<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 2 6 3 5 4 5 2 3 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Georgia",serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:663437000;
mso-list-template-ids:-1879911792;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:743987417;
mso-list-template-ids:-1772058356;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:904029353;
mso-list-template-ids:-653203242;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:1389840585;
mso-list-template-ids:-31165392;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4
{mso-list-id:1667439840;
mso-list-template-ids:-478136804;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5
{mso-list-id:2037804577;
mso-list-template-ids:1924935506;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6
{mso-list-id:2042707681;
mso-list-template-ids:-93535388;}
@list l6:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-family:"Georgia",serif'>All three of the recent minutes postings from Kirk (F2F and 22 March/February 8 minutes) have been posted to the public website.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><span style='font-size:9.0pt;font-family:Consolas;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><span style='font-size:9.0pt;font-family:Consolas;color:black'>-- <br>Jos Purvis (jopurvis@cisco.com)<br>.:|:.:|:. cisco systems | Cryptographic Services<br>PGP: 0xFD802FEE07D19105 | +1 919.991.9114 (desk)</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;line-height:105%;color:black'>From: </span></b><span style='font-size:12.0pt;line-height:105%;color:black'>Public <public-bounces@cabforum.org> on behalf of Kirk Hall via Public <public@cabforum.org><br><b>Reply-To: </b>Kirk Hall <Kirk.Hall@entrustdatacard.com>, CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Date: </b>Sunday, 8 April, 2018 at 19:43 <br><b>To: </b>CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Subject: </b>[cabfpub] Final Minutes for CA/Browser Forum F2F Meeting Herndon, VA – 7-8 March 2018<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><a name="_MailOriginalBody"><b><span style='color:black'>Meeting 43 Minutes</span></b><o:p></o:p></a></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Plenary Meeting - Wednesday-Thursday, 7-8 March 2018</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Attendance:</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Arno Fiedler, D-TRUST; Atsushi Inaba, </span></span><a href="https://www.cabforum.org/wiki/GlobalSign"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GlobalSign</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Ben Wilson, </span></span><a href="https://www.cabforum.org/wiki/DigiCert"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>DigiCert</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Bruce Morton, Entrust Datacard; Cap Hayes, Cisco; Cecilia Kam, </span></span><a href="https://www.cabforum.org/wiki/GlobalSign"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GlobalSign</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Chris Bailey, Entrust Datacard; Chris Kemmerer, SSL.com; Christoph Sutter, ACABc /TUVIT; Christopher Czajczyc, Deloitte; Corey Rasmussen, OATI, Curt Spann, Apple; Dave Blunt, Amazon; David Pederson, Amazon; Daymion Reynolds, </span></span><a href="https://www.cabforum.org/wiki/GoDaddy"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GoDaddy</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Dean Coclin, </span></span><a href="https://www.cabforum.org/wiki/DigiCert"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>DigiCert</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Devon O'Brien, Google; Dimitris Zacharopoulos, HARICA; Don Sheehy, </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Doug Beattie, </span></span><a href="https://www.cabforum.org/wiki/GlobalSign"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GlobalSign</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Enrico Entschew, D-TRUST; Eric Docktor, Amazon; Fotis Loukos, SSL.com; Franck Leroy, Certinomis - Docapost; Frank Corday, Trustwave; Frazier Evans, US General Services Administration; Geoff Keating, Apple; Gordon Bock, Microsoft; Iñigo Barreira, 360; J.P. Hamilton, Cisco; Jeff Ward, </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Joanna Fox, </span></span><a href="https://www.cabforum.org/wiki/GoDaddy"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GoDaddy</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Jonathan Kozolchyk, Amazon; Karina Sirota, Microsoft; Ken Myers, Protiviti; Kirk Hall, Entrust Datacard; Leo Grove, SSL.com; Mads Henriksveen, Buypass; Masakazu Asano, </span></span><a href="https://www.cabforum.org/wiki/GlobalSign"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GlobalSign</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Matthias Wiedenhorst, ACABc /TUVIT; Michael Slaughter, Amazon; Mike Reilly, Microsoft; </span></span><span style='mso-bookmark:_MailOriginalBody'><span lang=EN style='color:black'>Moudrick Dadashov (SSC); </span><span style='color:black'>Neil Dunbar, </span></span><a href="https://www.cabforum.org/wiki/TrustCor"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>TrustCor</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Jingan Ou, GDCA; Patrick Tronnier, OATI; Peter Bowen, Amazon; Phillip Hallam-Baker, Comodo Security Services; Philipp Bouchet, ACABc/ LSTI; Rachel </span></span><a href="https://www.cabforum.org/wiki/McPherson"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>McPherson</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>, </span></span><a href="https://www.cabforum.org/wiki/TrustCor"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>TrustCor</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Rich Smith, Comodo CA; Richard Barnes, Cisco; Robin Alden, Comodo CA; Ryan Sleevi, Google; Scott Rea, </span></span><a href="https://www.cabforum.org/wiki/DarkMatter"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>DarkMatter</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Taryn Abate, CPA Canada; Tim Hollebeek, </span></span><a href="https://www.cabforum.org/wiki/DigiCert"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>DigiCert</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Tim Shirley, Trustwave; Travis Graham, </span></span><a href="https://www.cabforum.org/wiki/GoDaddy"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GoDaddy</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Wayne Thayer, Mozilla; Wei-Hao Tung, </span></span><a href="https://www.cabforum.org/wiki/ChungHwa"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>ChungHwa</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> Telecom; Wylie Swanson, </span></span><a href="https://www.cabforum.org/wiki/TrustCor"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>TrustCor</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>; Lei Xiu, GDCA</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Start of Plenary Meeting</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Recap of Prelim Matters, Review Agenda and Logistics, Antitrust Statement & Assign Note Takers, Misc. Items of Business: opening statement, welcome new members</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Official Welcome from Kurt Kufeld, VP AWS Platform, Amazon</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Browser root program updates</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- Mozilla</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Doug</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>1 Personnel Changes</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Gerv has stepped down from his role at Mozilla due to health issues described on his blog [1]. We wish Gerv the best and thank him profusely for his service to the CA/Browser Forum. Aaron Wu has also left Mozilla. Kathleen and Wayne are splitting program responsibilities, with Wayne leading policy and enforcement activities, while Kathleen manages CCADB and owns the root inclusion process.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>2 CCADB News</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Current Root Store Members of CCADB [2]: Mozilla, Microsoft, Google, Cisco</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>2.1 CA Problem Reporting Mechanisms and Recognized CAA Domains:</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Info directly published by CCADB to:</span><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l4 level1 lfo1;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://wiki.mozilla.org/CA/Included_CAs"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://wiki.mozilla.org/CA/Included_CAs</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l4 level1 lfo1;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="http://ccadb.org/resources"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>http://ccadb.org/resources</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><o:p></o:p></span></li></ul><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Can be updated as part of Audit Case in CCADB. If needs to be updated out of the annual cycle, then send email to </span></span><a href="mailto:support@ccadb.org"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>support@ccadb.org</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> .