[cabfpub] Final Minutes for CA/Browser Forum Teleconference - January 24, 2019

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Feb 7 17:53:16 UTC 2019

These are the Final Minutes of the Teleconference described in the 
subject of this message.

    Attendees (in alphabetical order)

Anna Weinberg (Apple), Arno Fiedler (D-TRUST), Ben Wilson (Digicert), 
Bruce Morton (Entrust Datacard), Chris Kemmerer (SSL.com), Dean Coclin 
(Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), 
Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Janet Hines 
(Trustwave), Frank Corday (Trustwave), Geoff Keating (Apple), Gordon 
Bock (Microsoft), Inaba Atsushi (GlobalSign), India Donald (US Federal 
PKI Management Authority), Iñigo Barreira (360 Browser), Joanna Fox 
(GoDaddy), Kenneth Myers (US Federal PKI Management Authority), Kirk 
Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mahmud Khair 
(Trustwave), Michelle Coon (OATI), Neil Dunbar (TrustCor Systems), Niko 
Carpenter (Trustwave), Rich Smith (Sectigo), Robin Alden (Sectigo), Ryan 
Sleevi (Google), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim 
Hollebeek (Digicert), Tim Shirley (Trustwave), Tomasz Nowak (Opera 
Software AS), Trevoli Ponds-White (Amazon), Vijayakumar (Vijay) 
Manjunatha (eMudhra), Wayne Thayer (Mozilla).


      1. Roll Call

The Chair took attendance.

      2. Read Antitrust Statement

The Antitrust Statement was read.

      3. Review Agenda

Today's Agenda was approved.

      4. Approval of Minutes of previous teleconference

The minutes of the January 10, 2019 teleconference were approved and will be 
posted to the Public list and the Public web site.

      5. Forum Infrastructure Working Group update

The Infrastructure Working Group had a short call and basically repeated 
items from the previous meeting. E-mails have been sent to some members 
kindly asking for some virtual infrastructure to host the CA/B Forum 
services (namely the wiki, mailman, wordpress) but there have been no 
responses yet.

A new DokuWiki instance has been launched by Jos and is being tested. A 
test WordPress instance launched by Daymion has been created by cloning 
the existing cabforum.org web site. This WordPress instance is part of a 
GoDaddy managed solution.

      6. Follow-up on new WG Charters (Code Signing, S/MIME)

Ben reported that he received only positive feedback for the Code 
Signing Charter, and he is looking for endorsers.

The S/MIME charter has triggered some discussion. He has made several 
updates on this document and would prefer if others can send new drafts 
with language they would like to see. Ben proposed that if people want 
to be added to the small group of members that are working on that 
draft, to send him an email.

Dimitris suggested that these drafts are in pretty good shape and would 
be best if they were circulated on the public list for more discussion 
and review. These drafts could also be uploaded on GoogleDocs which 
makes it easier for people to comment and offer suggestions.

      7. Upcoming F2F 46 meeting March 12-14, 2019 (hosted by Apple)

Hotel information is on the wiki. Geoff mentioned that we should 
primarily contact Curt for more information about the meeting. Kirk 
mentioned that the hotel rate is available for booking *until February 
12th*, which is posted on the wiki. Dimitris will send a reminder to the 
management list about the hotel reservation deadline. The meeting will 
either take place at "Infinite Loop" or "Apple Park". Any hotel in this 
area would be convenient for both possible locations.

      8. Any Other Business


      9. Bylaws and existing Charters update

Wayne led the discussion and started by reminding participants that a 
Google Document was published to the management list. This document 
includes proposed changes and comments to various sections of the Bylaws 
that have been identified as problematic or ambiguous in the past. A 
small group of people worked on this document that is now considered to 
be mature enough to be discussed by the larger group of Members. Since 
there is no special subcommittee to work on this topic, as agreed on our 
last call we will use the CA/B Forum time to discuss Bylaws in more 
detail. Wayne asked for members to provide their opinion whether they 
think these changes should be brought forward in one ballot or split 
into smaller ballots, if this discussion should be on the public list or 

The first change is adding a section that allows the creation of a 
subcommittee at the Forum level. It seems that the current Bylaws allow 
the creation of Subcommittees only at CWG level, and that is because of 
possible IPR issues. Kirk did an analysis of the IPR Policy version 1.3 
and also sent an e-mail to the public list with his analysis. One of the 
key elements is that it is very clear that the IPR Policy applies only 
to Working Groups that are working on Guidelines. Kirk read 
some quotes from the overview that support this interpretation. The 
conclusion of his analysis is that unless the Forum level starts working 
on Guidelines, then the IPR agreement doesn't really apply to work done 
at the Forum level.

