2019-01-24 Minutes for CA/Browser Forum Teleconference
Attendees (in alphabetical order)
Anna Weinberg (Apple), Arno Fiedler (D-TRUST), Ben Wilson (Digicert), Bruce Morton (Entrust Datacard), Chris Kemmerer (SSL.com), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Janet Hines (Trustwave), Frank Corday (Trustwave), Geoff Keating (Apple), Gordon Bock (Microsoft), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Iñigo Barreira (360 Browser), Joanna Fox (GoDaddy), Kenneth Myers (US Federal PKI Management Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mahmud Khair (Trustwave), Michelle Coon (OATI), Neil Dunbar (TrustCor Systems), Niko Carpenter (Trustwave), Rich Smith (Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley (Trustwave), Tomasz Nowak (Opera Software AS), Trevoli Ponds-White (Amazon), Vijayakumar (Vijay) Manjunatha (eMudhra), Wayne Thayer (Mozilla).
Minutes
1. Roll Call
The Chair took attendance.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
Today’s Agenda was approved.
4. Approval of Minutes of previous teleconference
The minutes of the January 10, 2019 teleconference were approved and will be posted to the Public list and the Public web site.
5. Forum Infrastructure Working Group update
The Infrastructure Working Group had a short call and basically repeated items from the previous meeting. E-mails have been sent to some members kindly asking for some virtual infrastructure to host the CA/B Forum services (namely the wiki, mailman, wordpress) but there have been no responses yet.
A new DocuWiki instance has been launched by Jos and is being tested. A test wordpress instance launched by Daymion has been created by cloning the existing cabforum.org web site. This wordpress is part of a GoDaddy managed solution.
6. Follow-up on new WG Charters (Code Signing, S/MIME)
Ben reported that he received only positive feedback for the Code Signing Charter, and he is looking for endorsers.
The S/MIME charter has triggered some discussion. He has made several updates on this document and would prefer if others can send new drafts with language they would like to see. Ben proposed that if people want to be added to the small group of members that are working on that draft, to send him an email.
Dimitris suggested that these drafts are in pretty good shape and that it would be best if they were circulated on the public list for more discussion and review. These drafts could also be uploaded to Google Docs, which makes it easier for people to comment and offer suggestions.
7. Upcoming F2F 46 meeting March 12-14, 2019 (hosted by Apple)
Hotel information is on the wiki. Geoff mentioned that we should primarily contact Curt for more information about the meeting. Kirk mentioned that the hotel rate is available for booking until February 12th, which is posted on the wiki. Dimitris will send a reminder to the management list about the hotel reservation deadline. The meeting will take place either at “Infinite Loop” or at “Apple Park”. Any hotel in this area would be convenient for both possible locations.
8. Any Other Business
None.
9. Bylaws and existing Charters update
Wayne led the discussion and started by reminding participants that a Google Document was published to the management list. This document includes proposed changes and comments to various sections of the Bylaws that have been identified as problematic or ambiguous in the past. A small group of people worked on this document, which is now considered mature enough to be discussed by the larger group of Members. Since there is no special subcommittee to work on this topic, as agreed on our last call we will use the CA/B Forum time to discuss the Bylaws in more detail. Wayne asked members to provide their opinion on whether these changes should be brought forward in one ballot or split into smaller ballots, and whether this discussion should be on the public list or not.
The first change is adding a section that allows the creation of a subcommittee at the Forum level. It seems that the current Bylaws allow the creation of Subcommittees only at the CWG level, and that is because of possible IPR issues. Kirk did an analysis of the IPR Policy version 1.3 and also sent an e-mail to the public list with his analysis. One of the key elements is that it is very clear that the IPR Policy applies only to Working Groups that are working on Guidelines. Kirk read some quotes from the overview that support this interpretation. The conclusion of his analysis is that unless the Forum level starts working on Guidelines, the IPR agreement doesn’t really apply to work done at the Forum level.
Wayne repeated that the concern was that there is no IPR protection at the Forum level, so we need to make sure that when creating a subcommittee at the Forum level, that subcommittee will not introduce IP that might end up in a Guidelines document. The proposal is described in a new section 5.6. Another option would be to specify Forum-level Subcommittees in the Bylaws, for example a “Bylaws subcommittee” amending the Bylaws or an Infrastructure Subcommittee.
Ryan mentioned that they had discussions with their legal counsel and confirmed these concerns about IP-related issues at the Forum level. He mentioned that if we go forward with creating a Subcommittee, whether directly in the Bylaws or by Ballot, besides checking all sections of the Bylaws for consistency, we would have to explicitly state that this Subcommittee shall not produce any Guidelines that might create IP commitments. That would address the majority of issues Google had with this topic.
Ben and Dimitris agreed. Dimitris mentioned that he had proposed something similar, but scoping the entire Forum level to explicitly not produce any Guidelines and leaving this work only for Chartered Working Groups.
Ryan mentioned that this is mostly captured in the Bylaws, where all activities related to IP commitments are done explicitly in Working Groups that come with the IP protection. He said that there are two parts we need to check:
– making sure the IP commitments are clear, which led to Google’s concerns over Code Signing because the IP commitments with the old structure were not clear;
– making sure that we are not developing documents or standards without clear IP commitment, and making sure we are not producing documents, Guidelines, bindings, recommendations (whatever the name is) that others might be bound to.
Wayne summarized that a reasonable approach would be to make this explicit in the section for Forum-level subcommittees and resolve the problem. Wayne asked Ryan to help draft the language to “forbid working on Final Guidelines or Final Maintenance Guidelines” and possibly technical matters that might introduce IP commitments.