</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>2.2 Audit Cases [3] and audit archiving:</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>New button “Add/Update Root Cases” added to Audit Case page to make it easier for CAs to associate the new audit statements with their root certs.</span><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l0 level1 lfo2;background:white'><span style='mso-bookmark:_MailOriginalBody'>CAs create a single Audit Case for a particular set of audits. Then the CA clicks on this button to create a set of corresponding Root Cases, one per root, to tell the CCADB which Root Certificate records the audit statements in that Audit Case apply to.<o:p></o:p></span></li></ul><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>New button “Edit Test Websites” added to Audit Case page to make it easier for CAs to provide/update the test websites for those root certs. It lists all of the Root Cases that were generated via the “Add/Update Root Cases” button, and lists the test websites (if pre-existing) for those root certs, so the CA can update them in one place.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Audit statements for root cert records are archived within CCADB. By the end of March audit statements for intermediate certificate records will also be archived within the CCADB (when the intermediate cert record has separate audit statements). And we will add a section to the root and intermediate cert records listing the audit archives associated with it.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>On our to-do list: add ability to add audit archives for older audit statements, so we could generate the full history of audit statements for a root cert. This will likely be a simplified Audit Case type of object, so CAs could upload their old audit statements, and then a root store operator could verify before CCADB processes the data.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>2.3 Root Inclusion Cases:</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>CAs and root store members should ignore the current “CA Owner/Root Inclusion Request” Cases.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Kathleen is redesigning Root Inclusion Case objects, and will announce when it is ready for people to begin using (hopefully by June). The redesign will be based on how Audit Cases are implemented, and will enable CAs to directly input/update their own root inclusion request data, and the Root Store Members will be able to independently make decisions on that data.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>2.4 CP/CPS updates:</span><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l1 level1 lfo3;background:white'><span style='mso-bookmark:_MailOriginalBody'>Part of the Audit Case.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l1 level1 lfo3;background:white'><span style='mso-bookmark:_MailOriginalBody'>If a CA needs to update separately, then send email to </span><span style='mso-bookmark:_MailOriginalBody'></span><a href="mailto:support@ccadb.org"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>support@ccadb.org</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> .<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l1 level1 lfo3;background:white'><span style='mso-bookmark:_MailOriginalBody'>On our to-do list: Make it so CAs can directly update certain information in their Owner and Root records, such as CP/CPS links, CA Problem Reporting Mechanism, CAA Identifiers.<o:p></o:p></span></li></ul><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>2.5 Updates to Account Hierarchy section in CA Owner, root, and intermediate cert pages.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>If over 100 records in the hierarchy, then the Account Hierarchy section will only show the directly related items (parents up to Owner, children, siblings), and there will be a link at the top of that section called: “[ATTENTION: Your hierarchy has over 100 records, click here to see full hierarchy]”. This link displays the full Account Hierarchy in a separate tab.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Some user interface tweaks: icons showing which record you are currently looking at (star), which records have children records (two locks), which records are revoked (x). Show part of SHA2 Fingerprint (instead of SHA1), minor text changes.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>3 Intermediate Preloading</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>This summer, Firefox will begin pre-loading its certificate database with all intermediates disclosed in the CCADB. This is an alternative to “AIA chasing” designed to reduce the incidence of “unknown issuer” errors caused by server operators neglecting to include intermediate certificates. Updates to the CCADB will be provided for Firefox users on a regular basis.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>4 Inclusion Request Processing</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note to CAs from Kathleen: I am 3 months behind on reviewing CA comments/additions to their root inclusion/update request bugs. If you updated your CA’s bug prior to December 5, and no one has responded to your update, then please send email to Kathleen. Otherwise, please be patient.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>We’ve changed the inclusion process [4] by adding a separate step for detailed CPS reviews prior to the public discussion period. Since the request won’t have to wait indefinitely for someone to provide feedback on the CPS during the public discussion phase, we plan to limit the discussion period to 3 weeks with extensions if needed.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Devon and I are performing the CPS reviews. It really helps move things along when the CA has made an effort to comply with the BRs and Mozilla policy in their CPS rather than waiting for us to point out obvious problems.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>We are also giving audit history more attention. If you submit a root for inclusion that issued certificates prior to obtaining a BR audit, it is likely to be rejected.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>5 November Communication</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>I summarized the responses Mozilla received [5]. The general theme was slow response by some CAs to implement new requirements. Some CAs had not complied with version 2.5 of the policy that went into effect last June [6], while others claimed compliance but hadn’t updated their CPS. I expect the next version of Mozilla policy to make these requirements more explicit.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>We also had a few CAs who required repeated nagging before responding to this survey. With the January survey, we began treating non-response as an incident. Currently, one CA has still not responded to the January survey, which has us extremely concerned.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>6 January Communication and Ballot 218</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>We decided to send out a special survey in January to raise awareness of the vulnerabilities found in domain validation methods 1, 5, 9, and 10. The detailed responses on the use of method 1 provided by some CAs were very helpful [7]. Mozilla expects CAs to comply with ballot 218 and discontinue use of methods 1 and 5 by August 1st, but we currently have no plans to impose additional root program requirements.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>7 BR Self Assessments</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Thank you to all CAs who completed assessments by the original deadline of January 31st. Extensions until April 15th have been granted to some CAs. We would like to make a review and update of this an annual requirement that each CA submits along with -or perhaps prior to - their annual audit statements.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Google Doc of BR Self Assessment Status: </span></span><a href="https://docs.google.com/spreadsheets/d/1Lmdkl3gTpKyBgZwL_6j5ivClBXiGMUnZyAVJDTHtjO4/edit?usp=sharing"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://docs.google.com/spreadsheets/d/1Lmdkl3gTpKyBgZwL_6j5ivClBXiGMUnZyAVJDTHtjO4/edit?usp=sharing</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> If your CA’s BR Self Assessment status in this document is incorrect, please send email to Kathleen.