Final Minutes for CA/Browser Forum Teleconference – August 3, 2017 (approved 
Aug. 17, 2017)

Attendees: Ben Wilson (DigiCert), Christopher Kemmerer (SSL.com), Curt Spann 
(Apple), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Fotis 
Loukos (SSL.com), Frank Corday (Trustwave), Geoff Keating, (Apple), Gervase 
Markham (Mozilla), Jeff Ward (WebTrust), Jeremy Rowley (DigiCert), Jos Purvis 
(Cisco), Kirk Hall (Entrust), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa 
Telecom), Mads Henriksveen (BuyPass), Mike Reilly (Microsoft), Neil Dunbar 
(Trustcor), Patrick Tronnier (OATI), Peter Bowen (Amazon), Peter Miscovic 
(Disig), Rich Smith (Comodo), Rick Andrews (Symantec), Robin Alden (Comodo), 
Ryan Hurst (Google), Tim Hollebeek (Trustwave), Tyler Myers (GoDaddy), Virginia 
Fournier (Apple), Wayne Thayer (GoDaddy), Wendy Brown (FPKI).

1.    Roll Call

2.    Read Antitrust Statement

3.    Review Agenda.  Agenda was approved.

4.    Approve Minutes of F2F meeting of July 20, 2017.  The minutes as amended 
were approved and will be posted to the Public list.

5.    Governance Change Working Group.  Virginia said a draft ballot with a 
red-line version of the Bylaws and IPR Agreement had been distributed to the 
list and is ready for a vote.  She hopes to receive any questions or comments 
during the next week, after which the ballot (Ballot 206) will start the formal 
discussion and voting periods.

Kirk asked if the WG had yet drafted a charter for the first Working Group 
under the new governance rules – previously referred to as the “Server 
Certificate Working Group” or something similar.  This new Working Group would 
take over the current work of the Forum.  Ben answered no.  Kirk said he had a 
procedural concern – if Ballot 206 is passed without approving a charter for a 
new “Server Certificate Working Group”, then the old Bylaws would no longer 
exist and the Forum could no longer do work as it does at present.  He 
suggested the WG add a transition rule that says the new governance structure 
only becomes effective when the first new Working Group charter is approved by 
the Forum (which would be the “Server Certificate Working Group” covering the 
Forum’s current activities) – until then, we would continue to operate under 
the old Bylaws.  Virginia again stressed the WG would like to receive all 
comments and suggested edits from members now.

6.    Validation Working Group update.  Jeremy said the WG had met recently and 
discussed two main topics: (1) how to handle redirects to ports during domain 
validation, and what types of redirects are allowed, and (2) some differences 
in the validation rules as to when and how Random Values can be reused 
(including whether the same Random Value can be used for multiple domain 
validations using different validation methods).  This has been discussed in 
some detail in the VWG minutes previously distributed.

Jeremy prefers that a Random Value can only be used once, and cannot be reused, 
for increased security and less customer confusion.  Kirk thought it could lead 
to more customer confusion if a customer says “I didn’t get the Random Value 
email”, gets a new Random Value in a new email, then clicks the first Random 
Value and is told it’s not valid.  Peter said that wouldn’t happen, the Random 
Values in the two emails would both continue to be valid, but only 30 days for 
each.  Rick said it might be proper to require a new Random Value each time 
when using email methods, but that probably won’t work if the Random Value is 
posted to a customer page in a customer portal for use in one of the other 
methods (e.g., posting the Random Value in the DNS record).  The VWG will 
continue to work on these issues.

7.    Policy Review Working Group update.  Ben said the WG had a call the 
previous hour, and reviewed Dimitris’ recent work.  The WG is still trying to 
make clarifying changes to distinguish between internally operated sub-CAs 
versus externally operated sub-CAs.  Ben thinks this subject is handled better 
in the EV Guidelines than in the Baseline Requirements.  Dimitris said the WG 
is trying to remove references to internally operated sub-CAs wherever possible

8.    Network Security Working Group update.  Ben noted there is a draft Ballot 
210 that would make simple changes now to the existing Network Security 
guidelines, and asked for comments.  Kirk said the draft added multi-person 
control as an alternative to multi-factor control for Issuing Systems and 
Certificate Management Systems, but the text showed “multi-factor / multi-party 
authentication” – could the “/” be changed to “or” for clarity (so the auditors 
don’t think both are required)?  Ben agreed.  Ryan Hurst said the WG also 
planned to provide examples in the NetSec text for clarity, which Kirk said was 
a great idea.  Peter noted the draft ballot is only a revision to the current 
NetSec requirements, and the WG had still not decided whether to keep and 
revise the current requirements, or look to external criteria to adopt new 
requirements entirely.

