<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-text-html" lang="x-western">
<div class="WordSection1"><br>
These are the Final Minutes of the Teleconference described in
the subject of this message.
<h2 class="MsoNormal">Attendees (in alphabetical order)</h2>
Anna Weinberg (Apple), Arno Fiedler (D-TRUST), Ben Wilson
(Digicert), Bruce Morton (Entrust Datacard), Chris Kemmerer
(SSL.com), Dean Coclin (Digicert), Dimitris Zacharopoulos
(HARICA), Doug Beattie (GlobalSign), Dustin Hollenback
(Microsoft), Enrico Entschew (D-TRUST), Janet Hines (Trustwave),
Frank Corday (Trustwave), Geoff Keating (Apple), Gordon Bock
(Microsoft), Inaba Atsushi (GlobalSign), India Donald (US
Federal PKI Management Authority), Iñigo Barreira (360 Browser),
Joanna Fox (GoDaddy), Kenneth Myers (US Federal PKI Management
Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa
Telecom), Mahmud Khair (Trustwave), Michelle Coon (OATI), Neil
Dunbar (TrustCor Systems), Niko Carpenter (Trustwave), Rich
Smith (Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google),
Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek
(Digicert), Tim Shirley (Trustwave), Tomasz Nowak (Opera
Software AS), Trevoli Ponds-White (Amazon), Vijayakumar (Vijay)
Manjunatha (eMudhra), Wayne Thayer (Mozilla).<br>
<h2 class="MsoNormal">Minutes <br>
</h2>
<h3> 1. Roll Call<br>
</h3>
The Chair took attendance.<br>
<h3 class="MsoNormal">2. Read Antitrust Statement<br>
</h3>
<p class="MsoNormal">The Antitrust Statement was read.</p>
<h3 class="MsoNormal">3. Review Agenda<br>
</h3>
<p class="MsoNormal">Today's Agenda was approved.</p>
<p class="MsoNormal"> </p>
<h3 class="MsoNormal">4. Approval of Minutes of previous
teleconference</h3>
The minutes of the January 10, 2019 teleconference were approved
and will be posted to the Public list and the Public web site.<br>
<p class="MsoNormal"> </p>
<h3>5. Forum Infrastructure Working Group update</h3>
<p>The Infrastructure Working Group had a short call and
basically repeated items from the previous meeting. E-mails
have been sent to some members kindly asking for some virtual
infrastructure to host the CA/B Forum services (namely the
wiki, mailman, wordpress) but there have been no responses
yet.</p>
<p>A new DokuWiki instance has been launched by Jos and is being
tested. A test WordPress instance launched by Daymion has been
created by cloning the existing cabforum.org web site. This
WordPress instance is part of a GoDaddy managed solution.<br>
</p>
<h3 class="MsoNormal">6. Follow-up on new WG Charters (Code
Signing, S/MIME) <br>
</h3>
Ben reported that he received only positive feedback for the
Code Signing Charter, and he is looking for endorsers.<br>
<br>
The S/MIME charter has triggered some discussion. He has made
several updates to this document and would prefer that others
send new drafts with the language they would like to see. Ben
proposed that people who want to be added to the small group of
members working on that draft send him an email.<br>
<br>
Dimitris suggested that these drafts are in pretty good shape
and that it would be best if they were circulated on the public
list for more discussion and review. These drafts could also be
uploaded to Google Docs, which makes it easier for people to
comment and offer suggestions.<br>
<h3 class="MsoNormal"
style="mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in">7.
Upcoming F2F 46 meeting March 12-14, 2019 (hosted by Apple)</h3>
<br>
Hotel information is on the wiki. Geoff mentioned that we should
primarily contact Curt for more information about the meeting.
Kirk mentioned that the hotel rate is available for booking <b>until
February 12th</b>, which is posted on the wiki. Dimitris will
send a reminder to the management list about the hotel
reservation deadline. The meeting will take place at either
"Infinite Loop" or "Apple Park". Any hotel in this area would be
convenient for both possible locations.<br>
<h3 class="MsoNormal"
style="mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in">8.
Any Other Business</h3>
None.
<h3 class="MsoNormal"
style="mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in">9.
Bylaws and existing Charters update </h3>
<br>
Wayne led the discussion and started by reminding participants
that a Google Document was published to the management list.
