CT Policy Days NYC - Agenda

[Ryan Hurst]

I am looking forward to seeing folks in-person and online over the next few days.

Just like last year our plan is to structure the event as an un-conference with a focus on the break out sessions where we will discuss policy issues relating to the adoption of Chrome.

In addition to these break out sessions we are lucky to have some great speakers present issues, technologies and opportunities related to CT adoption.

The un-conference nature is designed to enable us to have the most relevant conversations with the folks who will be in attendance, this will allow us to spend more time on the topic that are most urgent and important to the group.

It also means that the schedule will be somewhat fluid, with that background bellow you will find our current tentative schedule.

Day #1

Session	Presenter	Start Time	Duration
Introductions & Logistics	Ryan / Devon	9:00 am	15 min
The Direction of CT	Devon	9:15 am	15 min
User Agent CT Policies	Devon	9:30 am	30 min
Break out session selection/scheduling	Ryan / Devon	10:00 am	45 min
Break	All	10:45 am	15 min
Break out Sessions #1	All	11:00 am	1 hour
Lunch	All	12:00 pm	1 hour
Break out Sessions #1 Presentations	Session Group Leads	1:00 pm	1 hour
Next generation logs and Trillian	Al / et al	2:00 pm	30 min
Break out Sessions #2	All	2:30 pm	1 hour
Break	All	3:30 pm	15 min
Break out Sessions #2 Presentations	Session Group Leads	3:45 pm	1 hour
Downtime	All	4:45 pm	1:15 hour
Dinner	All	6:00 pm	--

Day #2

Introductions & Logistics	Ryan / Devon	9:00 am	30 min
CT in the US Government	Lachelle and Deb	9:30 am	45 min
Break out session selection/scheduling	Ryan / Devon	10:15 am	30 min
Break	All	10:45 am	15 min
Break out Sessions #3	All	11:00 am	1 hour
Lunch	All	12:00 pm	1 hour
Break out Sessions #3 Presentations	Session Group Leads	1:00 pm	1 hour
Let’s Encrypt and Certificate Transparency	Roland	2:00 pm	15 min
		2:30 pm
Next Steps

Meeting details have been mailed to those individuals who have registered, if you have not received the details let me know.

Ryan Hurst

[Devon O'Brien]

On November 2nd and 3rd, we held the second CT Policy Days event at Google NYC. Turn out for the event was great; we had over 40 people present in person and regularly had over 15 participating remotely.

We had representatives from browsers (Microsoft, Apple, Mozilla and Google) as well as from CAs, log operators, log monitors, enterprises, governments, and other interested parties.

The focus of the event was largely to provide an ecosystem status update and to clarify what would common elements and approaches should browsers include when defining their log inclusion policies.

We had presentations from the Google CT team where they brought up an instance of the Trillian Log Server real time, we heard about Apple’s implementation of CT, the US Government talked about their CT plans, and Let’s Encrypt discussed the plans to deploy a log server based on Trillian in 2018. Even though CloudFlare could not attend they did announce their new Trillian based log server at the same time of the event as a show of support and DigiCert discussed their new log that will be released soon.

The feedback from both local participants and remote participants was that the event was both constructive and a good use of their time. I know that within Google, we found the event hugely valuable in shaping how we will spend our efforts over the next year.

As we have done previously we structured the event into break-out sessions where the attendees expressed interest and willingness to discuss the various topics. Based on those conversations the following topics were discussed:

Log Compliance Monitoring and Availability

What happens in April 2018 (CT Enforcement)?

Overzealous Logging and Policy Implications (DoS, accept revoked/expired?)

Log Architecture & Scaling (Internal Operations)

Pain points in Log operation & encouraging new log operators to join the fray

Non-publicly trusted Logs & Use Cases

Impacts of CT to Site Operators & Cloud Services

Towards multiple UA Policies

Improving the Log Evaluation Period / Log Lifecycle

Log Operator Incident Response (Policy Violations)

RFC 6962-bis

Each breakout session was lead by an in-person attendee who also captured rough notes (where possible) and then presented back to the group. I have attached unedited copies of those notes from these conversations for reference.

At the close of the event, we discussed best timing for the next event and it seemed it made the most sense for it to happen some time proximal to the April, 2018 date that Chrome is targeting for CT Enforcement. There was also some interest in the event being coordinated with the IETF event in London in March just before the enforcement date. We would be interested in seeing feedback on list regarding timing and locations for the next instance of this event so please let us know.

I want to thank everyone who participated remotely or in person; this was a great event and that would not have been possible without each and every one of you.

Ryan Hurst and Devon O’Brien

Google