2018-09-20 Minutes of the Server Certificate Working Group
- Roll Call
Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Christopher Kemmerer (SSL.com), Daymion Reynolds (GoDaddy), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Fotis Loukos (SSL.com), Frank Corday (Trustwave), Geoff Keating (Apple), India Donald (FPKI), Jeff Ward (WebTrust), Joanna Fox (GoDaddy), Jos Purvis (Cisco), Ken Myers (Federal PKI), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Marcelo Silva (Visa), Michele Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Patrick Tronnier (OATI), Phillip Hallam-Baker (Comodo Security Services), Rich Smith (ComodoCA), Ryan Sleevi (Google), Shelley Brewer (DigiCert),Tim Callan (Comodo CA), Tim Shirley (Trustwave), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (Federal PKI).
- Antitrust Statement read by Kirk.
- Review Agenda. Agenda was approved.
- Approval of Minutes of SCWG teleconference of Sept. 6, 2018. The Minutes were approved and will be posted to the Public list.
- Voting Period for SCWG Vice Chair. Kirk noted that voting started on. Sept. 19 and would end on Sept. 26 on Ballot SC5 – Election of SCWG Vice Chair. He reminded the Members that we are following a special procedure for this ballot, with votes going to an Election Committee and not to the Public or Management list.
- Status of SCWG Ballots to create Subcommittees – SCWG Ballots SC9 (Validation Subcommittee) and SC10 (Network Security Subcommittee). Wayne said that Ballot SC9 would essentially convert the existing Validation Working Group to a Validation Subcommittee of the SCWG with no end date and with other procedural requirements included. The discussion period started yesterday, and he hoped the Ballot would be approved by October 3 when the Validation Working Group is dissolved so the work on validation issues can be continued uninterrupted.
Ryan thanked Wayne for including some of the procedural rules to govern the Subcommittee in the Ballot itself, as this addressed concerns he had. He liked the provision that says amendments to the SCWG charter establishing general procedural rules for Subcommittees will control over the provisions in Ballot SC9. Wayne said after the passage of Ballots SC9 and SC10, he will use the procedural language as a template for amending the SCWG Charter, or maybe the same language will just be put into future SCWG Ballots establishing new Subcommittees.
- Picking Ballot numbers / posting to wiki. Kirk noted that some draft SCWG Ballots had been listed with specific SCWG Ballot numbers on the wiki, but then Members had posted a new ballot with a different subject using the same “reserved” number on the wiki, which can cause confusion. He recommended that Members first list their ballot title on the wiki and take the next open number before they post a ballot. If they want to use a ballot number that is already “reserved”, they should contact the member who reserved the number to see if the member really intends to proceed with the ballot.
Dimitris said his understanding is that a ballot needs two endorsers before it can reserve a ballot number, so Members should not be taking ballot numbers on the wiki until their ballot has been proposed and has endorsers. Ben disagreed, saying it is useful for a draft ballot that has no endorsers yet to have a ballot number to help with discussion on the list. Kirk concluded by simply recommending that proposers of new ballots take a look at the wiki first to see what other ballots may be coming, and then choose their ballot number accordingly.
- SCWG issues for Shanghai F2F meeting Agenda. Kirk asked if there were other topics to add to the Shanghai F2F agenda. Ryan said that there had been discussions among browsers on the process for inclusion of roots from the auditing standpoint, the audits required from birth to death of a CA. There are a different variety of program requirements in place that require different things. Clarity and consensus on that and some verbiage would be useful, and this also applies to reworked language in BR 8.1 and 8.2 and confusion around performance audits.
Ryan didn’t know if these issues were already on the agenda, but he can it taking at least an hour of time. It might take 30 minutes to get everyone on the same page vocabulary-wise, some people use phrases that don’t match with professional terms. We want to spend time getting a common understanding as well as diagramming what the expected process should look like with the appropriate audit schemes recognized.
Jeff said that he and Don will be presenting a WebTrust update and going over this issue which seems to be relevant. Jeff said he had already done a posting on this in March 2017 and would be happy to walk people through that information not only for current WebTrust audit reports but a new form of report called “Root Key Protection” covering when a key is generated and stored but not yet used. The presentation will extend as far as explaining WebTrust rules, but obviously can’t make decisions for the browsers on what’s required for acceptance by root programs, or what the root programs want to see. There’s a good need to reserve an hour on the Agenda for the WebTrust update at this meeting.