This document includes proposed changes and comments to various
sections of the Bylaws that have been identified as problematic
or ambiguous in the past. A small group of people worked on this
document, which is now considered mature enough to be discussed
by the larger group of Members. Since there is no special
subcommittee to work on this topic, as agreed on our last call
we will use the CA/B Forum time to discuss the Bylaws in more
detail. Wayne asked members for their opinion on whether these
changes should be brought forward in one ballot or split into
smaller ballots, and on whether this discussion should take
place on the public list or not.<br>
<br>
The first change is adding a section that allows the creation of
a subcommittee at the Forum level. It seems that the current
Bylaws allow the creation of Subcommittees only at the CWG level,
and that is because of possible IPR issues. Kirk did an analysis
of the IPR Policy version 1.3 and also sent an e-mail to the
public list with his analysis. One of the key elements is that
it is very clear that the IPR Policy applies only to Working
Groups that are working on Guidelines. Kirk read some quotes
from the overview that support this interpretation. The
conclusion of his analysis is that unless the Forum level starts
working on Guidelines, the IPR agreement doesn't really apply to
work done at the Forum level.<br>
<br>
Wayne repeated that the concern was that there is no IPR
protection at the Forum level, so we need to make sure that when
a subcommittee is created at the Forum level, that subcommittee
will not introduce IP that might end up in a Guidelines
document. The proposal is described in a new section 5.6.
Another option would be to specify Forum-level Subcommittees
directly in the Bylaws, for example a "Bylaws Subcommittee" for
amending the Bylaws or an Infrastructure Subcommittee.<br>
<br>
Ryan mentioned that they had discussions with their legal
counsel and confirmed these concerns about IP-related issues at
the Forum level. He mentioned that if we go forward with
creating a Subcommittee, whether directly in the Bylaws or by
Ballot, besides checking all sections of the Bylaws for
consistency, we would have to explicitly state that this
Subcommittee shall not produce any Guidelines that might create
IP commitments. That would address the majority of issues Google
had with this topic.<br>
<br>
Ben and Dimitris agreed. Dimitris mentioned that he had proposed
something similar, but scoping the entire Forum level to
explicitly not produce any Guidelines and leaving this work only
to Chartered Working Groups.<br>
<br>
Ryan mentioned that this is mostly captured in the Bylaws, where
all activities related to IP commitments are done explicitly in
Working Groups that come with the IP protection. He said that
there are two parts we need to check:<br>
- making sure the IP commitments are clear, which led to
Google's concerns over Code Signing because the IP commitments
under the old structure were not clear<br>
- making sure that we are not developing documents or standards
without clear IP commitments, and making sure we are not
producing documents, Guidelines, bindings, recommendations
(whatever the name is) that others might be bound to.<br>
<br>
Wayne summarized that a reasonable approach would be to make
this explicit in the section for Forum-level subcommittees and
so resolve the problem. Wayne asked Ryan to help draft the
language to "forbid working on Final Guidelines or Final
Maintenance Guidelines" and possibly on technical matters that
might introduce IP commitments.<br>
<br>
Kirk pointed out that the IPR Policy is related to Guidelines,
and we should be careful not to forbid technical discussions in
general at the Forum level.<br>
<br>
Wayne moved to section 2.1 on Membership qualifications, and the
group discussed the requirement for "clean" audits. Wayne's
personal opinion is to not require "clean" audits, but he also
stated that it is generally agreed that the Forum should not be
making decisions about which non-conformities or qualifications
might be acceptable or not.<br>
<br>
Ryan mentioned that this is a challenging topic because a CA
could scope their WebTrust engagement in such a way that it
doesn't include any validation activities and still get a
"Successful" audit. Google's opinion is also to not require
"clean" audits.<br>
<br>
Dimitris mentioned that the current Bylaws describe in section
2.2 a process where a Member might be suspended if their audit
is challenged and they cannot produce a clean audit report for
15 months, and he is trying to understand where this came from
and what the intent was. Ryan corrected that the intent was for
CAs to produce qualifying audit reports continuously, and the
Bylaws make sure this is maintained without requiring "clean"
reports.<br>
<br>
Dimitris asked if members are OK with accepting audit reports
that include qualifications and major non-conformities as their
membership-qualifying audit report.<br>
<br>
Ryan said that it is not ideal, but that's the current reading of
the Bylaws. Ryan mentioned the Seal program requirements for
WebTrust, which require "clean" audits and defer to CPA Canada
for the "subjectivity" of qualifications and how to interpret
those.<br>
<br>
Dimitris replied that perhaps we don't need a seal, and there is
