[cabfpub] Final Minutes for CA/Browser Forum 45th F2F meeting October 17, 2018

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Nov 23 17:32:37 UTC 2018

These are the Approved Minutes of the 45th F2F meeting in Shanghai for 
the CA/B Forum session.


    Day One – 17 October 2018

*Attendees on October 17, 2018:* Iñigo Barreira, 360; Richard Wang, 360 
Group; Billy Qin, 360 Group; Danny Wu, 360 Group; Clemens Wanko, ACAB’c; 
Phillipe Bouchet, ACAB’c; Trevoli Ponds-White, Amazon Trust Services; 
Xiaosi Li, Amazon Trust Services; Geoff Keating, Apple; Paul Yang, 
BaishanCloud / OpenSSL; Franck Leroy, Certinomis (Docapost); Aleksandra 
Kapinos, Certum; Wojciech Trapczyński, Certum; Yi Zhang, CFCA; Jonathan 
Sun, CFCA; Ivy Xu, CFCA; J.P. Hamilton, Cisco; Jos Purvis, Cisco; Robin 
Alden, Comodo CA; Tony K.F. Chan, Deloitte China (Beijing); Jesse Yun He 
Wang, Deloitte China (Beijing); Putzy De Wei Lu, Deloitte China 
(Beijing); Peter Koo, Deloitte China (Hong Kong); Ben Wilson, DigiCert; 
Tim Hollebeek, DigiCert; Arno Fiedler, D-TRUST; Enrico Entschew, 
D-TRUST; Vijayakumar (Vijay) Manjunatha, eMudhra Technologies Limited; 
Kirk Hall, Entrust Datacard; Bruce Morton, Entrust Datacard; Chris 
Bailey, Entrust Datacard; Ken Myers, Federal PKI; Wei Yicai, GDCA; Zhang 
Yongqiang, GDCA; Wang Chunlan, GDCA; Xiu Lei, GDCA; Atsushi Inaba, 
GlobalSign; Doug Beattie, GlobalSign; Daymion Reynolds, GoDaddy; Adam 
Sink, GoDaddy; Devon O’Brien, Google; Ryan Sleevi, Google; Ryan Hurst, 
Google; Dimitris Zacharopoulos, HARICA; Xu Jiang 徐江, Huace Network 
Security Cert. Auth.; Zhang Yong, Huace Network Security Cert. Auth.; 
Rachel Gao, Huace Network Security Cert. Auth.; Mike Reilly, Microsoft; 
Gordon Bock, Microsoft; Wayne Thayer, Mozilla; Tomasz Nowak, Opera; 
Albert L. Lam, PwC; Freeman Guo, PwC; Tadahiko Ito, SECOM; Cui Jiuqiang, 
SHECA; Dai Yeqi, SHECA; William Luo, ShenZhen Digital Certificate 
Authority Center Co., Ltd; Zheng Huitao, ShenZhen Digital Certificate 
Authority Center Co., Ltd; Fotis Loukos, SSL.com; Leo Grove, SSL.com; 
Matthias Bartholdi, SwissSign; Edwin Zhai, TrustAsia Technologies, Inc.; 
Jack Zhang, TrustAsia Technologies, Inc.; Frank Corday, Trustwave; Jeff 
Ward, WebTrust/BDO; Don Sheehy, WebTrust/CPA Canada.

      Call to Order – CA/Browser Forum Plenary Meeting

        Read Antitrust Statement

The Antitrust Statement was read.

        1. Approval of CABF Minutes from Oct. 4 call (emailed Oct. 5)

*Presenter:* Kirk Hall, Entrust Datacard
*Notetaker:* Kirk.
The draft Minutes were approved, and will be posted to the Public list.

        2. Report from Forum Infrastructure Working Group

*Presenter:* Jos Purvis, Cisco
*Notetaker:* Robin
The first item discussed by the Forum Infrastructure Working Group was 
website content management. The website is going to be reconfigured to 
add sections for each of the working groups. The chair of each working 
group is going to be responsible for maintaining their own content. The 
sections will be divided to indicate subcommittees of working groups. We 
will be adding minutes and ballots for each of the working groups.
The second item discussed was the wiki. We have an offer from Microsoft 
to test out SharePoint. We also have a couple of open-source, 
self-hosted options we can test, so the idea was to test the options. 
When we have something set up, we’ll migrate over a little bit of data 
and test and then make a recommendation to the Forum as a whole.
The third item was document management. We felt there were several 
different problems. One was identifying the canonical version of the 
Baseline Requirements. The EV Guidelines and the Network Security 
document already have defined GitHub as the canonical version. We 
discussed how to improve the document management workflow for ballots. 
Tim volunteered to put together a set of instructions on how to get a 
ballot from idea into GitHub and to the Forum vote. Hopefully in working 
on the process we’ll identify where we have problems, such as 
identifying the canonical version of the Baseline Requirements. We 
discussed whether to use GitHub or Word, but before deciding on a 
process, we felt that we needed to identify the canonical version first. 
We also decided that we need to identify the what – “I need a red-line 
version, I don’t care what format it’s in”, etc.

