<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Ryan, I’m glad you referred to our Sept. 20 SCWG teleconference in your message below, and what was said there. I went back to listen and I prepared draft Minutes on the Shanghai
Agenda/audits issues portion. (I’m sending those Minutes to the Management list because they have not yet been approved for publication on the Public list.) I also included a link in that message to the recording so interested members can confirm for themselves
what was said on the call.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The recording and draft Minutes of our Thursday teleconference do not support your recollection of the call as presented below. Here are the main takeaways from the 15-minute
discussion on the call.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I asked if anyone had Agenda items to propose for the Shanghai meeting. You suggested the Forum discuss
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">the process for inclusion of roots in browser root programs from the auditing standpoint, the audits required from birth to death of a CA, and the variety of program requirements in place
that require different things. You said clarity and consensus on that and related verbiage would be useful, and this also applies to reworked language in BR 8.1 and 8.2 and confusion around performance audits. You thought these issues could take at least
an hour of time at the meeting, and that 30 minutes might be necessary to get everyone on the same page concerning audit vocabulary, as some people use phrases that don’t match with professional terms. You said the goal was to reach a common understanding as well
as diagramming what the expected process should look like with the appropriate audit schemes recognized. You did not initially say you wanted to be a presenter or the sole presenter on all these related issues.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Jeff Ward of WebTrust said he and Don Sheehy were planning on covering those issues from a WebTrust standpoint during their update report, which would take about
an hour. He said they would not be talking about what the browser root programs should or should not require from CAs.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Kirk said the topic of the CA audit lifecycle from birth to death was aspirational and a separate issue from the audit problems encountered today, and that Wayne
already said he wanted to present on that topic at the Sept. 11 WebTrust meeting in San Jose. Wayne confirmed he wanted to present that topic at the Shanghai meeting. You offered to do it if he didn’t want to do it, and he said the two of you could work
together.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">There was more discussion where you said that current audit problems and ideal life cycle were the same issue. Wayne disagreed, and said the topics were related
but should be treated as separate topics.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Dimitris said that discussing the Bylaws audit requirements for Forum membership should be deferred until after you and Wayne had made your presentations, and maybe
should be combined with discussion of all the other pending Bylaws we have.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Arno Fiedler representing ETSI said ACAB’s representatives would be at the Shanghai meeting, and would like to present ETSI’s perspective.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">At the end, I asked if you wanted to be the presenter of a segment of these issues, and you said yes, that was what you were initially proposing. You did not say
you wanted to be the sole presenter of all the issues discussed.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I said that I would put together something for the Agenda on these issues.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">So on last Thursday’s call, we had requests to be presenters on these related issues by Jeff/Don (WebTrust), Arno/Clemens (ETSI), Wayne (Life Cycle of a CA), and you. Dimitris
recommended we treat the Forum audit requirements for Membership along with other pending Bylaws issues but after these initial presentations.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">That’s pretty much how I broke things down on my Agenda proposal on Friday. I think we will all benefit the most if we start with a simple explanation and listing from WebTrust
and ETSI (issues #1 and #2) of their current audits and reports as a refresher for the members on what comes next. You have complete control of the problems the current audit systems are causing for browsers, including helping us understand and use the right
vocabulary (issue #3). If Wayne wants to pull you in on his presentation on the ideal life cycle for a CA from birth to death (issue #4, which I understood focuses in part on different issues than current browser), that’s fine with me – the two of you can
refashion issues #3 and #4 as you please, and just give me the new descriptive text for the Agenda. Finally, as Dimitris and I agreed on the call, the question of how our Bylaws on audit requirements for membership should be interpreted or amended (issue
#5) should be discussed later, as a separate matter after you and Wayne have made your presentations. I’d like Dimitris to handle issue #5 as the presenter, as he will be the person speaking for the Forum on new membership applications starting November 1
when he takes over as Chair.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Again, anyone who wants more details on our Thursday discussion of these issues can look at the draft Minutes I’m sending on the Management list.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Sent:</b> Sunday, September 23, 2018 11:26 AM<br>
<b>To:</b> Kirk Hall &lt;Kirk.Hall@entrustdatacard.com&gt;<br>
<b>Cc:</b> CABFPub &lt;public@cabforum.org&gt;<br>
<b>Subject:</b> [EXTERNAL]Re: [cabfpub] Proposed Shanghai Agenda covering audit issues<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On Sun, Sep 23, 2018 at 1:59 PM Kirk Hall &lt;<a href="mailto:Kirk.Hall@entrustdatacard.com">Kirk.Hall@entrustdatacard.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I believe topic #3 as I have listed it below fairly presents your request on the Sept. 20 teleconference call, as
it covers what you said you wanted to discuss – “<span style="color:black">Problems faced by root programs from existing WebTrust/ETSI reports and terminology.” You didn’t request #1 or #2 because I was the one who thought of adding those segments when drafting
the Agenda – this is intended as an introduction to existing audit/report types from the people who actually run WebTrust and ETSI to help educate the Members in the room so they can then fully understand the remaining topics #3 - #5.</span></span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Kirk, I do not believe it to be fairly presented. If there is any confusion, it's no doubt because you were interjecting during my description of the session to indicate you did not believe it would be necessary, as you felt it would take
"60 seconds, at best".<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I felt there was a clear request for a session, of 60 to 90 minutes length, by Google, to cover these topics. Do you believe that request - the first thing that was asked for - was unclear? At several times during the call, you attempted
to suggest different topics of discussion, or why you felt they were not necessary, and again, the request was made.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">You didn’t request #4 – Wayne did that at the WebTrust meeting in San Jose on Sept. 11, and I made a
note at that time. So I think it’s appropriate to let Wayne present his ideas.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Finally, while you did raise a different interpretation of our membership rules on our Sept. 6 teleconference
than we have followed in the past (you said you thought a Point in Time audit is enough for a CA applicant to qualify for full membership under the current Bylaws, which is not what we have done in the past or what the members said they wanted in the Doodle
poll) I was actually the person who raised the question of what form of audit is required for membership during that call. Because Dimitris will be taking over new membership requests in November, it makes sense for him to present that issue.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">While perhaps that's the case, if you also recall, on our previous call, I indicated that I have been working with both ETSI and WebTrust to address the issues arising from your misunderstanding and misrepresentation - of the Doodle poll
and of the respective audits. Happy to revisit that with you, if you felt it was unclear that this was a topic that Google was actively working on.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">But I will remove Dimitris as a Moderator for the five issues – each presenter can be the moderator of
his own topic. And I will remove Wayne as a co-presenter with you on #3 and make you sole presenter – but I know Wayne also said he was having problems with some forms of audit reports, so I hope you will let him add his input during #3.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">If you want to suggest different wording for your #3 below, please let me know and I will include it
on the Agenda. How much time would you like for this segment?</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I again reiterate the request that was made on the call, for 60 - 90 minutes for a session, prior to the discussion about future expectations, to include both a presentation based on discussions Google has been having with browser representatives
and auditor members, to bring clarity to these matters.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Can you ensure that such a thing is scheduled? Or do you believe your schedule is the only way to get this on the agenda?<o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>