Wayne repeated that the concern was that there is no IPR protection at 
the Forum level so we need to make sure that when creating a 
subcommittee at the Forum level, that subcommittee will not introduce IP 
that might end up in a Guidelines document. The proposal is described in 
a new section 5.6. Another option would be to specify Forum-level 
Subcommittees in the Bylaws, for example a "Bylaws subcommittee" amending 
the Bylaws or an Infrastructure Subcommittee.

Ryan mentioned that they had discussions with their legal counsel and 
confirmed these concerns about IP related issues at the Forum level. He 
mentioned that if we go forward with creating a Subcommittee, whether 
directly in the Bylaws or by Ballot, besides checking all sections 
of the Bylaws for consistency, we would have to explicitly state that 
this Subcommittee shall not produce any Guidelines that might create IP 
commitments. That would address the majority of issues Google had with 
this topic.

Ben and Dimitris agreed. Dimitris mentioned that he had proposed 
something similar but scoping the entire Forum-level to explicitly not 
produce any Guidelines and leave this work only for Chartered Working 

Ryan mentioned that this is mostly captured in the Bylaws where all 
activities related to IP commitments are done explicitly in Working 
Groups that come with the IP protection. He said that there are two 
parts we need to check:
- making sure the IP commitments are clear, which led to Google's 
concerns over Code Signing because the IP commitments with the old 
structure were not clear
- making sure that we are not developing documents or standards without 
clear IP commitment and making sure we are not producing documents, 
Guidelines, bindings, recommendations -whatever the name is- that others 
might be bound to.

Wayne summarized that a reasonable approach would be to make this 
explicit in the section for Forum level subcommittees and resolve the 
problem. Wayne asked Ryan to help draft the language to "forbid 
working on Final Guidelines or Final Maintenance Guidelines" and 
possibly technical matters that might introduce IP commitments.

Kirk pointed out that the IPR Policy is related to Guidelines and we 
should be careful not to forbid technical discussions in general, at the 
Forum level.

Wayne moved to section 2.1 for Membership qualifications and the group 
discussed the requirement for "clean" audits. Wayne's personal 
opinion is to not require "clean" audits but he also stated that it is 
generally agreed that the Forum should not be making decisions about which 
non-conformities or qualifications might be acceptable or not.

Ryan mentioned that this is a challenging topic because a CA could scope 
their WebTrust engagement in such a way that they don't include any 
validation activities and get a "Successful" Audit. Google's opinion is 
also to not require "clean" audits.

Dimitris mentioned that the current Bylaws describe in section 2.2 a 
process where a Member might be suspended if their audit is challenged 
and cannot produce a clean audit report for 15 months and he is trying 
to understand where this is coming from and what the intent was. Ryan 
corrected that the intent was for CAs to produce qualifying audit 
reports continuously and the Bylaws make sure this is maintained without 
requiring "clean" reports.

Dimitris asked if members are ok with accepting audit reports that 
include qualifications and major non-conformities in their membership 
qualifying audit report.

Ryan said that it is not ideal but that's the current reading of the 
Bylaws. Ryan mentioned the Seal program requirements for WebTrust that 
require "clean" audits and defer to CPA Canada for the "subjectivity" of 
qualifications and how to interpret those.

