[cabfpub] Final Minutes for CA/Browser Forum Teleconference - January 24, 2019
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Feb 7 17:53:16 UTC 2019
These are the Final Minutes of the Teleconference described in the
subject of this message.
Attendees (in alphabetical order)
Anna Weinberg (Apple), Arno Fiedler (D-TRUST), Ben Wilson (Digicert),
Bruce Morton (Entrust Datacard), Chris Kemmerer (SSL.com), Dean Coclin
(Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign),
Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Janet Hines
(Trustwave), Frank Corday (Trustwave), Geoff Keating (Apple), Gordon
Bock (Microsoft), Inaba Atsushi (GlobalSign), India Donald (US Federal
PKI Management Authority), Iñigo Barreira (360 Browser), Joanna Fox
(GoDaddy), Kenneth Myers (US Federal PKI Management Authority), Kirk
Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mahmud Khair
(Trustwave), Michelle Coon (OATI), Neil Dunbar (TrustCor Systems), Niko
Carpenter (Trustwave), Rich Smith (Sectigo), Robin Alden (Sectigo), Ryan
Sleevi (Google), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim
Hollebeek (Digicert), Tim Shirley (Trustwave), Tomasz Nowak (Opera
Software AS), Trevoli Ponds-White (Amazon), Vijayakumar (Vijay)
Manjunatha (eMudhra), Wayne Thayer (Mozilla).
Minutes
1. Roll Call
The Chair took attendance.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
Today's Agenda was approved.
4. Approval of Minutes of previous teleconference
The minutes of the January 10, 2019 teleconference were approved and will be
posted to the Public list and the Public web site.
5. Forum Infrastructure Working Group update
The Infrastructure Working Group had a short call and basically repeated
items from the previous meeting. E-mails have been sent to some members
kindly asking for some virtual infrastructure to host the CA/B Forum
services (namely the wiki, mailman, wordpress) but there have been no
responses yet.
A new DokuWiki instance has been launched by Jos and is being tested. A
test WordPress instance launched by Daymion has been created by cloning
the existing cabforum.org web site. This WordPress instance is part of a
GoDaddy managed solution.
6. Follow-up on new WG Charters (Code Signing, S/MIME)
Ben reported that he received only positive feedback for the Code
Signing Charter, and he is looking for endorsers.
The S/MIME charter has triggered some discussion. He has made several
updates on this document and would prefer if others can send new drafts
with language they would like to see. Ben proposed that if people want
to be added to the small group of members that are working on that
draft, to send him an email.
Dimitris suggested that these drafts are in pretty good shape and would
be best if they were circulated on the public list for more discussion
and review. These drafts could also be uploaded on GoogleDocs which
makes it easier for people to comment and offer suggestions.
7. Upcoming F2F 46 meeting March 12-14, 2019 (hosted by Apple)
Hotel information is on the wiki. Geoff mentioned that we should
primarily contact Curt for more information about the meeting. Kirk
mentioned that the hotel rate is available for booking *until February
12th*, which is posted on the wiki. Dimitris will send a reminder to the
management list about the hotel reservation deadline. The meeting will
take place either at "Infinite Loop" or at "Apple Park". Any hotel in this
area would be convenient for both possible locations.
8. Any Other Business
None.
9. Bylaws and existing Charters update
Wayne led the discussion and started by reminding participants that a
Google Document was published to the management list. This document
includes proposed changes and comments to various sections of the Bylaws
that have been identified as problematic or ambiguous in the past. A
small group of people worked on this document, which is now considered to
be mature enough to be discussed by the larger group of Members. Since
there is no special subcommittee to work on this topic, as agreed on our
last call we will use the CA/B Forum time to discuss the Bylaws in more
detail. Wayne asked members to provide their opinion on whether they
think these changes should be brought forward in one ballot or split
into smaller ballots, and on whether this discussion should be on the
public list or not.