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>8 Audit Reporting Requirements</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Section 3.1.4 of the Mozilla Root Store Policy [8] requires audit reports to contain certain information. We have begun to reject reports that don’t contain this information. Mozilla strongly encourages CAs to ask their auditors to supply the required information.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Kathleen is using the Audit Letter Validation (ALV) tool [9] provided by Microsoft in the CCADB to help verify that all of the required information is in the audit statement.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>We are also aware that ETSI is working to improve their audit statement templates and look forward to their update later in the meeting.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>9 Deadline for S/MIME Name Constraints</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'>Section 5.3.1 and 5.3.2 of the latest Mozilla policy requires CAs to publicly disclose (via CCADB) or technically constrain (via both EKU and Name Constraints) all subordinate CA certificates including those used to issue email S/MIME certificates. At the Taipei F2F meeting we pushed the compliance deadline to April 15th, which is now the date all subordinate CA certificates must be disclosed, constrained via EKU and name constraints, or revoked.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>10 Symantec Certificates and Firefox</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>We are planning to release the second phase of the Symantec distrust plan -- remove trust in all Symantec certs issued prior to June 1, 2016 -- [10] [11] in Firefox 60, due to be released in May [12]. With the exception of certain whitelisted subordinates, certificates that chain to Symantec roots and that were issued prior to June 1, 2016 will generate an error. Our implementation has been updated to whitelist certain subordinate CAs based on their public key. We have also added the preference “security.pki.distrust_ca_policy” to FIrefox. A large number of sites are currently impacted by this change, but we are optimistic that the situation will improve prior to the release of Firefox 60.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>In Firefox 63 due in October, we plan to remove the exception for certificates issued after June 1, 2016. but exceptions for the whitelisted intermediates will remain in place. We have not yet set a date for removing the whitelist or the Symantec roots.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>11 Certificate Transparency</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Mozilla has no new information or plans to share at this time, but we are still considering implementing our own CT policy.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>12 Root Store Policy Version 2.6</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>I am working on a number of updates to our root store program [13]. CAs are encouraged to participate in the discussion on mozilla.dev.security.policy. One area that I would especially like CAs input is requirements for transfers of subordinate CAs.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>URLs related to the above:</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>[1] </span></span><a href="http://blog.gerv.net/"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>http://blog.gerv.net/</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> [2] </span></span><a href="http://ccadb.org/rootstores/"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>http://ccadb.org/rootstores/</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> [3] </span></span><a href="http://ccadb.org/cas/updates"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>http://ccadb.org/cas/updates</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> [4] </span></span><a href="https://wiki.mozilla.org/CA/Application_Process"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://wiki.mozilla.org/CA/Application_Process</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> [5] </span></span><a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/Bs3yRryKWFQ/zJkUtz0GBAAJ"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://groups.google.com/d/msg/mozilla.dev.security.policy/Bs3yRryKWFQ/zJkUtz0GBAAJ</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> [6] </span></span><a href="https://wiki.mozilla.org/CA/Root_Store_Policy_Archive"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://wiki.mozilla.org/CA/Root_Store_Policy_Archive</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- Microsoft</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Tim Microsoft Root Program Updates (CABF 43 f2f):</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Talking points from Mike:</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>• </span></span><a href="mailto:msroot@microsoft.com"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>msroot@microsoft.com</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> should be used for communications to ensure timely response. Communications to CAs will come from this address as well rather than from individual team members. (old </span></span><a href="mailto:trustcert@microsoft.com"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>trustcert@microsoft.com</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> will relay mails to msroot but eventually will be decommissioned) • We now have the capability to deploy root store changes on a monthly cadence. Root change request review may not move as quickly though depending on complexity, conformance to CABF baseline requirements and/or Microsoft root program requirements/contract • January release came out on 30 Jan. For more information, see: </span></span><a href="http://aka.ms/rootupdates"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>http://aka.ms/rootupdates</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>. Next release targeted for the end of March. Monthly change capability begins in April • Continuing to conduct end-to-end examination of each root in the root store for EKUs, use, contract compliance and other issues which may represent risk to Microsoft our users. Moving last remaining CAs on 2007 version contracts to updated 2015 version • Continued efforts toward automation of program processes to minimize errors and enable increased verification of program compliance • Update on our Common CA Data Base CA Audit Letter Validation project (Jixi) o In production and visible to everyone in the CCADB o Actively being used and finding CA audit letter problems o Demo/Q&A Thursday after lunch (slot 13 on f2f 43 agenda)</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Gordon and Karina from Microsoft are here so people can meet them.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Doing an end-to-end scrub of all roots including EKUs, risk ranking, contract requirements, and so on. Will be reaching out with questions and concerns.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Chris: How are risk rankings determined? Audit status, on latest contract, ability to meet requirements, discussions in public forums, unresponsiveness.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Mike: Still have ~24 people on the 2007 contract, everyone needs to move to 2015 contract.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Continuing to try to increased use of automation, driven by Gordon.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Doug: Mozilla has a pretty open process for policy development, does Microsoft have any such plans? Also, some terms in the Microsoft policy are confusing, how to get updates?</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Mike: No plans to have a collaborative feedback on policy planning, but will share through CABF what changes might be coming. Send a note to MSROOT about things you find confusing, and if there are common misunderstandings or things that are unclear, they will be fixed.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- Google</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Robin <br>Ryan: Contact information. There is a CCADB blast in your mailbox. The email address to contact us for the root program is </span></span><a href="mailto:chrome-root-authority-program@google.com"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>chrome-root-authority-program@google.com</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Please do not email individuals for root program issues as an email could be missed or the individual may be away from work.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Certificate validation:<br>SYMANTEC - Chrome 65 is no longer trusting certificates from legacy roots issued after December 2017. Chrome 65 is out today. Chrome 66 will be out Mar 16, removing trust for SYMC certificates issued before June 1, 2016. Common-name matching that was enabling for Enterprise use - this feature is being removed in Chrome 66. 825 days lifetime will be ENFORCED at 825 days (measured in seconds). Chrome 66 also blocks certificates issued with valid_from in the future.