Kirk said he had heard two topics proposed by Ryan. He was at the recent WebTrust meeting in San Jose, and Wayne said he would present his ideas for the audit cycle from the birth to death of a CA. He asked Wayne who would make that presentation, and Wayne said he would. Ryan offered to Wayne that he would cover the topic if Wayne didn’t want to, and Wayne said the two of them could work together.
Kirk said there was also the question about current Forum membership rules, and what type of audit was required for membership. He thought it wasn’t useful to argue about what our current Bylaws say or how to interpret them, but instead he’d rather spend time on what we want them to say, then clarify the Bylaws if needed. He said he’d put that as a topic on the Agenda as well.
Ryan said he thought the two topics (current audit rules, and the Forum’s membership rules) were really the same topic. When we have BR 8.2 issues and questions of what is a public CA and what are the audit requirements, those are closely related to the Forum membership requirements and we should tackle them as the same issue. If we spend time talking about the audit flow, we’ll come up with specific language that meets both conceptual and technical expectations. It doesn’t need to be a separate bit because it’s so closely related to that lifecycle.
Kirk disagreed and said we would list both (membership and general audit requirements) as separate topics. He also said that Wayne’s topic on preferred lifecycle of CA audits from birth to death was aspirational – Wayne doesn’t think the current audit requirements are clear on that. So we’ll treat general audit requirements and Forum membership requirements as separate, but perhaps they will merge.
Wayne said he thinks the topics are related but agreed they should be treated as separate topics.
Ryan countered that there is a chronological dependency between those, and we won’t be productive at the Forum level without understanding their vocabulary.
Dimitris said we should have the presentations by Wayne and Ryan before having the discussion about the Bylaws. He also suggested we widen the Bylaws discussion to include the other pending Bylaws issues (i.e., Subcommittees of Working Groups, elections, etc.), so we can add those in there as well.
Kirk agreed that the Forum can go through the list of Bylaws issues at the meeting, and so we’ll have the Bylaws as a third topic.
There was further discussion about the need to differentiate between Bylaws which affect Working Groups versus Bylaws that only apply at the Forum level. Kirk pointed out there is only one set of Bylaws, which is at the Forum level, so any changes would need to be made there. Ryan pointed out that some things are delegated to the SCWG by its Charter.
Jeff returned to his planned WebTrust update, and said he may not need an hour if Wayne and Ryan go first. Kirk questioned whether the issue of “definitions” was really so difficult. Ryan said it was from the browser root program perspective, differences between the approach of WebTrust versus ETSI, etc. It may seem like a non-issue for existing CAs, but it was creating problems where new CAs were concerned. There needs to be a common understanding in the Forum and for browser expectations.
Jeff said that from the WebTrust perspective, this was more of a new CA problem, and they are trying to figure out what to do. Ryan and the other browsers are getting oddball reports from auditors, and are not sure what to do with them.
Arno agreed that the Forum should talk about the CA lifecycle and the TSP lifecycle. There will be representatives from ACAB’c at the Shanghai meeting, and he and Clemens Wanko will explain it from the ETSI perspective. He expects we will need 1-1/2 hours for this discussion. Kirk thanked Arno, and said he would put that on the Agenda.
Kirk added that he hopes that what results is not just a good discussion of the issues, but also proposals for how we clarify this. He asked Ryan if he wanted to take a segment, be a presenter of a segment of these issues. Ryan said yes, that was what he was originally requesting.
Wayne said there is a segment on distinctions between WebTrust and ETSI audits, the definitions, the different artifacts that are created, and so forth. Then there’s the section as Jeff and Arno described about the audit lifecycle. And then there’s a third section about governments that we’ve talked about so far. Kirk ask if that referred to membership [in root programs], and Wayne said yes.
Kirk said he would put something together for the Agenda that flows. He said that if members have language they want to suggest for the BRs, please do.
- Ballot Status. No discussion.
- Any Other Business. There was no other business.
- Next call: Oct. 4, 2018 at 11:00 am Eastern Time