        3. Report on Governance Change, Bylaws Issues: (1) Governance WG
        or Subcommittee, (2) Review Bylaws Change List

*Presenter:* Jos Purvis, Cisco
*Notetaker:* Bruce
/*Allow the formation of a Bylaws Subcommittee*/
Ben pointed out that the work of the Forum was compartmentalized into 
working groups in order to section off IPR scope. In keeping with that, 
using a Working Group for Governance seems the only way to go. Others 
agreed after some discussion that IPR is bound at the Working Group 
level, so there’s minimal IPR coverage for work done purely at the Forum 
level. This is one objection to subcommittees at the Forum level: that 
there is minimal IPR coverage for their work, which could expose IP 
The group then discussed whether a sub-committee or a Working Group was 
the right model for this. The concern with a Working Group was two-fold: 
the additional overhead from the establishment and operation of a 
Working Group, and the concern with pushing work on Forum-wide issues of 
the Forum-level Bylaws to a Working Group operating as a peer of the 
other WGs. There was some debate over whether the Bylaws permit for 
subcommittees at the Forum level; the result of the discussion was that 
work would begin on a ballot to clarify the Bylaws to permit 
subcommittees with specific requirements.
Wayne pointed out that if people felt strongly that this work should be 
done at the Forum level, there wasn’t anything in the Bylaws to prevent 
the Forum itself from holding a Forum meeting specifically to work on 
the problem. After some discussion, there was agreement that it was 
permissible to hold a Forum meeting to tackle specific issues like 
Governance questions, so long as it was an official Forum meeting with 
all the usual trappings (agenda, schedule, minutes). This was the 
suggestion to tackle these problems immediately while working out the 
subcommittee issue with the Bylaws.
/*Establishment of Subcommittees*/
Discussion then turned to subcommittees themselves. Dimitris asked what 
to use as the model for subcommittees, and whether to enact these rules 
at the Forum or the Working Group level. The group agreed that it was 
important to spell out the rules for how Working Groups and 
Subcommittees were required to function, and that the charter of the 
SCWG had taken place without fully spelling out those rules, which led 
to the current conflict. The group agreed that it was important to spell 
out the minimum requirements for the establishment and operation of a 
subcommittee as a general requirement, with a focus on transparency and 
general rules rather than being overly prescriptive. Tim pointed out 
that we had a good working model for this with the previous model for 
what we used to call Working Groups (e.g. the Validation Working Group), 
we just didn’t enforce them properly which led to some WGs being better 
than others about producing things like minutes. The group agreed after 
some discussion that the minimum requirements for a subcommittee was the 
combination of a public mailing list for discussions and minutes for any 
meetings held, with those to be consistently and firmly enforced. A 
remaining concern was whether to institute those requirements at the 
Forum level or to make them at the SCWG level first. Ryan suggested that 
we focus our efforts on the work-output-producing groups first, which 
meant the subcommittees of the SCWG, and then consider propagating those 
requirements upwards into the Forum.
/*Conflicts in Forum and WG Rules*/
Finally, Dimitris raised the question of whether the Forum rules take 
precedence over conflicting rules from the WG charters. Ryan pointed out 
there are two questions here: one of conflicting rules, and one of lack 
of guidance. The group agreed that conflicts in WG charters should be 
avoided by more careful reviews of charters while establishing them; 
Ryan added that a more specific list of requirements would improve this 
(e.g. ‘must specify voting structure’, ‘must specify mailing list 
requirements’, etc.).
Tim indicated that a major problem with the Bylaws was a lack of 
guidance over what rules applied only to the Forum, what rules also were 
required to apply to Working Groups or Subcommittees no matter what, and 
which rules were required to apply to WGs if they didn’t specify 
anything else. That is, which rules descended to WGs and which ones of 
those could the WG decide to override in their charter. The group agreed 
that the resolution to this was to review and revise the Bylaws to add 
statements like “Working Groups must do X” vs. “Working Groups must do X 
unless otherwise specified in the WG charter”. We know the SCWG has this 
issue with the Bylaws already, so everyone felt the group as a whole 
could begin tackling the Bylaws for review immediately, without needing 
to wait on the resolution of the Governance committee issue.