no need for subjectivity on the Forum's side, but just an audit
report that states that "the management assertion is fairly
stated in all matters" (or something similar), which is commonly
used in WebTrust reports with no qualifications, and similarly
with ETSI for reports with no major non-conformities. He thought
that this would be ideal. Ryan agreed it would be ideal, but he
described issues about audit scope. Also, for WebTrust there are
different reporting templates that can be used depending on the
framework. He also worries that if we enforce this "clean" audit
requirement for CA/B Forum Membership, it would discourage CAs
from reporting non-conformities for the sake of transparency, or
drive them to choose auditors that don't report
non-conformities. Wayne also supported the idea of reporting
non-conformities for increased transparency. Wayne thinks the
Forum must be more inclusive, and CAs that went to the trouble
of an audit and got an audit report should be given the
opportunity to participate in Forum activities.<br>
<br>
Wayne summarized that unless there were objections, he would
remove the words "Successful" and "Clean" and just require an
audit report.<br>
<br>
Kirk asked whether the word "current" for an audit report needs
to be specified more precisely. Wayne agreed and proposed
language that the audit report "must be issued within 15 months"
or something similar. No concerns were raised with this
recommendation.<br>
<br>
Ben raised the question of whether these audit reports need to
be publicly available, because some CAs might have audit reports
they don't want to disclose. Ryan had the same concern and asked
that we explicitly require them to be public, so that at least
the Forum can evaluate whether they meet the membership
requirements.<br>
<br>
Wayne introduced the next item, which is the period-of-time vs.
point-in-time audit requirement that qualifies a Certificate
Issuer for Membership. He mentioned that we need to at least
specify what the minimum for this period of time should be.
Currently CA members need a period-of-time audit to be
considered for Full Membership and a point-in-time audit to be
accepted as an Associate Member.<br>
<br>
Ryan mentioned that there is an issue with ETSI because it
doesn't have a notion of point-in-time or period-of-time; there
is only some guidance from ACAB'c. But regardless of that, he
was curious about the underlying intent that we are trying to
capture with this requirement, especially when a CA can get an
audit report with fewer principles and criteria (scoping down
the audit requirements).<br>
<br>
Wayne also raised the issue of requiring that CAs "actively
issue certificates", which a point-in-time audit definitely
can't capture.<br>
<br>
Ryan repeated the case where a CA can carve out certain sections
of the WebTrust Principles and Criteria and still produce a
clean audit report. He added that in the Microsoft Root Program a
point-in-time audit is considered sufficient for inclusion; the
CA then has 2 months before producing a period-of-time audit and
3 months before this report is issued. So, as a CA, you would be
able to issue publicly-trusted certificates without having a
period-of-time audit report. So there is a gap, which could be
solved if we required for example 5 months before a CA is
accepted in the Forum; and if we do, what is the difference that
we are trying to capture with this requirement?<br>
<br>
Wayne said that it boils down to precedent; this is how the
Forum has gone about this so far.<br>
<br>
Gordon likes the idea of Associate Membership for a CA that only
has a point-in-time audit, and explained that the whole idea of
Microsoft accepting a point-in-time audit is to bootstrap CAs.
That's why Microsoft requires a period-of-time audit three
months later. Similarly, for the Forum, such a CA would become a
Full Member three months later when they submit a period-of-time
audit report. He had questions about the ETSI program and how it
maps to the WebTrust terminology of point-in-time and
period-of-time audits.<br>
<br>
Dimitris mentioned that in practice ETSI audits are effectively
period-of-time audits, even when the audit is performed for the
first time. Current practice requires CAB review of at least 60
days of operations before the CAB can issue Certification. Ryan
said that this is not formalized in the ETSI criteria or the
audit standards. WebTrust has explicit guidance that requires a
minimum of 60 days of audit period for a period-of-time audit.
He realizes that ACAB'c has provided guidance and the new ETSI
drafts try to capture some of these requirements. He believes
that ETSI is somewhere in between point-in-time and
period-of-time because of other jurisdictional factors, like NAB
and Supervisory Body rules, that come in addition to the
existing criteria.<br>
<br>
Wayne proposed a way to address that: substitute "period-of-time"
with something like "covering a period of at least 60 days", but
the question is whether we want that or not. There seem to be
different opinions, and this discussion will probably have to
continue on the public list. Kirk mentioned that he supports the
current precedent.<br>
<h3 class="MsoNormal">10. Next call</h3>
<p class="MsoNormal">February 7, 2019 at 11:00 am Eastern Time.</p>
<h3 class="MsoNormal">Adjourned</h3>
<p class="MsoNormal"><br>
</p>
</div>
</div>
</body>
</html>