[cabfpub] Final minutes of CA/Browser Forum Meeting - May 25, 2023

[Dimitris Zacharopoulos (HARICA)]

These are the final Minutes of the Teleconference described in the 
subject of this message, prepared by Eva Van Steenberge (Globalsign).


*Attendees:*

Aaron Poulsen - (Amazon), Adam Jones - (Microsoft), Ben Wilson - 
(Mozilla), Bruce Morton - (Entrust), Cade Cairns - (Google), Chad Ehlers 
- (IdenTrust), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Corey 
Rasmussen - (OATI), Daryn Wright - (GoDaddy), Dean Coclin - (DigiCert), 
Dimitris Zacharopoulos - (HARICA), Doug Beattie - (GlobalSign), Dustin 
Hollenback - (Microsoft), Ellie Lu - (TrustAsia Technologies, Inc.), 
Enrico Entschew - (D-TRUST), Eva Vansteenberge - (GlobalSign), Fumi 
Yoneda - (Japan Registry Services), Inaba Atsushi - (GlobalSign), Inigo 
Barreira - (Sectigo), Jamie Mackey - (US Federal PKI Management 
Authority), Joanna Fox - (TrustCor Systems), Jos Purvis - (Fastly), 
Karina Sirota - (Microsoft), Kiran Tummala - (Microsoft), Kyle Duren - 
(Yahoo Inc), Lynn Jeun - (Visa), Mads Henriksveen - (Buypass AS), Marco 
Schambach - (IdenTrust), Michelle Coon - (OATI), Miguel Sanchez - 
(Google), Nate Smith - (GoDaddy), Paul van Brouwershaven - (Entrust), 
Pedro Fuentes - (OISTE Foundation), Peter Miskovic - (Disig), Rebecca 
Kelley - (Apple), Rollin Yu - (TrustAsia Technologies, Inc.), Ryan 
Dickson - (Google), Scott Rea - (eMudhra), Tadahiko Ito - (SECOM Trust 
Systems), Thomas Zermeno - (SSL.com), Tim Hollebeek - (DigiCert), Tobias 
Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Wendy 
Brown - (US Federal PKI Management Authority), Yoshiro Yoneya - (Japan 
Registry Services).


*Approval of minutes:*

  * April 27th, circulated may 12th: approved
  * March 30th, ciculated may 8th: approved
  * May 11th, circulated May 12th: approved

*Updates:

*Server cert working group - Iñigo Barreira (Sectigo)

  * Membership application of Yahoo (interested party, waiting for IPR),
    QikFox (certificate consumer consumer) which has been affected by
    the member moratorium by Mozilla.
  * Log-use from server certs to SMIME
  * Validation sub:
      o topic of domain validation: Chrome to prepare document and circulate
      o upcoming f2f items: mainly on delegation of domain validation
      o Ben Wilson (Mozilla) and Justin working on something on Subscribers.
      o No meeting next week.
  * Dean Coclin (DigiCert) confirmed that Comscope responded, forwarded,
    with updated IPR.

CodeSign cert WG - Bruce Morton (Entrust)

  * Malware based revocation ballot: passed, in IPR period
  * Working on other ballots.
  * External question on subject name stability – Microsoft will address
    that and will get back to reporter
  * F2f agenda
  * Dimitris Zacharopoulos (HARICA) had an update: completed the work on
    import of SSL BRs in CodeSign BRs, few controversial topics, working
    with Martin to resolve, hopefully ballot soon.

SMIME: Update to follow

Forum infrastructure: No update

Netsec: Trevoli Ponds-White (Amazon Trust Services): review agenda of 
the f2f

Bylaws changes - Dimitris Zacharopoulos (HARICA)

  * Dimitris Zacharopoulos (HARICA) and Tim Hollebeek (DigiCert) working
    on changes.
  * Changes to election changes,  all on github. Workingon addressing
    comments.
  * Introduction of class of probationary member as discussed on F2F
      o Ben Wilson (Mozilla) wanted to widen scope to certificate consumers.
      o Split probationary members and link them to consumers and issuers.
  * If voting member loses qualifying membership criteria, currently
    suspension, losing voting rights, rights to propose ballots/endorse
    ballots.
      o Map exactly to probationary members as well. To be presented at F2F.
  * Discussion period to start next week, there’s 2 endorsers, just
    checking language.
  * Tim Hollebeek (DigiCert) asked if we could use prospective member
    instead of probationary? He suggested that there may be possible
    negative connotations, maybe not appropriate for excited new member.
  * Dimitris Zacharopoulos (HARICA) confirmed that he was happy to
    change the name, and that’s exactly the sort of discussion that’s
    needed.
  * Ben Wilson (Mozilla) raised the consideration that there’s a group
    of members that after suspension are on probation. Associate member
    has already been taken.
  * Dimitris mentioned the opportunity to discuss at F2F.