        4. Potential Amendments to SCWG Charter

*Presenter:* Tim Hollebeek, DigiCert
*Notetaker:* Dimitris
This topic was covered by the previous (slot #3) discussion. There was 
consensus that the current SCWG Charter should be amended to reflect the 
changes that we would like to see in a CWG template. This review needs 
to take place along with the review of the Bylaws.

        5. Creation of additional Working Groups – Code Signing

*Presenter:* Ben Wilson, DigiCert
*Notetaker:* Arno
Tim had sent the draft charter on 24.04.2018 to the Mailinglist. 
Previously there were a set of CS guidelines developed, but not adopted 
by the Forum. Governance reform gives the ability to create a new, 
chartered working group.
Ryan S – Regarding scope, it would be good to identify the work in 
detail and then define the working group.
Discussion followed on who should participate in a working group and 
what user agents would be involved.

        6. Creation of additional Working Groups – Secure Mail; Other

*Presenter:* Ben Wilson, DigiCert
*Notetaker:* Kenneth Myers, Protiviti supporting the US Federal PKI
A Secure Email Working Group was first brought up at the London meeting. 
We understand the multiple types of email clients and the differing 
types of certificates. It might be a good idea to have it scoped toward 
a specific application such as a desktop mail client vs a web-based mail 

  * Ryan Sleevi, Google – This has the same pitfalls as the code signing
    discussion. Secure Mail can also be regionally specific such as a
    Euro profile based on specific crypto algorithms and extensions.
    There could be multiple owners of a Secure Email certificate private
    key such as a person, an organization, or even an application. What
    is the most pressing issue with Secure Email and I would suggest
    focus on that. Maybe start with a certificate profile as a first
    work product and then work on a baseline requirement after that. In
    addition to specific EKUs and key sizes, what should be the identity
    validation properties?. In an enterprise RA model, maybe the user
    doesn’t manage or protect their private key and they are stored in a
    cloud or a multi-tenant environment.
  * Ben – Let’s hear from some of the Euro CAs and browsers who have
    email trust bit enabled for their perspective.
  * Tim Hollebeek, DigiCert – One item of clean-up could be to look at
    certificates that currently assert email and then create a BR based
    on those.
  * Wayne Thayer, Mozilla – We are interested in email validation
  * – We suggest maybe an approach similar to Adobe with integration and
    recognition of QC signing certificates.
  * Ben – Do we want to carve out desktop from web email to narrow the
  * Ryan – The initial scope is the minimum set of requirements to meet
    the current challenge. If the current challenge is standardization
    of email certificates, start with that. Then you can move onto
    identity validation, private key protection, secure email
    validation, etc. We can get to an end state with all these pieces,
    but I suggest a solid foundation based on a profile to start.
  * Ben – It sounds like the initial charter should focus on three
    aspects: profile, identity validation of email and identity (host
    and local part), and private key protection.
  * Kirk Hall, Entrust – Is that enough to start drafting a charter?
  * Ben – Yes, I can start a charter based on those three principles.
  * Geoff Keating, Apple – Maybe start a CA Certificate working group?
  * Ryan – We talked about this at London also. Start with a limited
    number of working groups, find the commonality between the groups
    and then work on common certificate profiles. Instead of focusing on
    different CA conditions such as CA = True and EKU = SMIME which may
    lead to having separate roots which I think no one is interested in
  * Wayne – Is your interest in a CA Cert working group, based on a
    problem or a notion from the governance reform?
  * Geoff – It is based on governance reform. For example, if we find
    OCSP may be a requirement of one CA type and not another it may have
    to go through multiple working groups and what if it fails in one
    and not another.
  * Dimitris Zacharopoulos, HARICA – This came up during the Network
    Security Subcommittee discussion and we anticipate this happening as
    more working groups are established. It is better to approach the
    issue when it comes up rather in theoretical.
  * Tim – A working group could simply be a mailing list and a charter
    with no document management.
  * Ryan – IETF ran into this problem where they had multiple groups
    with no products and caused confusion when trying to update or
    create a new document because of the overlapping scopes.
  * Kirk – Geoff, if you are interested in a CA Certificate Working
    group, please draft a charter for the group to discuss.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20181123/ee76cf09/attachment-0002.html>

More information about the Public mailing list