The first change is adding a section that allows the creation of a
subcommittee at the Forum level. It seems that the current Bylaws allow
the creation of Subcommittees only at CWG level, and that is because of
possible IPR issues. Kirk did an analysis of the IPR Policy version 1.3
and also sent an e-mail to the public list with his analysis. One of the
key elements is that it is very clear that the IPR Policy applies only
at the Working Group level, to groups that are working on Guidelines.
Kirk read some quotes from the overview that support this
interpretation. The conclusion of his analysis is that unless the Forum
level starts working on Guidelines, the IPR agreement doesn't really
apply to work done at the Forum level.
Wayne repeated that the concern was that there is no IPR protection at
the Forum level so we need to make sure that when creating a
subcommittee at the Forum level, that subcommittee will not introduce IP
that might end up in a Guidelines document. The proposal is described in
a new section 5.6. Another option would be to specify Forum-level
Subcommittees in the Bylaws, for example a "Bylaws Subcommittee" amending
the Bylaws, or an Infrastructure Subcommittee.
Ryan mentioned that they had discussions with their legal counsel and
confirmed these concerns about IP related issues at the Forum level. He
mentioned that if we go forward with creating a Subcommittee, whether
directly in the Bylaws or by Ballot, besides checking all sections
of the Bylaws for consistency, we would have to explicitly state that
this Subcommittee shall not produce any Guidelines that might create IP
commitments. That would address the majority of issues Google had with
this topic.
Ben and Dimitris agreed. Dimitris mentioned that he had proposed
something similar but scoping the entire Forum-level to explicitly not
produce any Guidelines and leave this work only for Chartered Working
Groups.
Ryan mentioned that this is mostly captured in the Bylaws, where all
activities related to IP commitments are done explicitly in Working
Groups that come with the IP protection. He said that there are two
parts we need to check:
- making sure the IP commitments are clear, which led to Google's
concerns over Code Signing because the IP commitments with the old
structure were not clear;
- making sure that we are not developing documents or standards without
clear IP commitment, and making sure we are not producing documents,
Guidelines, bindings, recommendations (whatever the name is) that others
might be bound to.
Wayne summarized that a reasonable approach would be to make this
explicit in the section for Forum level subcommittees and resolve the
problem. Wayne asked Ryan to help draft the language to "forbid
working on Final Guidelines or Final Maintenance Guidelines" and
possibly technical matters that might introduce IP commitments.
Kirk pointed out that the IPR Policy is related to Guidelines and we
should be careful not to forbid technical discussions in general, at the
Forum level.
Wayne moved to section 2.1 on Membership qualifications, and the group
discussed the requirement for "clean" audits. Wayne's personal opinion
is to not require "clean" audits, but he also stated that it is
generally agreed that the Forum should not make decisions about which
non-conformities or qualifications might be acceptable or not.
Ryan mentioned that this is a challenging topic because a CA could scope
their WebTrust engagement in such a way that they don't include any
validation activities and still get a "Successful" audit. Google's
opinion is also to not require "clean" audits.
Dimitris mentioned that the current Bylaws describe in section 2.2 a
process where a Member might be suspended if their audit is challenged
and cannot produce a clean audit report for 15 months and he is trying
to understand where this is coming from and what the intent was. Ryan
corrected that the intent was for CAs to produce qualifying audit
reports continuously and the Bylaws make sure this is maintained without
requiring "clean" reports.
Dimitris asked if members are OK with accepting audit reports that
include qualifications and major non-conformities as their membership
qualifying audit report.
Ryan said that it is not ideal but that's the current reading of the
Bylaws. Ryan mentioned the Seal program requirements for WebTrust, which
require "clean" audits and defer to CPA Canada for the "subjectivity" of
qualifications and how to interpret those.
