<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Nur Text Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.NurTextZchn
{mso-style-name:"Nur Text Zchn";
mso-style-priority:99;
mso-style-link:"Nur Text";
font-family:Consolas;}
span.E-MailFormatvorlage19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
p.PlainText, li.PlainText, div.PlainText
{mso-style-name:"Plain Text";
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
span.E-MailFormatvorlage22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Tim,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>I really don’t know whether it’s worth to mention within the minutes – but as you stated that your recording did not work properly:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>I raised the question that members should have –at least- a gentlemen’s agreement that a discussion started on the management list should not be posted to the public list and vice versa.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Best regards<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Carsten<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#7B7C7E'>Carsten Dahlenkamp</span><span style='color:#1F497D'> <br></span><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#7B7C7E'>T-Systems International GmbH</span><span style='color:#1F497D'> <br></span><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#7B7C7E'>Trust Center Applications</span><span style='color:#1F497D'> <br></span><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#7B7C7E'>Untere Industriestraße 20, 57250 Netphen, Germany </span><span style='color:#1F497D'><br></span><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#7B7C7E'>+49 271 708-1643 (Tel.)</span><span style='color:#1F497D'> <br></span><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#7B7C7E'>E-Mail: carsten.dahlenkamp@t-systems.com</span><span style='color:#1F497D'> <br></span><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#7B7C7E'><a href="http://www.t-systems.com">http://www.t-systems.com</a>, <a href="http://www.telesec.de">http://www.telesec.de</a></span><span style='color:#1F497D'> <o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Tim Moses<br><b>Sent:</b> Friday, May 25, 2012 4:11 PM<br><b>To:</b> CABFPub<br><b>Subject:</b> [cabfpub] Notes of meeting, CAB Forum, 24 May 2012, Version 1<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US>Notes of meeting<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>CAB Forum<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>24 May 2012<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Version 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>1. Present<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tim Moses, Ben Wilson, Wayne Thayer, Atsushi Inaba, Brad Hill, Jeremy Rowley, Dean Coclin, Eddy Nigg, Kirk Hall, Robin Alden, Bruce Morton, Mads Henriksveen, Sissel Hoel, Gerv Markham, Geoff Keating, Carsten Dahlenkamp, Rick Andrews, Chris Bailey, Tom Albertson, Sid Stamm, Wendy Brown, Ryan Sleevi, Renne Rodriguez, Yngve Pettersen, Chris Palmer, John Johansen, Steve Roylance, Ryan Hurst, Simon Labram, Phill Hallem-Baker, Bill Madell, John Espinosa, Tom Ritter<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>2. Agenda review<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Eddy asked that requirements for the inclusion of the German “state” in an EV certificate be discussed under Item 14.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>3. Minutes of meetings on 10 May<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The minutes were accepted as published.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>4. Ballots status<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Ballot 72 is open. Ballot 74 opens later today.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Yngve said that he has circulated a motion to address the BR issues that were assigned to him. He is seeking endorsers.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tim said that he, too, has circulated a motion for BR Issue 14 and is seeking endorsers.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>5. Gjovik agenda, logistics and RSVP<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Mads has provided logistical information for Meeting 26 in Gjovik.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><a href="https://www.cabforum.org/wiki/Face-to-face%20meeting%20calendar">https://www.cabforum.org/wiki/Face-to-face%20meeting%20calendar</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>He requests that those who plan to attend let him know as soon as possible.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The meeting agenda is also posted there. Tim asked that members review the draft agenda and identify topics for inclusion.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>6. Process for IPR Agreement submission<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tim said that the deadline for submitting executed IPR agreements (for continuity of membership) was 7 June. Eleven members have submitted to date.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Jeremy said that he felt the motion for Ballot 67 was unclear. Dean said that his legal adviser told him that it could be interpreted as allowing 120 days from the effective date for submission of exclusion notices. Tim disagreed. He said that he thought the motion was clear, and that 60 days was the allowed period. Jeremy said that nothing important would be lost by extending the period. Tim said that the result of a formal ballot could only be overturned by another formal ballot. If such ballot were to complete before 7 June, it would have to be announced today.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Wayne asked whether, in light of Entrust’s exclusion notice, there would be a Patent Advisory Group. Tim said that he believed that to be the case. He said that that should be determined once the 7 June deadline had passed.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>7. Options for governance reform<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Chris P said that the Governance working group was almost ready to return the discussion to the Forum as a whole. There are four complete proposals; those from PayPal, Microsoft, DigiCert and TrendMicro. The next step was to post the proposals on cabforum.org.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Brad said that the TrendMicro proposal mischaracterizes the content of the submissions that have been received concerning problems with the current organization and procedures. He asked that, if it is to be posted in such a way that rebuttal is not feasible, then it should limit itself to a description of the proposal. Kirk disagreed. He said that, if he were to make the requested changes, he would expect the other proposals to similarly remove any criticism of the Forum’s operations to date.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Brad agreed to send Kirk a revised version of the TrendMicro proposal for his consideration. Dean said that Kirk will simply reject Brad’s version. Brad said that an alternative approach would be to publish all the discussion related to the proposals. The issue was returned to the Governance working group for further discussion and resolution.