Kirk pointed out that the IPR Policy is related to Guidelines and that we should be careful not to forbid technical discussions in general at the Forum level.
Wayne moved to section 2.1 on Membership qualifications, and the group discussed the requirement for “clean” audits. Wayne’s personal opinion is to not require “clean” audits, but he also stated that it is generally agreed that the Forum should not be making decisions about which non-conformities or qualifications might be acceptable or not.
Ryan mentioned that this is a challenging topic because a CA could scope their WebTrust engagement in such a way that they don’t include any validation activities and still get a “Successful” Audit. Google’s opinion is also to not require “clean” audits.
Dimitris mentioned that the current Bylaws describe in section 2.2 a process where a Member might be suspended if their audit is challenged and they cannot produce a clean audit report for 15 months, and he is trying to understand where this is coming from and what the intent was. Ryan corrected that the intent was for CAs to produce qualifying audit reports continuously, and the Bylaws make sure this is maintained without requiring “clean” reports.
Dimitris asked if members are ok with accepting audit reports that include qualifications and major non-conformities as their membership-qualifying audit report.
Ryan said that it is not ideal, but that’s the current reading of the Bylaws. Ryan mentioned the Seal program requirements for WebTrust, which require “clean” audits and defer to CPA Canada for the “subjectivity” of qualifications and how to interpret those.
Dimitris replied that perhaps we don’t need a seal, and there is no need for subjectivity from the Forum’s side, but just an audit report that states that “the management assertion is fairly stated in all matters” (or something similar), which is commonly used in WebTrust reports with no qualifications, and similarly with ETSI for reports with no major non-conformities. He thought that this would be ideal. Ryan agreed it would be ideal, but he described issues about audit scope. Also, for WebTrust there are different reporting templates that can be used depending on the framework. He also worries that if we enforce this “clean” audit requirement for CA/B Forum Membership, it would drive CAs to stop reporting non-conformities for transparency, or to choose auditors that don’t report non-conformities. Wayne also supported the idea of reporting non-conformities for increased transparency. Wayne thinks the Forum must be more inclusive, and CAs that went to the trouble of an audit and got an audit report should be given the opportunity to participate in Forum activities.
Wayne summarized that unless there were objections, he would remove the words “Successful” and “Clean” and just require an audit report.
Kirk asked if we need to specify the word “current” more precisely for an audit report. Wayne agreed and proposed language that the audit report “must be issued within 15 months” or something similar. There were no concerns raised with this recommendation.
Ben asked whether these audit reports need to be publicly available, because some CAs might have audit reports they don’t want to disclose. Ryan had the same concern and asked that we explicitly require this to be public, so that at least the Forum can evaluate whether it meets the membership requirements.
Wayne introduced the next item, which is the audit requirement for a period-of-time vs. a point-in-time audit that qualifies a Certificate Issuer for Membership. He mentioned that we need to at least specify what the minimum of this period-of-time should be. Currently CA members need a period-of-time audit to be considered for Full Membership and a point-in-time audit to be accepted as an Associate Member.
Ryan mentioned that there is an issue with ETSI because it doesn’t have a notion of point-in-time or period-of-time; there is only some guidance from ACAB’c. But regardless of that, he was curious about the underlying intent that we are trying to capture with this requirement, especially when a CA can get an audit report with fewer principles and criteria (scoping down the audit requirements).
Wayne also raised the issue of requiring that CAs “actively issue certificates”, which a point-in-time audit definitely can’t capture.
Ryan repeated the case where a CA can carve out certain sections of the WebTrust Principles and Criteria and still produce a clean audit report. He added that in the Microsoft Root Program a point-in-time audit is considered sufficient for inclusion, and the CA has 2 months before producing a period-of-time audit and 3 months before this report is issued. So, as a CA you would be able to issue publicly-trusted certificates without having a period-of-time audit report. So there is a gap, which could be solved if we required for example 5 months before being accepted in the Forum; and if we do, what is the difference that we try to capture with this requirement?
Wayne said that it boils down to precedent; this is how the Forum has gone about this so far.
Gordon likes the idea of Associate Membership if a CA only has a point-in-time audit, and explained that the whole idea of Microsoft accepting a point-in-time audit is to bootstrap CAs. That’s why Microsoft requires a period-of-time audit three months later. Similarly for the Forum, they would become a Full Member three months later when they submit a period-of-time audit report. He had questions about the ETSI program and how it maps to the WebTrust terminology of point-in-time and period-of-time audits.
Dimitris mentioned that the practice for ETSI audits is that they are practically period-of-time audits, even for the initial audit (the first time). Current practice requires CAB review of at least 60 days of operations before the CAB can issue Certification. Ryan said that this is not formalized in the ETSI criteria or the audit standards. WebTrust has explicit guidance that requires a minimum of 60 days audit period for a period-of-time audit. He realizes that ACAB’c has provided guidance and the new ETSI drafts try to capture some of these requirements. He believes that ETSI is somewhere in between point-in-time and period-of-time because of other jurisdictional factors, like NAB and Supervisory Body rules that come in addition to the existing criteria.
Wayne proposed a way to address that and substitute period-of-time with something like “covering a period of at least 60 days”, but the question is whether we want that or not. There seem to be different opinions, and this discussion must continue, probably on the public list. Kirk mentioned that he supports the current precedent.
10. Next call
February 7, 2019 at 11:00 am Eastern Time.