Final Minutes for CA/Browser Forum Teleconference – Nov. 9, 2017
Attendees: Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Devon O’Brien (Google), Dimitris Zacharopoulos (HARICA), Fotis Loukos (SSL.com), Frank Corday (Trustwave), Jeremy Rowley (DigiCert), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Michelle Coon (OATI), Mike Reilly (Microsoft), Patrick Tronnier (OATI), Peter Bowen (Amazon), Phillip Hallam-Baker (Comodo), Rich Smith (Comodo), Rick Andrews (DigiCert), Robin Alden (Comodo), Ryan Sleevi (Google), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave), Wendy Brown (Federal PKI).
- Roll Call
- Read Antitrust Statement
- Review Agenda. Agenda was approved.
- Approval of Minutes from teleconference of Oct. 26, 2017. The draft of Minutes as circulated by Ben were approved, and will be posted to the Public list.
- Membership Application of Comodo Security Solutions, Inc. (as a browser). The members agreed to defer consideration of this application until additional information was available.
Kirk then discussed the need for additional Bylaws provisions to clarify what to do when one member is substantially acquired by another (e.g., Symantec and DigiCert) as well as other membership changes. He suggested a process under which the Chair and Vice Chair collect information about the status of a company to determine if it still qualifies for membership (including the company’s own views), prepare a report and recommendations, and present to the Forum – it may be the company’s current membership status can be decided by consensus, but if not a ballot could be proposed.
Peter noted that the Symantec transaction was an asset sale, not an ownership sale, which raises different questions. Wendy noted that some member representatives formerly with Symantec could still be active in the Forum on behalf of DigiCert. Bruce said if a company signed the IPR Agreement as a member but is no longer a member, could they just state they are no longer a member and no longer bound by the IPR agreement? Peter noted some parts of the IPR Agreement will still apply even after a company is no longer a member and withdraws from the IPR Agreement (e.g., obligations that arose under the Agreement while the company was a member).
Devon noted that the legal department of departing members will care about the status of the IPR Agreement the company signed. Jeremy noted that DigiCert has already signed the IPR Agreement, which now will extend to the acquired Symantec assets. Rick said he would check with his legal department about the effect of withdrawal from the Forum on the obligations under the IPR Agreement.
- Governance Change Working Group. Ben said Virginia had circulated comments to the draft FAQ on the Governance Change proposals. There was no WG call this week, but the WG will follow up at its next meeting.
- Policy Review Working Group update. Dimitris said there was no report.
- Network Security Working Group update. Dimitris said the WG (which meets bi-weekly on Thursdays) did not have a meeting due to telecommunications problems. A sub-group was formed to take a threat analysis approach on a “Root CA System” which will hopefully map the current Network Security Requirements (the ones related to Root CA Systems) to specific vulnerabilities and threats.
This sub-group meets every Wednesday and hopefully will conclude its work in December. This sub-group reports to the Network Security Working Group. Other sub-groups have also spawned from the Network Security Working Group. One of them already discusses about password quality, and another one tries to describe a full Threat Model for the Root CA Systems.
- Validation Working Group update. Jeremy said there was no report.
- Teleconference meetings times and possible transitions from Standard Time to Daylight Savings Time. Kirk noted that North America had just moved from Daylight Savings Time (Summer Time) to Standard Time, which moved the start time for all teleconferences in North America to one hour earlier – meeting times switch back and forth two times a year for most members, which is inconvenient if a member has another fixed meeting time in local time that conflicts.
Some members have proposed setting meeting times according to a fixed local time instead of UTC to avoid this problem. (It was noted that not all jurisdictions switch times on the same date – and some countries in Asia don’t switch times at all – so there will have to be some adjustments for some members even if the Forum goes to fixed meeting times.) Kirk asked if the members would support setting meeting times to a local time instead of UTC, and the consensus was yes. Kirk suggested following time zones in the US and Canada, as most participating members live there. Ben said he would re-send all meeting calendar invitations to the current local time in the US and Canada, not UTC.