Dimitris replied that perhaps we don't need a seal and there is no need
for Subjectivity from the Forum's side but just an audit report that
states that "the management assertion is fairly stated in all matters"
(or something similar) which is commonly used in WebTrust reports with
no qualifications, and similar with ETSI for reports with no major
non-conformities. He thought that this would be ideal. Ryan agreed it
would be ideal but he described issues about audit scope. Also, for
WebTrust there are different reporting templates that can be used
depending on the framework. He also worries that if we enforce this
"clean" audit requirement for CA/B Forum Membership, it would drive CAs
to not report non-conformities (which provide transparency) or to choose
auditors that don't report non-conformities. Wayne also supported the
idea of reporting non-conformities for increased transparency. Wayne
thinks the Forum must be more inclusive, and CAs that went to the trouble
of an audit and got an audit report should be given the opportunity to
participate in Forum activities.
Wayne summarized that unless there were objections, he would remove the
words "Successful" and "Clean" and just require an audit report.
Kirk asked if we need to further specify the word "current" for an audit
report. Wayne agreed and proposed language that the audit report "must
be issued within 15 months" or something similar. There were no concerns
raised with this recommendation.
Ben asked whether these audit reports need to be publicly available,
because some CAs might have audit reports they don't want to disclose.
Ryan had the same concern and asked that we explicitly require this to
be public so that at least the Forum can evaluate whether it meets the
membership requirements.
Wayne introduced the next item, which is the audit requirement for a
period-of-time vs a point-in-time audit that qualifies a Certificate
Issuer for Membership. He mentioned that we need to at least specify what
the minimum of this period-of-time should be. Currently CA members need a
period-of-time audit to be considered for Full Membership and a
point-in-time audit to be accepted as an Associate Member.
Ryan mentioned that there is an issue with ETSI because it doesn't have
a notion of point-in-time or period-of-time; there is only some guidance
from ACAB'c. But regardless of that, he was curious about the underlying
intent that we are trying to capture with this requirement, especially
when a CA can get an audit report with fewer principles and criteria
(scoping down the audit requirements).
Wayne also raised the issue of requiring that CAs "actively issue
certificates", which a point-in-time audit definitely can't capture.
Ryan repeated the case where a CA can carve out certain sections of the
WebTrust Principles and Criteria and still produce a clean audit
report. He added that in the Microsoft Root Program a point-in-time audit
is considered sufficient for inclusion; the CA has 2 months before
producing a period-of-time audit and 3 months before this report is
issued. So, as a CA you would be able to issue publicly-trusted
certificates without having a period-of-time audit report. So there is a
gap which could be solved if we required, for example, 5 months before
being accepted in the Forum, and if we do, what is the difference that
we try to capture with this requirement?
Wayne said that it boils down to precedent, this is how the Forum has
gone about this so far.
Gordon likes the idea of Associate Membership if a CA only has a
point-in-time audit, and explained that the whole idea of Microsoft
accepting a point-in-time audit is to bootstrap CAs. That's why Microsoft
requires a period-of-time audit three months later. Similarly, for the
Forum they would become a Full Member three months later when they submit
a period-of-time audit report. He had questions about the ETSI program
and how it maps to the WebTrust terminology of point-in-time and
period-of-time audits.
Dimitris mentioned that the practice for ETSI audits is that they are
practically period-of-time audits, even for an initial (first-time)
audit. Current practice requires CAB review of at least 60 days of
operations before the CAB can issue Certification. Ryan said that this is
not formalized in the ETSI criteria or the audit standards. WebTrust has
explicit guidance that requires a minimum 60-day audit period for a
period-of-time audit. He realizes that ACAB'c has provided guidance and
the new ETSI drafts try to capture some of these requirements. He
believes that ETSI is somewhere in between point-in-time and
period-of-time because of other jurisdiction factors, like NAB and
Supervisory Body rules, that come in addition to the existing criteria.
Wayne proposed a way to address that: substitute the period-of-time
wording with something like "covering a period of at least 60 days". The
question is whether we want that or not. There seem to be different
opinions, and this discussion must probably continue on the public list.
Kirk mentioned that he supports the current precedent.
10. Next call
February 7, 2019 at 11:00 am Eastern Time.
Adjourned.