Agenda

  • Welcome and update: David Kibbe
  • Final round of changes to CP per comments from last two meetings: Arien Malec
  • Discussion: ALL
  • Next work items: Arien Malec, David Kibbe, Sean Nolan

Attendees
  • Brian Ahier
  • Gary Christensen
  • Adrian Gropper
  • Andy Hereen
  • Don Jorgenson
  • Sri Koka
  • Greg Meyer
  • Alice Nyberg
  • John Odden
  • Pete Palmer
  • Bruce Schreiber

  • David Kibbe
  • Arien Malec
  • Greg Chittim
Could not attend
  • Brett Peterson
  • John Williams
  • Melissa Manning
  • David McCallie
  • McLain Causey (Ability)
  • Brian Hoffman
  • Chris Moyer
  • Colin Barry
  • Mark Gingrich
  • Mark Stine
  • Noam Arzt
  • Pat Pyette
  • Sean Nolan
  • Steve Waldren
  • Umesh Madan
  • Vince Lewis
  • Will Ross

Notes
  • Welcome and update: David Kibbe
    • Hopefully this will be our last discussion before getting to consensus and publishing the CP
    • Thanks to Arien and Don for making the last edits to the CP
  • Final round of changes to CP per comments from last two meetings: Arien Malec
    • Only remaining issues that people had raised were about the generalization of the DirectTrust.org governance
    • We have majority of Yes’s and two No’s
    • How do we either get to all Yes (which was the goal of Direct in general and almost always achieved)
    • There is a time issue – we need to get this approved so that we can get DT.org set up ASAP
    • Bruce Schreiber and John Odden – (1) can you suggest the small changes needed to get you to yes, or (2) give a succinct explanation of the more existential issues
  • Discussion: ALL
    • Bruce Schreiber – will yield the floor on (1) above to John Odden.
      • Don’t want to create two trust organizations. Want to either
      • 4.12 - if the CP doesn’t support key escrow and recovery. Do we not care? Or that it explicitly shouldn’t be done
        • Arien - likely Brett Peterson’s language. “No stipulation” is probably the correct language. If there is no objection to that, we will likely change it to that
        • What’s the process by which DirectTrust.org gets established?
          • There could be multiple organizations that ensure adherence to the CP. But moving beyond 1 should not hold up the approval of the CP.
          • Don Jorgenson - we need to find a way to get this set up ASAP.
            • David Kibbe – there are still some questions about how quickly this gets set up and how it might interact with similar entities set up by industry entities and/or ONC itself.
              • We can’t let perfect be the enemy of the good in this case.
              • Bruce - All my issues have been addressed, pending John’s comments
          • John Odden
            • Agree we can get a lot of stuff done with DT.org, but experience says it might take a lot longer. Could we write the CP so that it’s managed by the RotR group, with the stated interest of moving towards DT.org?
            • Do we have a railroad break of gauge potential here? No need to force everyone to bear the "cost" of operating with FBCA certs. We want this to be regular vs. premium gas, not gas vs. diesel.
              • “with respect to validation and verification of identity….” When we narrow this just to validation and verification when we defer to federal entities, we box out a lot of stuff that we might not have thought about. If we take out these words, my concern is gone. Someone else might have an explanation that addresses my concern.
                • Arien – Brett looked at a lot of CPs in this generation. Wanted to create a standalone one that was compatible with FBCA. Goal is compatibility – if we broke it we need to fix it. Do this as opposed to “if it’s broken, then something else automatically takes precedence”
                • Arien – don’t love the current language, but don’t have a big concern, since we lifted verification language from FBCA.
                • Arien – to restate. The goal is to create CP that can be used today, and can be used in compliance with FBCA.
                • Arien – would propose we take out the entire last sentence to say that we are intending to be compliant with FBCA, and that if we break it, we will fix it.
                • Comfortable changing vote to Yes based on these changes
      • The Verizon CyberTrust CP (http://cp1.govt.com-strong-id.net/CPS/Cybertrust-SAFE-Certificate-Policy-v1-42.pdf) says that “if there’s a conflict, we’re going to resolve it, and we’re going to resolve it when we get cross certified”—it doesn’t defer to anyone, and enforces that we don’t create a dual gauge problem.

        • “Conflicts between the SAFE CP and this CP shall be resolved at time of CP mapping for cross certification. In the event of a conflict, Cybertrust shall submit one or more waivers to identify the timeframe for conflict resolution for PAA approval”
  • Next work items: Arien Malec, David Kibbe, Sean Nolan
    • All thanks to John for raising thoughtful objections and to all for strong round of conversation
    • Arien to make changes immediately (to 0.9)
      • Language around conflicts above
      • Escrow (4.12) to no stipulation
      • Next steps:
        • How do we wish to get the word out about this CP?
          • Do have a Direct Communication WG – (currently mostly inactive)
          • Lots of industry connections
          • Greg Meyer - Key is to get this out to HISPs who are not doing best practice things
          • Through ONC
            • Direct training that Arcadia (Greg Chittim) is developing for REC/HIEs
            • Push of Direct through HIE program
            • What do we do next?
              • HISP rules of the road
              • CP for the citizen’s community?