variously refers to an issuing system, a company, or a key pair associated with a CA name. The WG will likely continue as a Subcommittee of the new Server Certificate Working Group.
Dimitris said the WG spent time on BR 184.108.40.206, which is badly worded. The trouble with that section is how to align it with both old and new definitions which may refer to an issuing system, a company, or a key pair associated with a CA name. The WG is also working on how to deal with cross-signing.
- Question from Sony on browser membership requirements in the amended Bylaws. Kirk summarized the emails, and noted that Sony and any other new member applicant will have to qualify under both the requirements for Forum membership (which are somewhat open) and of at least one Working Group (which are likely to be more specific). He noted that Sony had provided information on its products and possible status as a Certificate Consumer on the Server Certificate Working Group, and asked the Members if they have enough information to respond to Sony.
Ryan said the application should be analyzed in two parts – does Sony qualify, and separately, what additional information do we need to answer the first question. The Forum will need to understand what software Sony is using and the update schedule (is the software updated or not updated once shipped) to determine Sony’s qualification. To decide, we need specific product information, like what we received from Cisco when considering its membership application to join as a browser.
Phillip noted that Sony PlayStations have web browsers, and that Sony may have a product in the future like Nintendo, which could mean it qualifies for participation on the SCWG as a Certificate Consumer. Ryan agreed they do ship a browser, but thought they don’t do security updates (and Nintendo doesn’t do root updates), which may be relevant. He suggested Sony should list the products it thinks will qualify them for participation in the SCWG as a Certificate Consumer, and provide more detailed information such as functionality and root store and security updates for the products.
Wayne also noted it was not clear from Sony’s emails that it actually wanted to participate on the SCWG, or instead was more interested in a possible future Code Signing Working Group, and suggested that they be asked that question. Wayne also asked if the updated Bylaws require an applicant to first join a Working Group, and only then join the Forum.
Kirk said he thought the two processes could be simultaneous, but that an applicant couldn’t be a Forum member until it was also a member of one Working Group. He also said he had thought that membership in a Working Group automatically qualified the member for membership in the Forum, and asked if that had changed in Ballot 206. Tim said that had been discussed in the Governance Change Working Group, and the solution was that a new Working Group charter could allow applicants to be WG members even if they do not qualify to be members of the Forum. Wayne and Tim thought the current Bylaws language required an applicant to first be admitted to a Working Group before it could be admitted to Forum membership.
There was discussion about how a new Working Group establishes its membership, and agreement that the new Bylaws do not contain specifics on the actual processes for starting up. Kirk also asked who decides (and by what process) who can be a member of a new Working Group once established, and Tim said that was a good question. The Forum may want to add provisions to the Bylaws on these questions.
Returning to Sony’s application, Ryan also suggested that Sony be informed it could instead sign up as an Interested Party with certain rights to participate, or even start participating at the invitation of the Chair. Kirk agreed and said he would provide that information to Sony.
Kirk said he had enough feedback to send Sony a response asking for more product information to see if Sony qualified as a Certificate Consumer, and to offer other alternatives such as Interested Party participation. Once Sony responds, the matter may come back to the Forum or SCWG.
- Future call for Member participation in Server Certificate Working Group; First meeting July 12, 2018. Kirk outlined his plan for getting the SCWG started – issue a call to current Members to indicate their interest in serving on the SCWG and for an initial organizational meeting immediately following the Forum’s next regularly scheduled call on July 12 – that call would start with a short meeting of the Forum, and after adjournment the immediate commencement of the first SCWG call.
Members could indicate their interest in participating on the SCWG in advance by posting their name on a new wiki page for that purpose. During the first call, the Members would start by reviewing the SCWG qualifications of those who indicated interest, and could challenge anyone who didn’t qualify (Kirk didn’t expect any challenges). The SCWG would then follow an Agenda covering other issues such as creating a process for electing its officers, establishing Subcommittees, etc. Kirk also suggested that all pendingwg Ballots of the Forum be refiled in the SCWG with distinctive new numbers, such as SCWG Ballot 1, SC Ballot 2, etc.
Tim indicated he wanted to file an SCWG Ballot before the first meeting on July 12 and even start the discussion period. Kirk suggested Tim could file SCWG Ballots, but should keep them as pre-ballots for discussion, and not start the official discussion period until after the SCWG had formally been organized on the July 12 call – the Forum wouldn’t know for sure who is actually a member of the SCWG until then.
Ben said he had already established a new SCWG mail list for public and management uses, and suggested maybe all existing Forum mail list members should just be copied and transferred over to the new lists. They would all be “moderated” (meaning they can’t post) until they have signed the IPRA and declared their intent to participate in the SCWG, at which point they would be unmoderated and could post. Dimitris suggested we continue to use the main Forum lists for both the Forum and the SCWG matters until we have all agreed on a transition plan. Ryan suggested that under things like the GDPR, putting people on mailing lists without some form of explicit consent could be problematic. Ben agreed, and said the better process might be to send an invitation to existing Forum list members to indicate their consent to also become SCWG list members.
- Ballot Status – Discussion of ballots (See Ballot Status table at end of Agenda). No discussion.
- Invitation letter, visa requirements for Shanghai F2F meeting Oct. 16-18, 2018. Kirk noted that China has a visa requirement for US citizens to visit China (he wasn’t sure about other countries) and that the host CFCA would prepare an invitation letter on request to Yi. He suggested Members start their visa application process 90 days in advance of the Oct. 16-18 meeting (meaning mid-July).
- Likely dates for Winter 2019 F2F meeting in Silicon Valley: March 12-14, 2019. Kirk indicated that the polling on three possible dates for the Winter 2019 F2F meeting in Silicon Valley showed conflicts on two of the dates but no conflicts for March 12-14, 2019. That will be the likely meeting date.
- Any Other Business. Kirk discussed a request he had received from a non-Member CA to attend the Shanghai F2F meeting, and indicated he was likely to extend an invitation as we have done in the past. There were no comments, and there was no other business.
- Next call: July 12, 2018