[cabfpub] Final Minutes for CA/Browser Forum Teleconference – August 17, 2017

[Kirk Hall]

Final Minutes for CA/Browser Forum Teleconference – August 17, 2017 (approved Aug. 31, 2017)

Attendees: Atsushi Inaba (GlobalSign),  Ben Wilson (DigiCert),  Connie Enke (SwissSign),  Dean Coclin (Symantec),  Doug Beattie (GlobalSign),  Frank Corday (Trustwave),  Geoff Keating, (Apple),  Gervase Markham (Mozilla),  JC Jones (Mozilla),  Jeff Ward (WebTrust),  Jos Purvis (Cisco),  Kirk Hall (Entrust),  Mike Reilly (Microsoft),  Neil Dunbar (Trustcor),  Peter Bowen (Amazon),  Peter Miscovic (Disig),  Ryan Sleevi (Google),  Steve Medin (Symantec),  Tim Hollebeek (Trustwave),  Tyler Myers (GoDaddy),  Virginia Fournier (Apple),  Wayne Thayer (GoDaddy).

1.    Roll Call

2.    Read Antitrust Statement

3.    Review Agenda.  Agenda was approved.

4.    Approve Minutes of F2F meeting of August 3, 2017.  The minutes were approved and will be posted to the Public list.

5.    Governance Change Working Group.  Virginia noted she had sent out updated drafts of the Bylaws amendments and IPR Agreement in a recent email for members to review.  The WG had recently discussed the form of charter for the first new Working Group to be formed under the new governance structure, a Server Certificate Working Group, that would take over all the substantive issues covered by the Forum today, and has created an FAQ to summarize what’s in all these documents.  Kirk noted the new governance structure documents look fairly complete, and asked what would happen next.  Virginia said the final documents would not be submitted for approval until ready, which was not yet.  Kirk suggested that the members continue to review and comment, and maybe the proposal goes to ballot right after Labor Day in the US, which is Sept. 4.

6.    Validation Working Group update.  No update.

7.    Policy Review Working Group update.  No update – the most recent WG meeting date was cancelled due to holiday schedules.

8.    Network Security Working Group update.  Kirk noted that the WG had created a tracking poll for members to rank the most important changes that had to be made to the Network Security (NetSec) requirements, and the results were very useful.  Peter mentioned that Ballot 210 is intended to address the easiest and most useful changes to the NetSec requirements that the Forum can make now, and is in the discussion period.  Some parts of the proposal were not dropping standards, but instead were intended to clarify what today are confusing requirements.  He added that the WG had recently discussed what the long-term plan should be for revising the NetSec requirements.

Kirk asked if the WG had reached a decision of whether to move from the current NetSec requirements to a new outside standards document, or instead to focus on revising the current NetSec standards.  Peter said that on the last call, the consensus was not to move to a new external standard but instead to revise the current standards.  Kirk recalled that BDO did a great job of mapping the NetSec requirements to the CSC (Critical Security Controls) requirements, but there were lots of gaps.  Dean said there was no magic fit from any other standards document to our needs, so it will be best to improve what we have – that’s why Ben sent the poll asking members to prioritize where they thought improvements were most needed in the current NetSec standards.  Jeff said that the WebTrust Task Force had already started drafting amendments to the BR NetSec WebTrust criteria to deal with these changes.

9.    WebTrust Task Force request for review of WebTrust for CAs v2.1 changes.  Kirk gave an overview of prior discussions on this issue, and asked Jeff if the WebTrust Task Force had found time to respond to the comments received from Tim and others.  Jeff recalled that four weeks ago the WebTrust Task Force introduced its planned changes in WebTrust for CAs (WT4CA) v2.1, which focused on Sec. 4.5 and new Sec. 4.9-4.10.  He noted that most of the questions and comments focused on the Illustrative Controls included in the WT4CA draft, which are not prescriptive on the CA or auditors and so may not need modification in response to comments.  He also pointed out the WT4CA standards are for both public and private CAs, so not all Illustrative Controls will apply in every situation.  However, some changes have been made to the v2.1 draft, and he will forward that to the Forum later in the day for review.

10.  Ballot Status – There were no comments.

11.  Any Other Business.  There was no other business.  Kirk again reminded members who planned to attend the next F2F meeting hosted by Chunghwa Telecom in Taipei to make hotel reservations by the end of August to receive the group discount.

14.  Next call August 31, 2017

15.  Adjourn


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170901/3db38fa0/attachment.html>