- Changes to WhoIs:
(a) ICANN PDP WG Next-Generation gTLD Registration Directory Services to Replace Whois
(b) EU’s General Data Protection Regulation:
Kirk noted he had sent out the links above with information about discussion in ICANN and EU regulations that could make most contact information for domain owners (e.g., Registrant, Admin, and Tech contact email address and phone number) unavailable for use in authenticating domains – apparently some participants in the ICANN Policy Development Process on this issue and the EU believe the data should not be disclosed for privacy reasons. This could make it harder for CAs to authenticate domains for some customers.
Peter thought the ICANN group brought up a reasonable question, and noted that there is no requirement under the BRs that CAs use WhoIs data – it’s just one of several authentication methods. Rich thought the Forum should consider modifying the BRs to recognize the move of many registries to RDAP – the BRs should be tech agnostic. Many TLDs don’t publish ownership information. Robin said he likes email address information to be available, and noted his company has agreements with some WhoIs operators to have access to the information.
- CT Domain Label Redaction – IETF TRANS WG. Kirk noted that a number of CAs and website owners would still like specifications for CT domain label redaction to be completed so that they could be implemented by willing browsers/applications, CAs, and website owners. He noted that he had listed the reasons in favor of allowing use of CT domain label redaction in a previous email sent to the members. Several CAs were approaching the IETF TRANS WG co-chairs at the current meeting in Singapore to ask to restart the discussion.
Ryan asked Kirk what the overall goal for this was. Kirk began describing some of the use cases for this draft, shared on the Public List. Ryan clarified that he was trying to understand the process goals – the reason redaction was removed from the IETF drafts were that implementers, such as Chrome, were not interested in supporting this. The reason that implementers were not supportive was because of policy concerns – that is, the impacts of redaction on the ecosystem. As the IETF does not deal in policy, and the technology may need to change based on the proposed policy solutions, it seemed premature to push this in the IETF without a plan to address those concerns. Kirk indicated that the proposal was to discuss this in the Forum and the IETF in parallel.
There was then a discussion about use cases. Kirk highlighted that several CAs have had their customers asking for this feature. Ryan responded that Chrome had heard a number of people opposed to redaction. While he understands that CAs need to represent their customers, browsers need to represent their users, and redaction posed risk to the ecosystem.
Peter indicated that view represented the browser perspective, but not necessarily the perspective of the domain owners and that other PKIs may be interested in CT, outside of the Web PKI. He also noted that even with domain label redaction, all certificates would still be CT logged. The point of reopening the discussion in the IETF is to develop a hard technical standard that can be used by those who want to use it.
Ryan highlighted that CT is not purely a technology, but an ecosystem. Ryan raised the example of how ensuring logs have incorporated certificates, or preventing split views, depends on clients checking SCTs and monitors/auditors checking consistency proofs, but had seen no explanation or examples of how this would happen in non-Web PKI use cases.
As it applies to the Web PKI, Ryan stated Chrome had raised the concerns regarding redaction to allow CAs time to respond and address the policy concerns, but only one CA, Amazon, engaged in those discussions. As a result of that engagement, Chrome had integrated that feedback, but that now it was too late in the product cycle for Chrome to reconsider redaction.
Tim expressed concern that any one member would try to prevent discussion of an issue in the CA/Browser Forum, and Ryan reiterated that he wasn’t opposed to the discussion, merely that as a trust store policy, Chrome has decided redaction presents too much risk to the ecosystem due to the policy concerns, and that as a product schedule, it was going forward.
Rich and Mike both indicated they thought it would be appropriate to discuss the policy issues around CT domain label redaction in the Forum. Ryan agreed that policy issues were appropriate for the Forum.
- Ballot Status – There was no discussion.
- Any Other Business. There was no other business.
- Next call: Nov. 30, 2017. Kirk noted that the next call normally would be in two weeks, on Nov. 23, but that was the Thanksgiving holiday in the US. The members agreed to move the next teleconference call to one week later, Nov. 30, to avoid this conflict, with following calls every two weeks after that.. This will also avoid the conflict with the Christmas holiday.