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tim asked about the next step. He voiced a concern that to simply put multiple proposals to the vote may not produce a result that fairly reflects the members’ views.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Chris P said that he foresaw more discussion taking place within the Forum membership on the individual elements of the decision process as laid out by Jeremy in his summary of progress to date. This will probably result in refined/combined proposals. It was also agreed that the working group would meet one more time and that it would consider the question of how to get to _one_ proposal from the current four.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>7. The way forward for the network security project<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Ben said that the Network Requirements document was ready for public review. There was some discussion about whether this step should be approved by ballot. It seems clear that our lifecycle process demands this. Jeremy said that, now that we have more public scrutiny on the document development, a ballot should be unnecessary.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tom said that he had been expecting a ballot and was preparing to review the document once the ballot was announced.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>It was agreed that any revisions to the lifecycle document could await the outcome of the governance deliberations.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Gerv and Eddy agreed to endorse Ben’s motion to move the document to public review.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>8. Qualified CSPs<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tim said that both Tom and Stephen Davidson had expressed concerns that there is (potentially) a significant number of CSPs in Europe to whom the Baseline Requirements may apply, and who may not even be aware of the BRs’ existence.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tim said that any CSP in the Mozilla program should be aware as a result of Kathleen Wilson’s communication. Tom said that he could also contact members of Microsoft’s program and make them aware of the existence and relevance of the Baseline Requirements.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tom said that he would also make his embedding partners aware of the Forum’s upcoming Meeting 26.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>10. MITM with bogus certificates<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Yngve said that he has posted an article on recent uses of malware to perform MITM attacks.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-US><a href="http://my.opera.com/securitygroup/blog/2012/05/16/suspected-malware-performs-man-in-the-middle-attack-on-secure-connections">http://my.opera.com/securitygroup/blog/2012/05/16/suspected-malware-performs-man-in-the-middle-attack-on-secure-connections</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>11. Non-member contributions<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tim pointed out that there exist some anomalies in our handling of non-member contributions. 1. We have indicated that current members who don’t sign the IPR agreement ahead of Meeting 26 should not plan to attend, yet we have invited non-members to attend. 2. The point of application of the IPR obligation is the 60-day review period, but non-members who have made a contribution may no longer be active at that time.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Ben and Jeremy agreed to provide a short notice indicating the expectation that contributions be identified as encumbered where that is the case. The notice would be added to the notices that are currently attached to the agenda, to the anti-trust statement read out at the beginning of in-person meetings, and to a boilerplate slide for inclusion in non-members’ presentations.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>12. Luxembourg audit scheme and EV<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Tim recapped his understanding of the audit scheme in Luxembourg as described by ILNAS. ILNAS is a public institution that audits private CSPs in Luxembourg. They are (apparently) self-accrediting. This precise situation is not contemplated in the BR and EV Audit Requirements. If the CSP had been a public-sector operation, then it would have been allowed. ILNAS has asked if their EV audit of a private-sector CSP (LuxTrust) would be acceptable to the CAB Forum.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Two suggestions were considered: 1. We could ask LuxTrust to become a member of the Forum and make a proposal to modify the EV Guidelines to accommodate their situation. 2. We could recommend that LuxTrust approach each of the embedding programs with a request that their situation be allowed. Then the embedding programs would make a proposal to modify the EV Guidelines accordingly. It was decided to take the latter approach. Tim agreed to contact Nick Pope and ask him to put this to ILNAS.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>13. Use of the "public" list<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>There was some discussion about which topics should be discussed on the public mail list and which on the private mail list. The Governance working group was asked to consider the question and provide guidance within their governance proposals.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>It was decided that the agenda and minutes of teleconferences and other meetings would be circulated on the public list, but teleconference dial-in details would be available only on the members-only Wiki.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>14. Any other business<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Eddy brought up the question of EV certificates and the need to identify the German state. It was agreed that German states should be treated in a manner similar to US states.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Eddy said that he had attempted to contact a member concerning a non-conformant certificate that they had issued. He had not received a reply. He wondered when it would be appropriate to escalate. It was agreed that researchers should (as Eddy has done) contact the relevant CA whenever a non-conformance is discovered. The researcher should use his or her own discretion in deciding when to escalate. But, that escalation could take the form of posting the certificate in the “Observed Problems” section of the Wiki.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>John E asked for clarification concerning the requirements for signing the IPR Agreement and exclusion notice. Tim said that, for continuity of membership, the deadline for submission of both is 7 June. John pointed out that those who miss the deadline will be required to make a royalty-free grant without exclusions.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>15. Next meeting<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>7 June.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>T: +1 613 270 3183<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></div></body></html>