Minutes, WPKOPS, 7 Nov 2013, 15:20 PST.

1. Attendees' attention was drawn to the standard "note well" statement.

2. The agenda was accepted as published.

3. Tim Moses reviewed the objectives, history and status of the group's work. He said that several early milestones had been missed. However, it was his intention to work with the authors to try to maintain the end dates. Tim said that the objective was to record how the Web PKI works. But, on its own, that has little value. It was intended to use the Security Considerations section of the documents to catalog the ways in which the reliability of Web PKI assertions could be compromised.

4. There were presentations on each of the four documents identified in the charter. There was active discussion, primarily about methods the group would use to obtain the information it requires to complete its documents.

   Representatives of Mozilla and Microsoft present in the meeting committed to help by providing answers to a questionnaire. Hence, the first order of work is to compile a questionnaire for software vendors covering all aspects of how their products use the Web PKI.

   It was acknowledged that the landscape is more dynamic than originally thought; threats are evolving and (particularly in the area of revocation) browsers are rethinking their approaches. It was decided that the group should not attempt to track evolving product design. Instead it should pick a point in time. The end of 2013 was chosen.

   There was some discussion regarding the inclusion of naming authorities in the trust model. It was decided that they should get brief mention.

   It was recognized that where to place the boundaries between the various documents in the set is not obvious; these would be negotiated by the authors to ensure that nothing falls between the cracks. There was likely to be extensive cross-referencing between the documents as they matured.

   Paul Hoffman asked that some discussion of "too big to fail" be included.

   Ben Wilson cautioned against including a discussion of how CAs respond to a full-scale compromise.

   Brian Smith asked that the documents not make recommendations. Tim Moses said that the charter was clear on this point.

   Steve Kent asked that the documents identify events that lead to interaction with the user while not attempting to capture the details of the interaction.

   Paul Hoffman asked if mobile clients act differently when compared to desktop clients. Several examples of such differences were cited (e.g. Firefox mobile does not distinguish EV in its UI).

   Rick Andrews asked that behaviour of CDNs and load balancers be included. This was agreed.

5. David Chadwick had provided a set of slides that were presented on his behalf by Tim. The subject matter covered work items to be included in the 2016 version of ITU X.509 and work on an international framework for PKI governance being considered within ISO/IEC JTC1 SC27. Phill Hallam-Baker pointed out an error in the slides: the cited compromise involving Comodo did not affect its root key, rather it involved a failure at a regional affiliate RA.

6. The meeting closed at 17:00 PST.