Minutes, WPKOPS, 6 Mar 2014, 10:00 GMT.

1. Attendees' attention was drawn to the standard "note well" statement.

2. The agenda was accepted as published.

3. Tim Moses reviewed the objectives, history and status of the group's work. He said that several early milestones had been missed. Unfortunately, if anything useful is to emerge from this activity, then the end-date will have to slip. Tim said that the objective was to record how the Web PKI works. But, on its own, that has little value. It was intended to use the Security Considerations section of the documents to catalog the ways in which the reliability of Web PKI assertions could be compromised. Where vendors have adopted different approaches, an informed discussion may result in a consensus view of best practice.

4. Rick Andrews reviewed the results of the vendor survey. He has received partial results from some browser suppliers. He expects more input from Mozilla and Microsoft. Oracle declined to participate as they saw no commercial benefit. He is hoping that Ben Laurie will facilitate a response from Apache. OpenSSL representatives declined to participate as they apprehended a suspicious motive. Paul Hoffman said that OpenSSL is a toolkit, not a product. So, their responses would be of limited usefulness anyway. Yngve Pettersen said that a survey distributed by an area director may elicit a more cooperative reaction.

Gerv Markham brought up Hello message size concerns. He said that limitations apply only at the server end. Daniel Kahn Gillmor said that messages outside the range 256-512 bytes are unaffected.

Rick mentioned that some client suppliers had requested access to test sites with aberrant certificate and revocation data structures. Rick said that the group has no such facilities available to it. Gerv mentioned that Microsoft has a test suite. The discussion turned to whether it was better to ask product suppliers and service providers how their offerings work, or to test them.

Joel Jaeggli said that there is value in both approaches. A survey might be considered less antagonistic than second-party testing. We can expect the results from testing and from a survey to differ. Server suppliers don't have the same motivation as CAs, who may be eager to have their conformance recognized. Paul said that we should encourage the creation of a test suite. He also observed that it would be harder to achieve acceptable test coverage for OCSP than it would be for certificates. Rick said that he was expecting to get the help of a summer intern, and will have him/her contribute to this project. Steve Kent said that product suppliers should know how their products work without having to rely on black-box testing. He wondered whether the Electronic Frontier Foundation might be willing to undertake a testing program. Exactly this sort of testing was performed in the RPKI project. Joel mentioned that there is a Benchmarking Methodology working group whose charter covers standard test suites for networking components. Paul mentioned NIST's PKITS. But, he said that many of the certificates it contains have now expired. Furthermore, it does not contain sufficient negative cases.

Gerv suggested that we give more consideration to individual questions and how we might use the corresponding responses. Phillip Hallam-Baker said that we should renew our efforts to advance the work; it is becoming increasingly important. Gerv suggested that we allow the survey approach one more "IETF cycle" of four months. Scott Rea listed a number of organizations that control resources that could be deployed against the testing task: the US Federal Government, the International Grid Trust Federation, Massimiliano Pala, and InCommon. Rick mentioned that Tom Ritter was considering producing a JRE test-suite. Rick mentioned that Apache was still a problem, in particular because it may not be visible which version of Apache is in use at a given site. Gerv said that Netcraft may have the tools to discover this.

In summary, several options for filling in the gaps had been explored.

5. The meeting closed.