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>If you are trusted, or were ever trusted on a Chrome platform, you will be subject to requirements as they emerge over time, in perpetuity. CT - enforced on public CAs. Blogs going out (today) talking about transitions.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>UI/UX<br>Chrome 65 has been actively doing trials of HTTP marked as non-secure, as well as HTTP being marked as non-secure with a red danger triangle.<br>This is all part of our move to deprecate HTTP. Chrome 68 will mark HTTP as non-secure. Any site that uses HTTP will be marked as not secure.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>We have a tool called lighthouse. It is Webdev-oriented and examines your site and gives performance tips. We have introduced a new lighthouse audit that looks for mixed content (http & https). We will look at other things in lighthouse audits, too.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>CT (Devon)<br>Chrome 65 added 2 new sets of time-sharded logs. time-sharded logs Argon & Nimbus (Cloudflare) now in Chrome 65.<br>In early February we updated CAs (thru CCADB) and reposted to CT-policy asking about CT readiness.<br>If you haven't already answered the survey - please do!!! Also, we have migrated the authority source of truth for CT policy to </span></span><a href="https://www.cabforum.org/wiki/GitHub"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GitHub</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>. The old page now redirects to </span></span><a href="https://www.cabforum.org/wiki/GitHub"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GitHub</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>. This creates a more controlled approach to policy.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Since we added sharded logs for CT, operators have asked for shard groups. We are trying to balance the benefit of having enough logs without having too many. There will be public discussions. Since we are closing in on 100% enforcement. If you plan on supporting CT without embedding SCTs, please reach out to us, we want to make sure you are fully aware of what that means. Also if you ARE planning to embed 100% - let us know.<br>Finally, the last CT policy day was in November 2017. Followup will be summer/fall 2018, after the 2018 CT enforcement date so we can tweak policy from lessons learned. Attend if you have things to say!</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Q: Roots removed from chrome store - what does that mean?<br>A: If a root is removed from public trust, but added back as an enterprise root, (e.g. Equifax root) if we encounter a chain that has been buit in that way, we will treat it as if it were publicly trusted.<br>Chrome used to have an issue where an enterprise root signed a publicly trusted root, (J&J do this), we used to treat it as an enterprise root.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>1024 bit is a special case, because some users in (e.g.) India struggle to get authroot updates.<br>SHA-1 - we have an enterprise policy which enables it. - but if it transits a public trust anchor (identified by SPKI) then we apply rules as if public.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Q: Where is there a list of public trust SPKIs.<br>A: I have a lovely json doc in the Chrome source tree.<br>Q: There is a single unified set across all platforms?<br>A: Correct, in Chrome 65 and earlier it was based on local config & platform.<br>from Chrome 66 it is based on a single list. (with meta-data relating to platforms)</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- Apple</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Mike</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Upcoming distrust of Symantec plan details to be published soon. Apple plans to align distrust with the timeline published by Google and Mozilla. However, what will be distrusted may be different than those root stores which focus only on TLS</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Certificate Transparency (CT) update: Looking into CT log policy development but most likely the Apple CT policy will align with that of Google. Apple will also use the same list of trusted logs as Google. This list can be found at </span></span><a href="https://chromium.googlesource.com/chromium/src.git/"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://chromium.googlesource.com/chromium/src.git/</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> +/master/net/data/ssl/certificate_transparency/log_list.json</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Should a log operator desire to include their log in Apple’s program requests should be sent to certificate-transparency- </span></span><a href="mailto:program@group.apple.com"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>program@group.apple.com</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> and include the following:</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Two points of contact (email and phone number)</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- CT logging policy for accepting certificates</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Subject DN and SHA256 fingerprint of accepted root certificates</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Publicly accessible CT log server URL</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- CT Log public key (DER encoding of the </span></span><a href="https://www.cabforum.org/wiki/SubjectPublicKeyInfo"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>SubjectPublicKeyInfo</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> ASN.1 structure)</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- The Maximum Merge Delay (MMD) of the Log</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Apple Evaluating standing up a Root CA that will issue certificates to be used to verify CT Log for MMD compliance.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Cert revocation capability is still going well. CT log updates now flow almost immediately into next revocation information update.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- 360</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Mads</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Qihoo 360 Browser presented by Inigo</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>1 Browser characteristics</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Two browsers based on Chromium. 360 Safe Browser used in China, the 360 Extreme Browser used outside. Both sharing the same root program. Flash Icon to change to the IE look and feel or Chromium look and feel.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>2. Security enforced certificate strategies</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Intercepts any certificate error by default. White lists based on websites with high traffic.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Approx 90k sites are blocked pr day – more than 40% due to invalid certificate date invalid, mostly caused by incorrect system time.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>3. White list</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>White lists includes top gov websites and top banks.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>4. UI presentations</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Different UI for EV, OV, IV and DV.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>5. 360 Browser Root Inclusion Process</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>360 Browsers trust the root certificates in the underlying operating system. CAs are to encouraged to apply for inclusion in their Root Certificate Program – see caprogram.360.cn.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Robin asked if CAs already included in Microsoft, Apple, Mozilla etc should apply for inclusion in the 360 Root Certificate Program and the answer was yes.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>All CAs must start applying now or else they will be removed. The application process is described on the website caprogram.360.cn. Just fill in the form to apply.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>360 has contacted Mozilla to also use CCADB.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>6.Others</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>HTTPS by default, Symantec issue to be implemented this year.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>In China most of the systems are old and websites support IE.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Wayne asked about how to contact the Root Certificate Program system operators. The application form contains some information.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Dimitris said that we need this information from all the browsers in the Forum.