[cabfpub] Proposed Shanghai Agenda covering audit issues

Ryan Sleevi sleevi at google.com
Mon Sep 24 02:00:22 UTC 2018

On Sun, Sep 23, 2018 at 9:14 PM Kirk Hall via Public <public at cabforum.org>

> Ryan, I’m glad you referred to our Sept. 20 SCWG teleconference in your
> message below, and what was said there.  I went back to listen and I
> prepared draft Minutes on the Shanghai Agenda/audits issues portion.  (I’m
> sending those Minutes to the Management list because they have not yet been
> approved for publication on the Public list.)  I also included a link in
> that message to the recording so interested members can confirm for
> themselves what was said on the call.

These were posted to the Public List, and I think it's good for the
transparency of the discussion.

> The recording and draft Minutes of our Thursday teleconference do not
> support your recollection of the call as presented below.  Here are the
> main takeaways from the 15 minute discussion on the call.
> ·       I asked if anyone had Agenda items to propose for the Shanghai
> meeting.  You suggested the Forum discuss the process for inclusion of
> roots in browser root programs from the auditing standpoint, the audits
> required from birth to death of a CA, and the variety of program
> requirements in place that require different things.  You said clarity and
> consensus on that and related verbiage would be useful, and this also
> applies to reworked language in BR 8.1 and 8.2 and confusion around
> performance audits.  You thought these issues could take at least an hour
> of time at the meeting, and that 30 minutes might be necessary to get
> everyone on the same page concerning audit vocabulary, as some people use
> phrases that don’t match with professional terms.  You said the goal was to
> a common understanding as well as diagramming what the expected process
> should look like with the appropriate audit schemes recognized.  You did
> not initially say you wanted to be a presenter or the sole presenter on all
> these related issues.
I think the key point here is that I was requesting a slot, of 60 to 90
minutes, to cover these issues. Thank you for confirming the accuracy of
this, and it seems the only confusion here is that despite requesting this
slot, you did not believe it was being requested?

I think your record of the minutes also does not capture your
dismissiveness of the issue, and I certainly can see why clarity is
necessary, as it seems you're intent on not scheduling the request.

The request being made here - and the issue described - is because they are
all tightly coupled, and I believe would most benefit the Forum discussed
as a single, concerted topic, that explores those relations - as we
requested. I am explicitly requesting this separate from the WebTrust and
ACAB-C updates, because I believe it is beneficial to have a discussion
that focuses on the common understanding these issues as they stand. As
we've seen, our WebTrust folks are excellent about talking about WebTrust -
but are not so at ETSI, and so to the opposite.

That’s pretty much how I broke things down on my Agenda proposal on Friday.

Yes. And I'm objecting to that, because I believe you've taken a
description of a session that was specifically being requested, which you
disagreed with, and attempted to reorganize the content, structure, and
presentation. As discussed from our past meetings, it's clear you do not
view some of these matters as important, nor do you appreciate the issues
at play.

I believe this will be a far more productive use of folks time, energy, and
expectations, if we can have that discussion, particularly for browser
members, if taken as a cohesive single presentation that examines the
current state.

That does not conflict with the ETSI or WebTrust updates, it does not
conflict with (other than an ordering dependency) with Wayne's suggestion
made in person previously. Indeed, the specific request for this session
emerged from those discussions, and through discussions that made it clear
a more cohesive understanding was necessary.

As such, I would like to, unfortunately yet again, request that 60-90
minutes be set aside in the schedule.

For ordering purposes:
- 60-90 minutes - Discussion of current state of audits and membership
requirements (Ryan)
- 60 minutes - Discussion about future audit requirements (Wayne)

And that these discussions would best benefit independent from the WebTrust
TF or ETSI updates, which are incredibly valuable, but somewhat orthogonal
to the conversation proposed.

Please update the agenda to reflect this request.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180923/d8e123d9/attachment-0003.html>

More information about the Public mailing list