9.    WebTrust Task Force request for review of WebTrust for CAs v2.1 changes.  
Kirk said he had posted a new draft Ballot 211 which would formally approve the 
proposed changes to WebTrust for CAs in v. 2.1 concerning key destruction and 
transportation, and asked if there were comments.

Dimitris asked why this ballot was needed, and whether his company should be 
involved when it had ETSI audits and not WebTrust audits.  Jeff said the 
original WTCA was based on ISO 21188, but those criteria don’t cover the issues 
of key destruction and transportation.  The WebTrust Task Force does not 
normally create standards to be audited, so it was looking for Forum approval 
of its draft audit criteria (which were based on recent auditor activity) to 
fill that gap – and Ballot 211 would work for the Task Force’s purposes.  Kirk 
said perhaps ETSI-audited CAs should abstain or not vote on the ballot, and 
Gerv suggested abstention was better in order to meet quorum requirements.  
Kirk said he would proceed with the Ballot.

10.  Status of Ballot 202 successor ballot (definitions), Ballot 190.  Peter 
noted that Ballot 202 did not pass because of three separate concerns from 
different CAs.  One concern re use of Unicode seemed to be resolved among the 
three Chinese CAs that voted no, a second concern on definitions such as Domain 
Names would be resolved by using IETF definitions for clarity, and a third 
concern would be resolved by creating Forum-specific definitions that can then 
be used in other parts of the BRs.  He had been waiting for the discussion to 
die down, and will draft a revised ballot as successor to Ballot 202 and seek 
endorsers.

Kirk said that Ballot 190 had almost started its voting period, but then some 
members had indicated they preferred to use updated definitions in the text of 
BR 3.2.2.4 validation methods instead of relying on clarifying Notes, as the 
most recent ballot draft did.  Kirk had pulled back the ballot to wait for the 
BR definitions to be modified in Peter’s Ballot 202, and will move forward 
rapidly to complete a vote on Ballot 190 once the new definitions have been 
fixed.

11.  Ballot Status - Discussion of ballots (See Ballot Status table at end of 
Agenda).  Ben noted there was a growing list of ballots ready to go, and asked 
for opinions as to how many ballots to start at one time.  Kirk suggesting 
staggering them, or even restricting to one at a time, to avoid confusion and 
ballot fatigue.  Ben said he thought the Forum could handle an overlapping two 
or three ballots at a time.  Peter suggested we first look to see if the draft 
ballots overlap – if there is no significant overlap in subject matter, the 
ballots could proceed simultaneously.  Kirk asked that most of the ballots 
start with a short pre-ballot period if possible and not immediately start with 
the limited seven-day discussion period followed by voting – that may not be 
enough time (especially during summer holiday season) if any ballot includes 
any controversial or difficult issues.

As to pending ballots, Jos said Kirk could remove the ballot “Bylaw change - 
Voting rules” from the list, as the Governance Change WG had incorporated those 
proposals in its current governance change Ballot 206.

12.  Membership application of SSL Corp.  Kirk noted that SSL.com had 
participated as an Associate Member since last fall, and had now completed its 
WebTrust audits and applied for full membership.  He said the application 
appeared to meet the Bylaws requirements to him, and asked if there were any 
questions for the three SSL.com representatives on the call.  There were no 
questions, so the three representatives dropped off the call.  Kirk noted that 
membership decisions were generally made by consensus on a teleconference call, 
and asked if any member believed SSL.com did not meet the Bylaws membership 
criteria.  There were no questions or concerns expressed and so SSL.com was 
added as a full member of the Forum by consensus.  Kirk said he would notify 
the SSL.com representatives.

13.  Any Other Business.  There was no other business.  Kirk reminded members 
who planned to attend the next F2F meeting hosted by Chunghwa Telecom in Taipei 
to make hotel reservations very soon.

14.  Next call August 17, 2017

15.  Adjourn

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

Reply via email to