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Working Group Reports</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- Governance Change Working Group</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Cecilia</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>History: Governance Change Working Group was formed after Ballot 165 passed. The goal of this group was to:</span><o:p></o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l6 level1 lfo4;background:white'><span style='mso-bookmark:_MailOriginalBody'>Revise the scope of what the forum should work on.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l6 level1 lfo4;background:white'><span style='mso-bookmark:_MailOriginalBody'>Change IPR policy<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l6 level1 lfo4;background:white'><span style='mso-bookmark:_MailOriginalBody'>Reviewing the voting schemes<o:p></o:p></span></li></ol><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>The proposed amendments were shared. The working group suggests that you review the documents on your own, and with your counsel. They are hoping to move forward with the ballot 206 shortly after this meeting.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Each member will have 90 days to sign the updated IPR agreement once Ballot 206 passes</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/Meeting%2043%20Minutes?action=AttachFile&do=view&target=CABF_F2Fpreso_030518_vmf.pptx"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>CABF_F2Fpreso_030518_vmf.pptx</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ballot is effective 90 days after it passes and can use the old rules till then.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>The Working group has also been compiling a list of issues. They have it on a spreadsheet and have categorized by 3 categories. 1. Won't fix 2. Important 3. Critical. They are trying to address the critical ones first. If categorized as important they are not critical for ballot 206. If categorized as won't fix - they will not fix. Dean/Ben will add this list on the wiki.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- Policy Review Working Group</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Chris K.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Presenters: Ben Wilson, Dimitris Zacharopoulos</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>The group's primary focus to date has been to review and disambiguate use of the phrase "Certificate Authority" and where required replace this with "Trust Service Provider" (where "CA" refers to a certificate authority's people and/or processes and "TSP" to the legal entity that operates the CA ("a distinction that is needed").</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Upcoming needs and functions of the PWG are TBD and might include evaluating standards of other similar groups to see if the BRs are "up to speed" and reexamining the WG charter.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>The latest email from the WG (of Feb 23d) includes a RFC and a link to the </span></span><a href="https://www.cabforum.org/wiki/GitHub"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GitHub</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> </span></span><a href="https://github.com/cabforum/documents/pull/84"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>pull request</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> incorporating all proposed CA/TSP language changes. This review is now complete and likely to move to a ballot soon after this F2F meeting</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- Network Security Working Group</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Tim Shirley</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Presenters: Ben Wilson, Dimitris Zacharopoulos</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Good progress from the morning discussion; discussed where we are and how we got here. A sub-group is doing thread analysis of root CA systems and identifying compensating controls. Seeking feedback from forum if thread analysis process is a good one to use in the future.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Generally positive response to methodology from auditors & CAs; worth continuing. Discussed upcoming changes to password requirements. Discussed waves of ballots to make changes gradually. First ballot will make 2FA mandator and NIST doc as guideline for password properties. Discussed 2 definitions of air-gapped zone and high security physical zone. Work is ongoing.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Kirk asked what the plan is to do next, after completing these "bites". Ben responded they have a lengthy list; looking to extend charter (expires in June.) Want to add how we handle cloud-based systems.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>-- Validation Working Group</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Neil Dunbar</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Speaker: Tim Hollenbeek</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Validation WG Summit yesterday. Surprised, and pleased, to see many of the methods coming under scrutiny, hence a desire to critically appraise the validation methods, towards improvement, or removal.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Some good discussions on each method, identifying weaknesses and concerns, as well as potential improvements. With Wayne compiling the list of improvements, we wish to turn those action items into workable ballots. Participation in this process would be appreciated, given the time commitment.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Still some controversy over whether method 1 can be rescued; this is the priority in the work because of its current use and incipient removal in a short timeframe.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Some doubt remains, given the scope of work and availability of resources to complete the balloting process.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Some other work products involve EV improvement and IP validation, but at a lower priority.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></b></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'> Update</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Kirk</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> for CA Update</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Presented by Jeff Ward, Don Sheehy, and Taryn Abate Current Status of </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> audit criteria:</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> Baseline + NS vs 2.3 Released effective February 1, 2018 Updated to conform with Baseline 1.5.4 and NS 1.1</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> for CA 2.1 Released effective September 1, 2017 Sections added on key migration, destruction and transport Publicly Trusted Code Signing Vs 1.0.1 Modified version released to fix error in material and to remove unauditable criterion Current Status - updated</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> EV SSL Released v 1.6.2 effective October 1, 2017 Updated EV SSL Audit Criteria to conform to EV SSL Guidelines v1.6.2 and other clarifications</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> EV Code Signing Released vs 1.4.1 effective October 1, 2017 Removed Principle 2, Criterion 5.12 as it was not auditable Current Status - updated</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Practitioner Audit Report templates Approved by AICPA/CPA Canada Released Sept 1, 2017 Covers almost all potential types of reports (about 18 examples in each) and assertions Assertion based examples, as well as direct subject matter Need to be followed to get the seal</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Applicability Matrix updated </span></span><a href="http://www.webtrust.org/principles-and-criteria/docs/item85436.pdf"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>http://www.webtrust.org/principles-and-criteria/docs/item85436.pdf</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Current Status – updating/preparing</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> for RA Third Draft version being prepared Will have main principles similar to </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> and additional principles (appendices) for Baseline+NS, EV Strength of controls will be issue Reporting alternatives being discussed including SOC2 like, public report and impact on CA report</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Practitioner guidance for auditors Under development covering public and private CAs. Will provide examples of tools and approaches as best practices – please share if you have any in mind Draft expected Summer/Fall 2018</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Some new and old issues - Terminology CABF public post from Don and Jeff March 15, 2017 provided definition of</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>“Point In Time” - as of a given date Focused on