<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.m-6990807131405490681msolistparagraph, li.m-6990807131405490681msolistparagraph, div.m-6990807131405490681msolistparagraph
{mso-style-name:m_-6990807131405490681msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I believe topic #3 as I have listed it below fairly presents your request on the Sept. 20 teleconference call, as it covers what you said you wanted to discuss – “<span style="color:black">Problems
faced by root programs from existing WebTrust/ETSI reports and terminology.” You didn’t request #1 or #2 because I was the one who thought of adding those segments when drafting the Agenda – this is intended as an introduction to existing audit/report types
from the people who actually run WebTrust and ETSI to help educate the Members in the room so they can then fully understand the remaining topics #3 - #5.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">You didn’t request #4 – Wayne did that at the WebTrust meeting in San Jose on Sept. 11, and I made a note at that time. So I think it’s appropriate to let Wayne
present his ideas.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Finally, while you did raise a different interpretation of our membership rules on our Sept. 6 teleconference than we have followed in the past (you said you thought
a Point in Time audit is enough for a CA applicant to qualify for full membership under the current Bylaws, which is not what we have done in the past or what the members said they wanted in the Doodle poll) I was actually the person who raised the question
of what form of audit is required for membership during that call. Because Dimitris will be taking over new membership requests in November, it makes sense for him to present that issue.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">But I will remove Dimitris as a Moderator for the five issues – each presenter can be the moderator of his own topic. And I will remove Wayne as a co-presenter
with you on #3 and make you sole presenter – but I know Wayne also said he was having problems with some forms of audit reports, so I hope you will let him add his input during #3.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">If you want to suggest different wording for your #3 below, please let me know and I will include it on the Agenda. How much time would you like for this segment?</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Discussion of Audit Terminology, Problems, Ideal Life Cycle for Root CA Audits</span></strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">
<o:p></o:p></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">#1 Types of audits/reports under <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> and
their terminology Jeff, Don<o:p></o:p></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">#2 Types of audits/reports under ETSI and their terminology Arno, Clemens, Phillipe<o:p></o:p></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">#3 Problems faced by root programs from existing WebTrust/ETSI reports and terminology Ryan, Wayne<o:p></o:p></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">#4 Ideal audit life cycle – birth to death of a new CA Wayne<o:p></o:p></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">#5 Forum membership rules Bylaws Sec. 2.1 – Audit requirements Dimitris<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Sent:</b> Saturday, September 22, 2018 8:12 PM<br>
<b>To:</b> Kirk Hall <Kirk.Hall@entrustdatacard.com>; CABFPub <public@cabforum.org><br>
<b>Subject:</b> [EXTERNAL]Re: [cabfpub] Proposed Shanghai Agenda covering audit issues<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Kirk,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I appreciate this attempt, but this wasn't what I was requesting. Could you clarify that you're not willing to schedule the sessions as I'd requested / and/or appointing other facilitators for those discussions?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I specifically was requesting to present on #1, #2, #3, and #5. I believe the recordings will show that.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is a critically important area for Google, and while we welcome participation, the request for the sessions, as made on the call, stands, with Google facilitating the discussion.<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Sat, Sep 22, 2018 at 3:19 PM Kirk Hall via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On our SCWG call this week, Ryan, Wayne, and others suggested we take time in Shanghai to talk about the audit programs, their different forms of audits and reports, their terminology,
and problems that browsers are encountering. Wayne also indicated he wanted to discuss an “ideal audit life cycle” for a new trusted root from birth to death. This seems like a great topic for us.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We can also talk about how we want to interpret our current Bylaws Section 2.1 on Forum membership requirements – what type of audit reports are required, and whether we need to
clarify Bylaws clarifications.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’ve asked Dimitris to be the Moderator on these topics to make sure we stay on schedule and following a logical progression.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We would still have the regular auditor updates before this discussion – that’s just the place where WebTrust and ETSI can give us the most recent program news.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Here is my proposed Agenda breakdown. Comments are welcome.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">*****<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">1. Types of audits/reports under
<u>WebTrust</u> and their terminology, including new CAs and new audit/report types (Jeff, Don). A summary reference table would be welcome.
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">2. Types of audits/reports under
<u>ETSI</u> and their terminology, including new CAs and new audit/report types (Arno, Clemens). A summary reference table would be welcome.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
[Jeff/Don/Arno/Clemens – do you think you can also prepare a summary comparison table of the different WebTrust and ETSI audits and reports, showing which are roughly “equivalent”, which are not, and the main differences?]<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">3. Problems faced by root programs from existing WebTrust/ETSI reports and terminology, including for new CAs (Ryan, Wayne)
<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Oddball report types received<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Common issues/misunderstandings by new CAs<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Recommendations on standard terminology to be used (if any)<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Recommendation for clarification on audit requirements in <b><u>current</u></b> BRs, root programs to eliminate misunderstandings, adopt common terminology<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">4. Ideal audit life cycle – birth to death of a new CA (Wayne – also Ryan, or Mike, or Geoff)
<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Description of ideal cycle (with timelines, multiple use cases) – not necessarily what is required today by BRs, WT/ETSI, root programs, but what browsers would like to see<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Once there is consensus on ideal life cycle, how do we get there? Via BRs or via root programs (or both)?
<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Proposals for BR amendments to reach ideal life cycle<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Do we need to better align BRs and root program rules?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">5. Forum membership rules Bylaws Sec. 2.1 (Dimitris)
<o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>What does the Forum *<b>want</b>* the audit requirements to be based on different level of membership (Associate Member, Member). See
<a href="https://cabforum.org/pipermail/public/2018-April/013259.html" target="_blank">
https://cabforum.org/pipermail/public/2018-April/013259.html</a> <o:p></o:p></p>
<p class="m-6990807131405490681msolistparagraph"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Potential amendments to Bylaws to clarify audit requirements for Associate Member, full Member status. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</body>
</html>