[cabfpub] Proposed Shanghai Agenda covering audit issues

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Sep 24 01:14:16 UTC 2018

Ryan, I’m glad you referred to our Sept. 20 SCWG teleconference in your message below, and what was said there.  I went back to listen and I prepared draft Minutes on the Shanghai Agenda/audits issues portion.  (I’m sending those Minutes to the Management list because they have not yet been approved for publication on the Public list.)  I also included a link in that message to the recording so interested members can confirm for themselves what was said on the call.

The recording and draft Minutes of our Thursday teleconference do not support your recollection of the call as presented below.  Here are the main takeaways from the 15 minute discussion on the call.

·       I asked if anyone had Agenda items to propose for the Shanghai meeting.  You suggested the Forum discuss the process for inclusion of roots in browser root programs from the auditing standpoint, the audits required from birth to death of a CA, and the variety of program requirements in place that require different things.  You said clarity and consensus on that and related verbiage would be useful, and this also applies to reworked language in BR 8.1 and 8.2 and confusion around performance audits.  You thought these issues could take at least an hour of time at the meeting, and that 30 minutes might be necessary to get everyone on the same page concerning audit vocabulary, as some people use phrases that don’t match with professional terms.  You said the goal was to a common understanding as well as diagramming what the expected process should look like with the appropriate audit schemes recognized.  You did not initially say you wanted to be a presenter or the sole presenter on all these related issues.

·       Jeff Ward of WebTrust said he and Don Sheehy were planning on covering those issues from a WebTrust standpoint during their update report, which would take about an hour.  He said they would not be talking about what the browser root programs should or should not require from CAs.

·       Kirk said the topic of the CA audit lifecycle from birth to death was aspirational and a separate issue from the audit problems encountered today, and that Wayne already said he wanted to present on that topic at the Sept. 11 WebTrust meeting in San Jose.  Wayne confirmed he wanted to present that topic at the Shanghai meeting.  You offered to do it if he didn’t want to do it, and he said the two of you could work together

·       There was more discussion where you said that current audit problems and ideal life cycle were the same issue.  Wayne disagreed, and said the topics were related but should be  treated as separate topics.

·       Dimitris said that discussing the Bylaws audit requirements for Forum membership should be deferred until after you and Wayne had made your presentations, and maybe should be combined with discussion of all the other pending Bylaws we have.

·       Arno Fiedler representing ETSI said ACAB’s representatives would be at the Shanghai meeting, and would like to present ETSIs perspective.

·       At the end, I asked if you wanted to be the presenter of a segment of these issues, and you said yes, that was what you were initially proposing.  You did not say you wanted to be the sole presenter of all the issues discussed.

·       I said that I would put together something for the Agenda on these issues.

So on last Thursday’s call, we had requests to be presenters on these related issues by Jeff/Don (WebTrust), Arno/Clemens (ETSI), Wayne (Life Cycle of a CA), and you.  Dimitris recommended we treat the Forum audit requirements for Membership along with other pending Bylaws issues but after these initial presentations.

That’s pretty much how I broke things down on my Agenda proposal on Friday.  I think we will all benefit the most if we start with a simple explanation and listing from WebTrust and ETSI (issues #1 and #2) of their current audits and reports as a refresher for the members on what comes next.  You have complete control of the problems the current audit systems are causing for browsers, including helping us understand and use the right vocabulary (issue #3).  If Wayne wants to pull you in on his presentation on the ideal life cycle for a CA from birth to death (issue #4, which I understood focuses in part on different issues than current browser), that’s fine with me – the two of you can refashion issues #3 and #4 as you please, and just give me the new descriptive text for the Agenda.  Finally, as Dimitris and I agreed on the call, the question of how our Bylaws on audit requirements for membership should be interpreted or amended (issue #5) should be discussed later, as a separate matter after you and Wayne have made your presentations.  I’d like Dimitris to handle issue #5 as the presenter, as he will be the person speaking for the Forum on new membership applications starting November 1 when he takes over as Chair.

Again, anyone who wants more details on our Thursday discussion of these issues can look at the draft Minutes I’m sending on the Management list.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Sunday, September 23, 2018 11:26 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: CABFPub <public at cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Proposed Shanghai Agenda covering audit issues

On Sun, Sep 23, 2018 at 1:59 PM Kirk Hall <Kirk.Hall at entrustdatacard.com<mailto:Kirk.Hall at entrustdatacard.com>> wrote:
I believe topic #3 as I have listed it below fairly presents your request on the Sept. 20  teleconference call, as it covers what you said you wanted to discuss – “Problems faced by root programs from existing WebTrust/ETSI reports and terminology.”  You didn’t request #1 or #2 because I was the one who thought of adding those segments when drafting the Agenda – this is intended as an introduction to existing audit/report types from the people who actually run WebTrust and ETSI to help educate the Members in the room so they can then fully understand the remaining topics #3 - #5.

Kirk, I do not believe it to be fairly presented. If there is any confusion, it's no doubt because you were interjecting during my description of the session to indicate you did not believe it would be necessary, as you felt it would take "60 seconds, at best".

I felt there was a clear request for a session, of 60 to 90 minutes length, by Google, to cover these topics. Do you believe that request - the first thing that was asked for - was unclear? At several times during the call, you attempted to suggest different topics of discussion, or why you felt they were not necessary, and again, the request was made.

You didn’t request #4 – Wayne did that at the WebTrust meeting in San Jose on Sept. 11, and I made a note at that time.  So I think it’s appropriate to let Wayne present his ideas.

Finally, while you did raise a different interpretation of our membership rules on our Sept. 6 teleconference than we have followed in the past (you said you thought a Point in Time audit is enough for a CA applicant to qualify for full membership under the current Bylaws, which is not what we have done in the past or what the members said they wanted in the Doodle poll) I was actually the person who raised the question of what form of audit is required for membership during that call.  Because Dimitris will be taking over new membership requests in November, it makes sense for him to present that issue.

While perhaps that's the case, if you also recall, on our previous call, I indicated that I have been working with both ETSI and WebTrust to address the issues arising from your misunderstanding and misrepresentation - of the Doodle poll and of the respective audits. Happy to revisit that with you, if you felt it was unclear that this was a topic that Google was actively working on

But I will remove Dimitris as a Moderator for the five issues – each presenter can be the moderator of his own topic.  And I will remove Wayne as a co-presenter with you on #3 and make you sole presenter – but I know Wayne also said he was having problems with some forms of audit reports, so I hope you will let him add his input during #3.

If you want to suggest different wording for your #3 below, please let me know and I will include it on the Agenda.   How much time would you like for this segment?

I again reiterate the request that was made on the call, for 60 - 90 minutes for a session, prior to the discussion about future expectations, to include both a presentation based on discussions Google has been having with browser representatives and auditor members, to bring clarity to these matters.

Can you ensure that such a thing is scheduled? Or do you believe your schedule is the only way to get this on the agenda?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180924/929aea4b/attachment-0003.html>

More information about the Public mailing list