the design and implementation of controls Effectiveness of controls not tested Audit report, example in our reporting guidance</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>“Period Of Time” - Minimum 2 months, max of 12 (not when auditors were there) Includes testing effectiveness of controls Audit report. Examples in our reporting guidance</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>“Readiness Assessment” = Consulting report – not an audit Report is for management and internal users only</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Some new and old issues: </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> for CA reports – should a more detailed version be created similar to SOC 2 (limited distribution/no seal) or report with detailed system description and controls Cloud computing Additional formalization of CPA Canada processes More detailed license and process for auditors, including international www.webtrust.org project to upgrade site is underway</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>CPA Canada (now)</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Reporting Structure/Roles</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Gord Beal – </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> falls into Guidance and Support activities of CPA Canada</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Janet Treasure – Seal system responsibility</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Bryan Walker –Licensing advisor</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Don Sheehy - Task Force and CABF liaison</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Jeff Ward - Chair of the </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> Task Force and primary contact</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- All Task Force members provide </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> services to clients</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>- Volunteers are supported by additional technical associates and CPA Canada liaison but report to CPA Canada</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>ETSI Update</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Ben</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.slideshare.net/ArnoFiedler/presentation-to-cabforumonetsistandards201803v5"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://www.slideshare.net/ArnoFiedler/presentation-to-cabforumonetsistandards201803v5</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>attachment:Presentation_to_CABForum_on_standards2018-03-V5.ppt</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Review of pending ballots</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Robin</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>206 - Governance reform</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>213 revocation timeline extension</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>219 clarify CAA</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>220 clarify purpose ...</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>219 now in discussion period<br>tried to make change with IETF but heard nothing back</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan Sleevi: IETF 6844 issues will be addressed at the IETF meet in the next months. We got to 5 different errata last time around to get it right.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Tim Holbeek: 6844bis specifically excludes this errata.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan: Is the process of understanding of 6844 ..</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Tim: I would like them to understand their process is a bit broken.<br>Ryan: worth poking the chair.<br>Tim: I want to get to know them and let them know there is an entire industry waiting on this.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Kirk - Is that ballot in the 7 day discussion period?</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Tim: Ballot 216 exists. Maybe we leave the discussion period open until after IETF.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan: Yes, lets talk to the chairs. If we extend a week, let's Tim and I follow-up.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>CT implementation issues</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Mads</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Mike asked about the feedback from the CA CT-survey.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan said they were using CCADB to collect responses to the survey and they had feedback from a lot of CAs. He said that the vast majority of CAs are ready to support CT and a few say no. Google will reach out to these.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>CAs are recommended to embed SCTs in the certificates, it’s not yet easy to use the TLS extension in all situations. Very few CAs plan to use OCSP extension, OCPS stapling allows to use this, bit OCSP stapling is slow to roll out.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Some CAs are using CA software supporting CT. Most commercial CA software vendors have support for CT. If there are any issues with your SW vendors regarding CT, please let us know.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>NIST Cryptographic Module Validation Program (aka FIPS 140)</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Ken</span><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level1 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>FIPS 140-1 issued on January 11, 1994 through a public/private working group. NIST established the Cryptographic Module Validation Program (CMVP) to maintain the working group and publication. Industry drives cryptographic development which can be seen in the latest NIST project to identify post-quantum algorithms. It is also a joint program with the Canadian equivalent program. FIPS 140-2 was issued on May 25, 2001 with very modest changes. The mission of the CMVP is to improve security and technical quality of cryptographic modules used by the Federal government.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level1 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Help with identifying and developing standards and support national laboratories. The CVMP Program teams with other national programs around the world. The CMVP program tests and validates commercial cryptographic products against government standards. An approved national lab tests the product and issue a report.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level1 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Industry perspective on CMVP. <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Long review cycles out of sync with product cycles and industry/customer needs. It is costly and rigid. Algorithm testing is not focused on security, but interoperability. Software is not covered and hardware testing is out-of-date.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>CMVP and CST Labs are concerned with their labor-intensive structure and approval model which requires an essay style application process and challenges in testing state-of-the-art products against aged testing rigs and requirements.<o:p></o:p></span></li></ul><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level1 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Agencies echo same challenges as industry. <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Long review cycles and difficult-to-understand validation reports make acquisition difficult.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Agencies can't find or use latest security products because they do not pass FIPS 140-2 testing which is a federal security requirement.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Another agency challenge is enabling FIPS mode that meets federal security implementation guidance.<o:p></o:p></span></li></ul><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level1 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>NIST may adopt ISO 19790 as the next FIPS 140. NIST standards may change, but the mission remains the same. US Government will continue to identify standards, but may get out of creating standards. An industry working group was re-started December 2015 and is open for participation by emailing </span><span style='mso-bookmark:_MailOriginalBody'></span><a href="mailto:aposol.vassilex@nist.gov"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>aposol.vassilex@nist.gov</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'>.