Server cert charter update (Ben Wilson):

  * updating requirements for consumers, only three new requirements:
    mandatory compliance to BRs, maintain of a list of CA, having
    criteria for adding and removing CAs from the list. Some other vague
    ones have been removed (or not clear what objectives were).
  * “Probationary members”: Attend 30% of the teleconference and at
    least 1 F2F (which can be virtual), in a year, or at least before
    voting on the membership.
  * Updated language to conform to suggestions made by Aaron and
    Dimitris, so it’s more based on meeting the requirements.
  * Update on attendance language, 1st of January 2024 as a start date,
    difficult to accomplish, trying to find a date of mandate this
    requirement.
  * Dimitris Zacharopoulos (HARICA) reminded the group that the charter
    needs to be discussed at a forum level, of course these discussions
    can be held in the groups. He suggested to combine the two
    discussions, server cert update and bylaws – break 1 slot into 2 for
    guest speaker.
  * Dimitris Zacharopoulos (HARICA) reminded of the registration of the
    F2F attendance.
  * Dimitris Zacharopoulos (HARICA) said that for the approval agenda of
    F2F, we don’t have the titles of the guest speaker presentations.
  * Tim Hollebeek (DigiCert) raised that there may be IPR issues with
    regards to forum presentations? Suggested to take this to the list.
  * Dimitris Zacharopoulos (HARICA) mentioned he wasn’t sure what the
    titles are on the presentations, so was not sure to which level they
    relate to.
  * Background: presentations that are scheduled in a timeslot under
    forum level part, Tim Hollebeek (DigiCert) was concerned to move
    that to server cert slot, similar for guest speakers, move to
    relevant slots . Forum level not protected by IPR.
  * Trevoli Ponds-White (Amazon Trust Services) explained that the
    presentation was just going to talk about TLS, and she didn’t
    particularly care which slot.
  * Tim Hollebeek (DigiCert) was mostly concerned about this
    presentation. Guest speakers, less of a concern, historically done
    on forum level, no change needed.
  * Karina Sirota (Microsoft) confirmed there was not a topic yet, not
    on specific cert type.
  * Tim Hollebeek (DigiCert) mentioned that the forum is supposed to be
    charters and working groups, not technical or policy, and that it’s
    not appropriate forum for those discussions that relate to multiple
    working groups. He reiterated that the forum was intended to protect
    people from discussions they’d like to avoid. Path forward to more
    cross cutting working groups, within well defined scopes that
    protect everyone, like Netsec and the discussions about the
    definitions working group. Perhaps good for putting forward to
    discussions.
  * Paul van Brouwershaven (Entrust) gave the example of the
    presentation of AWS on CA rotation, that it could apply to multiple
    WGs, so that’s why it was decided to do that on forum level, to take
    it into the working group, and discuss if needed. But definitely to
    consider on how to move forward.
  * Trevoli Ponds-White (Amazon Trust Services) notes that Amazon trust
    services is presenting, not AWS.
  * Tim Hollebeek (DigiCert) suggested taking 15 minutes for a
    governance overview.
  * Trevoli Ponds-White (Amazon Trust Services) asked that you don’t
    have to be part to part of a group attend in f2f, functionally?
  * Dimitris Zacharopoulos (HARICA) confirmed yes, but can’t contribute,
    the can listen in.
  * Paul van Brouwershaven (Entrust) confirmed that that’s why the
    presentation was suggested at forum level, and discussions in WG.
  * Tim Hollebeek (DigiCert) highlighted that being in room when
    discussion happen can expose you to legal risk. If you choose to
    attend, then the risk on you. But we shouldn’t put people at risk
    because they are listening in and then the discussion veers off into
    another working group’s topic, good to keep things in chartered
    working groups.
  * Dimitris Zacharopoulos (HARICA) suggested to make some changes to
    agenda. Add a 15 slot for governance issue?
  * Paul van Brouwershaven (Entrust) suggested moving governance issue
    on day one, and bylaws changes to one session and shift the agenda
    later the day.
  * Dimitris Zacharopoulos (HARICA) proposed to make slot 3.1 for
    governance, 20 min slot, lead by Tim? Only have bylaws update for 40
    minutes on Wednesday. There’s still 20 minute slot for website? Are
    there significant updates? There’s no updates – maybe we make that
    one governance, slot number 4?


No other business.

Next meeting: June 22nd

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20230622/a80dd890/attachment.html>