2018-09-06 Minutes of CA/Browser Forum
Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Christopher Kemmerer (SSL.com), Corey Bonnell (Trustwave),Daymion Reynolds (GoDaddy), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Geoff Keating (Apple), Jeannie Rissman (Network Solutions), Joanna Fox (GoDaddy), Jos Purvis (Cisco), Ken Myers (Federal PKI), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Marcelo Silva (Visa), Michele Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Peter Miscovic (Disig), Robin Alden (ComodoCA), Ryan Sleevi (Google), Shelley Brewer (DigiCert),Tim Shirley (Trustwave), Tomasz Nowak (Opera),Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (Federal PKI).
Roll Call
Antitrust Statement read by Robin.
Review Agenda. Agenda was approved.
Approval of Minutes of teleconference of August 23, 2018. The Minutes were approved and will be posted to the Public list.
Update on changes to mailing lists. Dimitris said the mailing list plan posted to the list some weeks ago had been successfully implemented, and all authorized representatives of Members, Associate Members, and Interested Parties can now post to both the Public list and the SCWG list. The Management list and SCWG list are now effectively the same. There are still some legacy names on the Public list with posting rights who are not on the official representatives lists, and their posting rights will be removed in the future. Kirk asked if Members should start posting on the SCWG list concerning SCWG matters, and Dimitris said yes. Kirk thanked Dimitris for all his hard work in updating our lists.
Close of Voting Period for CABF Chair, election results. Kirk said that the Election Committee would be announcing who had been elected the Chair of the CABF for 2018-2020 later in the day. [Note: after the teleconference ended, the Elections Committee announced that Dimitris Zacharopoulos would be the new Chair of the CABF.]
Close of Nomination Period for CABF Vice Chair. Kirk noted that there were two candidates for CABF Vice Chair for 2018-2020: Dean Coclin and Wayne Thayer. The election will occur as follows: Sept. 6-13: Discussion Period (with optional candidate statements), Sept 13-20: Voting Period. [Note: Those dates have since changed.]
Possible discussion of new member applications. Kirk noted that eMudhra Technologies Limited was in the process of applying for membership, and noted they had provided a successful Point in Time Readiness Audit (PITRA) dated February 2018. He had asked them for a link to a commercial customer who was using one of their certificates. There was then an extensive discussion of whether or not a successful PITRA audit was sufficient to qualify a CA for full Membership, or only for Associate Membership. Kirk noted that under Bylaw 2.1(b)(6), applicants to be full Members were required to provide a link to the “URL of the current qualifying performance audit report,” which implied a Period of Time (POT) audit and not a PITRA audit. Ryan responded that under WebTrust standards, a PITRA audit was a “performance” audit and so was sufficient for full Membership status. Kirk said that in the Forum for some years, the term “readiness” audit was short hand for a PITRA audit, and the term “performance” audit was short hand for a POT audit, so he believed the Bylaw requirement was for a POT audit and not a PITRA audit for full Membership. Both noted there had been an April 2018 Doodle poll of Members on their preference for which types of audits would be required for Associate Member and Member status (the poll results showed Members believed that a PITRA audit should be required for Associate Member status, and a POT audit should be required for Member status). Being accepted as a Member means the applicant must meet all other requirements as well, not just the audit requirements. Dimitris said a PITRA audit could not be sufficient for full membership, as the CA also needed to show it was “actively issuing certificates” to customers under Bylaw 2.1(a)(1) and (a)(2). Ryan countered that a CA who had a PITRA audit could actively issue certificates for 90 days before its first POT audit period ended, so a PITRA audit could be sufficient for membership. Chris noted that when SSL.com started, it first had Interested Party status, then received Associate Member status when it had its PITRA audit, and then moved to full Member status once it had received a POT audit. No conclusion was reached. The conversation was continued in the SCWG meeting that followed.
Governance Change Working Group update. Ben said the Governance Change Working Group had been working on several matters, including a Forum ballot to extend the term of current officers through October 31 (as new officers will start November 1), and a ballot to conform the Bylaws to include changes made in Ballot 216 that were later inadvertently dropped by the subsequent Ballot 206. He noted the WG will expire on October 3, but that Ballot 206 may have a process for converting existing WGs to new Subcommittees of the Server Certificate Working Group.
New Forum Infrastructure Working Group update. Jos said he had issued a call for Members who wanted to participate in the new WG, which will have its first meeting soon.
Creation of other new Working Groups (S/MIME, Code Signing, IoT). Ben suggested we schedule “birds of a feather” sessions at the Shanghai F2F to discuss creation of new WGs.
Ballot Status. No discussion.
New dates for Spring 2019 F2F meeting: June 11-13, 2019 – Greece (HARICA). Dimitris announced that HARICA had moved the meeting date for the Thessaloniki F2F meeting to June 11-13, 2019 to avoid a conflict with the Memorial Day holiday in the US. He has posted information about the meeting on the wiki.
Meeting Structure and Agenda Items for F2F Meeting Shanghai, Oct. 16-18, 2018. Kirk noted he had posted the first draft of a possible Agenda for the Shanghai meeting, and asked for topics and suggestions. Ben had suggested “birds of a feather” sessions for chartering of new Working Groups earlier in the call. Arno said he would have ideas in Shanghai for how to keep ETSI guideline reference numbers updated in Forum documents.
Any Other Business. There was no other business.
Next call: Sept. 20, 2018 at 11:00 am Eastern Time