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level1 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Developing a plan to re-organize the CVMP program in a phased approach to meet the industry and agency feedback. Primary update will be to tackle depth and scope of testing and leverage mature industry security development processes including automating and integrating testing into product development. Overall goal is to reduce cost, enable agile testing verification during product development, and reduce validation cycle. Powerful economic incentives for industry participation. NIST wants to move away from a point-in-time validation testing and evolve to a continuous testing approach aligned with product development. Is it possible for industry to cheat automated testing methods (VW problem). NIST has algorithm testing status on </span><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.cabforum.org/wiki/GitHub"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GitHub</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> (</span><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://github.com/usnistgov/ACVP"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://github.com/usnistgov/ACVP</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'>). Collaborating with industry partners already including Google Wycheproof. Intend to rollout automated testing platform in 2018 Q3 (April - June). Hope to also integrate with other validation programs such as common criteria which also may include a way to leverage existing validation certifications. NVLAP intend to implement third party or out-of-band audits of the automated testing results. Also collaborating with universities to independently verify validation modules in the field. Module testing status will be updated in a bottom-up approach. FIPS 140 is too big to change at once. Two active pilots with 3+ planned with status update at the October 2018 at the working group. The CVMP will introduce new testing for cloud providers. A draft proposal was released for public comment in February 2018. NIST is working through comments and the approach is to look at toolchain vs individual modules in tandem.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level1 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Q & A: <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>When you do automated testing but the module is still testing, does the module still need to go to the lab? When using automated testing it should not have to be redone by the lab. If algorithms change then the report goes back to NIST to confirm update.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Do you expect all FIPS 140-3 modules to be ISO 19790 compliant? NIST reserves the right for federal government approval so it's not a 1-for-1 right now. Testing requirements will be aligned eventually and other countries have adopted the ISO.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Should CAB Forum update guidance from FISP 140 or international standard to FIPS 140 or ISO 19790? Yes, it can be more specific.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Can you give us an overview of FIPS 140 and ISO 19790 differences? A lot of overlap, but minor differences. FIPS 140-2 and 3 have slight differences.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Are you working with military testing labs? Yes, we are and at least in the US the DOD references NIST standards. We plan to publish the code for the testing server and if another government wants to implement a similar automated approach they can use our code.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Talk about algorithm agility. Industry may have a requirement to use FIPS 140, but want to use other algorithms not included in FIPS 140? FIPS 140 is meant for federal government so that is our audience. We look at algorithms from that perspective and do not include commercial applications.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>There used to be allowed vs approved algorithms and it seems the program has moved away from that. Government has to use approved but allowed mode was flexible for commercial. Any feedback on expanding allowed vs approved mode? This may come down to requirement interpretation. The approved comes down to approved in government and not mandating algorithms for use outside the government. That is outside the scope of our program.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level2 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>Auditor interpret CAB Forum requirements to mean modules must be run in FIPS mode rather than you must use a FIPS approved module. NIST should look at providing clarity between the difference. Concerning to people if you aren't running in FIPS mode then your operation mode is not FIPS validated? Yes I see how that can be a difficult situation. This is one of things we may integrated into our automated testing and we plan to expand the number of algorithms and standards to make the process less rigid. <o:p></o:p></span></li><ul style='margin-top:0in' type=square><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level3 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>NIST - If there are algorithms that should be included, please let the NIST working group know about those algorithms so they can be considered.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level3 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>AWS - It's kind of on the fly because its random customer requests. They have their risk in using it but as industry I need the flexibility to allow them to use it using my FIPS approved module.<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l2 level3 lfo5;background:white'><span style='mso-bookmark:_MailOriginalBody'>FIPS validation levels are a concern of the CAB Forum. Which level is acceptable is which scenario? Online issuer doing high volume activity, offline CA doing very limited activity, etc? Federal PKI requires level 2 with level 3 hardware for physical protection. What is NIST intent or schema as it applies to assigning levels? Levels are assigned based on a threat model. As we go through this update effort we can do a better job in explaining the criteria for the levels. We hope to address this over time. This is something we struggled with and it can't be automated. We can solve this problem with specific inspection profiles and if you have ideas tell us! We don't have all the answers and only know what we know through either industry participation or requests and agency feedback. NIST may not have the bandwidth and expertise to solve all technical problems we just look at what's available sometimes and say "yes, that is fit for government".<o:p></o:p></span></li></ul></ul></ul><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Forum web site, current form/problems, what information we want to convey to the public</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Wayne Thayer</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Presenter: Dimitris</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><i><span style='color:black'>(Presentation)</span></i><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Current situation: Lots of manual updates for guidelines, ballots, and minutes. Some information is obsolete Some sections are not maintained Some information is duplicated</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Who is interested in the site / Who is the targeted audience?</span><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l5 level1 lfo6;background:white'><span style='mso-bookmark:_MailOriginalBody'>CAs<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l5 level1 lfo6;background:white'><span style='mso-bookmark:_MailOriginalBody'>Auditors<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l5 level1 lfo6;background:white'><span style='mso-bookmark:_MailOriginalBody'>Relying parties<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l5 level1 lfo6;background:white'><span style='mso-bookmark:_MailOriginalBody'>Interested parties<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l5 level1 lfo6;background:white'><span style='mso-bookmark:_MailOriginalBody'>Media<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l5 level1 lfo6;background:white'><span style='mso-bookmark:_MailOriginalBody'>Members (versus the wiki)<o:p></o:p></span></li></ul><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><i><span style='color:black'>(Discussion)</span></i><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Kirk: trying to be topical will result in news that’s always out of date</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan: Given current structure of the CAB Forum, CA information will always be out of date. CCADB provides better incentives for keeping this type of information up to date.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Tim: the website is for participants - CAs, Auditors, and Interested Parties</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Frazier: Provide link to CCADB</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan: Disagree</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Robin: Providing links to authoritative sources is fine</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan: The link to CCADB isn’t authoritative for all root stores. If you give some information, people expect you to give all information. “Useful links” will grow to be unmanageable.