Dimitris replied that perhaps we don't need a seal and there is no need 
for Subjectivity from the Forum's side but just an audit report that 
states that "the management assertion is fairly stated in all matters" 
(or something similar) which is commonly used in WebTrust reports with 
no qualifications, and similar with ETSI for reports with no major 
non-conformities. He thought that this would be ideal. Ryan agreed it 
would be ideal but he described issues about audit scope. Also, for 
WebTrust there are different reporting templates that can be used 
depending on the framework. He also worries that if we enforce this 
"clean" audit requirement for CA/B Forum Membership, it would drive CAs 
to not reporting non-conformities to provide transparency or choosing 
auditors that don't report non-conformities. Wayne also supported the 
idea of reporting non-conformities for increased transparency. Wayne 
thinks the Forum must be more inclusive and CAs that went to the trouble 
of an audit and got an audit report should be given the opportunity to 
participate in Forum activities.

Wayne summarized that unless there were objections, he would remove the 
word "Successful" and "Clean" and just require an audit report.

Kirk asked if we need to further specify the word "current" for an audit 
report. Wayne agreed and proposed language that the audit report "must 
be issued within 15 months" or something similar. There were no concerns 
raised with this recommendation.

Ben raised the question of whether these audit reports need to be publicly available 
because some CAs might have audit reports they don't want to disclose. 
Ryan had the same concern and asked that we explicitly require this to 
be public so that at least the Forum can evaluate whether it meets the 
membership requirements.

Wayne introduced the next item, which is the audit requirement for a 
period-of-time vs a point-in-time that qualifies a Certificate Issuer 
for Membership. He mentioned that we need to at least specify what the 
minimum of this period-of-time should be. Currently CA members need a 
period-of-time audit to be considered for Full Membership and a 
point-in-time audit to be accepted as an Associate Member.

Ryan mentioned that there is an issue with ETSI because it doesn't have 
a notion of point-in-time or period-of-time, there is only some guidance 
from ACAB'c. But regardless of that, he was curious about the underlying 
intent that we are trying to capture with this requirement especially 
when a CA can get an audit report with fewer principles and criteria 
(scoping down the audit requirements).

Wayne also raised the issue of requiring that CAs "actively issue 
certificates", which a point-in-time audit definitely can't capture.

Ryan repeated the case where a CA can carve out certain sections of the 
WebTrust Principles and Criteria that can still produce a clean audit 
report. He added that in the Microsoft Root program a point-in-time audit is 
considered sufficient for inclusion and the CA has 2 months before 
producing a period-of-time and you have 3 months before this report is 
issued. So, as a CA you would be able to issue publicly-trusted 
certificates without having a period-of-time audit report. So there is a 
gap which could be solved if we required for example 5 months before 
being accepted in the Forum, and if we do, what is the difference that 
we try to capture with this requirement?

Wayne said that it boils down to precedent, this is how the Forum has 
gone about this so far.

Gordon likes the idea of Associate Member if that CA only has a 
point-in-time audit and explained that the whole idea of Microsoft 
accepting a point-in-time is to bootstrap CAs. That's why Microsoft 
requires three months later a period-of-time audit. So similar for the 
Forum they would be a Full Member three months later when they submit a 
period-of-time audit report. He had questions about the ETSI program and 
how it maps to the WebTrust terminology of point-in-time and 
period-of-time audits.

Dimitris mentioned that the practice for ETSI audits is that they are 
practically a period-of-time, even when the audit is initialized (for 
the first time). Current practice requires CAB review of at least 60 
days of operations before the CAB can issue Certification. Ryan said 
that this is not formalized in the ETSI criteria or the audit standards. 
WebTrust has explicit guidance that requires a minimum of 60 days audit 
period for a period-of-time. He realizes that ACAB'c has provided 
guidance and the ETSI new drafts try to capture some of these 
requirements. He believes that ETSI is somewhere in between a 
point-in-time and period-of-time because of other jurisdiction factors 
like NAB and Supervisory Body rules that come in addition to the 
existing criteria.

Wayne proposed a way to address that and substitute the period-of-time 
with something like "covering a period of at least 60 days" but the 
question is if we want that or not. There seem to be different opinions 
and this discussion must continue probably on the public list. Kirk 
mentioned that he supports the current precedent.

      10. Next call

February 7, 2019 at 11:00 am Eastern Time.