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Dimitris: Website should contain static information except for primary activities of guidelines, ballots, and minutes.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan: Suggest allowing members to share whatever information they choose, maintained by the member.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Dimitris: Don’t want to give update access to every member</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan: Okay, just give every member a link</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Dimitris: Who is the audience? Not auditors.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Tim: “Participants” are the audience</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan H: Recommend moving from Wordpress to </span></span><a href="https://www.cabforum.org/wiki/GitHub"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GitHub</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Ryan: There is an upfront investment that will pay dividends over time</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Next steps:</span><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l3 level1 lfo7;background:white'><span style='mso-bookmark:_MailOriginalBody'>Remove duplicate information<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l3 level1 lfo7;background:white'><span style='mso-bookmark:_MailOriginalBody'>Update useful pages<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l3 level1 lfo7;background:white'><span style='mso-bookmark:_MailOriginalBody'>Automate maintenance tasks<o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-bottom:11.0pt;line-height:normal;mso-list:l3 level1 lfo7;background:white'><span style='mso-bookmark:_MailOriginalBody'>etc.<o:p></o:p></span></li></ul><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Conclusion: work toward moving website to </span></span><a href="https://www.cabforum.org/wiki/GitHub"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>GitHub</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>. Ryan H., Tim, and Wayne offered to help.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>CCADB Update</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Mike</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>· Demo of automated audit letter validation (ALV) capability was provided by Microsoft.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>· CAs can now run this validation tool themselves to self-check that their audit letters meet requirements. It provides a report of the issues found which can be shared with the CA’s auditor to fix the errors. This is not required at this time, but will be in the near future</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>· Text readable PDF files will work the best in the tool. Please verify that the thumbprints for the roots in scope are in the audit letter.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>· If you have questions when using the tool please email CCADB () or your root store operator directly for clarification</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>· Q: Webtrust has 70-80 formats and can this tool read all those formats? Yes, it can as long as the audit letter follows the published format and is in a text readable PDF format.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>· Q: Can we provide good templates to share which run through the system well? A: Yes, the templates on the </span></span><a href="https://www.cabforum.org/wiki/WebTrust"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#666666;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>WebTrust</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'> site work well. We are working to get better ETSI templates for those that use this audit standard</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>CA Incident Reporting</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Bruce Morton</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Where should users report certificate incidents? Currently a user will find bad certificate, then must find the CPS and then find the place to report incident.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Why not report incident address in the end entity certificate? The was some push back as this will increase size of certificates for a very low use case.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>The BRs do not state the place to report is in the CPS. Should BRs specify where? Wayne proposes that a a specific statement must be put in the CPS 1.5.2 and also put place in repository.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note the CCADB has list for all CA's but this is best for CA's, browsers and researchers, but not good for common users. See </span></span><a href="https://ccadb-public.secure.force.com/mozilla/AllProblemReportingMechanismsReport"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://ccadb-public.secure.force.com/mozilla/AllProblemReportingMechanismsReport</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Phil states that he is reviewing another standard and would like consistency, see </span></span><a href="https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt-17"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt-17</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>. Phil also stated that we could create an email address similar to mailto from CAA. Phil followed up with a proposal, see </span></span><a href="https://cabforum.org/pipermail/public/2018-March/013073.html"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://cabforum.org/pipermail/public/2018-March/013073.html</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>News from the Council of Accredited Conformity Assessment Bodies (ACAB-c) on Harmonized audit attestation presented by Philipp Bouchet from ACABc Member LSTI France and Mattias Wiedenhorst ACABc Member TÜVIT</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: Arno</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>ACAB-c is a non-profit organisation founded in 2016 for Conformity assessment bodies (CABs) accredited by a EA (</span></span><a href="http://www.european-accreditation.org/"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>http://www.european-accreditation.org/</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>) according to ISO/IEC 17065 AND eIDAS Art. 3 No. 18 with scope of accreditation in the area of electronic identification and trust services for electronic transactions. Strategic goal is the cooperation with eIDAS relevant Organisations, CA/B-Forum and Browsers. Members are obliged to fulfil an ACAB-c “Code of Conduct”. In Europe 20 accredited Conformity Bodies are active, now seven are in negotiations with ACAB-c</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>At the last Meeting in Paris they agreed about a template for an Audit Attestation Letter containing “Clean audit”, Contact Information identifying TSP ; Root, Audit Type and period. Separate Attestation is needed for each Root CA. Wayne says it seems to be complete, Matthias thanks Kathleen for advice. Arno reports that ETSI plans to updates 319 403 accordingly</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Discussion about Public availability of the AAL-Form:</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Arno says that ETSI ESI doesn’t define the design of a form, that’s done by ACAB-c, the Form can be provided by the Browser,but the usage of the Form with the ACAB-c Logo is restricted to ACAB-c Members.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Mike says that Microsoft will think about making the ACAB-c Form mandatory</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Matthias says that the Audit Attestation Letter SHALL be provided in English language and reminds that CA’s remain responsible for their audits and have to cooperate with and provide the necessary information to the auditors.</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'></span><a href="https://www.slideshare.net/ArnoFiedler/20180308-cabf-acabcpresentationv2"><span style='mso-bookmark:_MailOriginalBody'><span style='color:#0044AA;border:none windowtext 1.0pt;padding:0in;text-decoration:none'>https://www.slideshare.net/ArnoFiedler/20180308-cabf-acabcpresentationv2</span></span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Guest Speaker - Rep. Jim Langevin (D-RI), House Armed Services Committee and Homeland Security Committee (no Minutes)</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><span style='color:black'>Note Taker: No notes for this segment</span><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Review accomplishments/list of tasks/thank you to hosts</span></b><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.0pt;line-height:normal;background:white'><span style='mso-bookmark:_MailOriginalBody'><b><span style='color:black'>Adjourn</span></b><o:p></o:p></span></p></div></body></html>