<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks Steve. I’ll definitely add this to the record. All the best. Tim.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"> Steve Roylance [mailto:steve.roylance@globalsign.com]
<br>
<b>Sent:</b> Friday, May 25, 2012 11:03 AM<br>
<b>To:</b> Tim Moses<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Notes of meeting, CAB Forum, 24 May 2012, Version 1<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black">Hi Tim.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black">In the AOB section, I also raised the subject of retention of Personally Identifiable Information. Within both the EV and BR guidelines the CABForum mandates times
to store information beyond the expiry of a certificate. Given that under BR SSL certificates 'may' be purchased by individuals and noting that individuals may already be somehow involved in face-to-face meetings or investigation by a CA during the vetting
process, then we need to be mindful of current and future European Regulations such that we don't unnecessarily burden CAs with requirements that could be deemed incompatible with legislation. It's not one for immediate discussion and possibly not one for
the next F2F, but maybe one for the meeting beyond that, especially if we could aim to locate a guest speaker knowledgeable on the subject.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black">I don't feel it's necessary to up-issue the meeting minutes for this item, but please feel free to add if any other changes are necessary.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black">Steve<o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black"><o:p> </o:p></span></p>
</div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">Tim Moses &lt;<a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a>&gt;<br>
<b>Date: </b>Friday, 25 May 2012 15:10<br>
<b>To: </b>CABFPub &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt;<br>
<b>Subject: </b>[cabfpub] Notes of meeting, CAB Forum, 24 May 2012, Version 1<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Arial','sans-serif';color:black"><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:black">Notes of meeting<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">CAB Forum<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">24 May 2012<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Version 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">1. Present<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tim Moses, Ben Wilson, Wayne Thayer, Atsushi Inaba, Brad Hill, Jeremy Rowley, Dean Coclin, Eddy Nigg, Kirk Hall, Robin Alden, Bruce Morton, Mads Henriksveen, Sissel Hoel, Gerv Markham, Geoff Keating, Carsten Dahlenkamp,
Rick Andrews, Chris Bailey, Tom Albertson, Sid Stamm, Wendy Brown, Ryan Sleevi, Renne Rodriguez, Yngve Pettersen, Chris Palmer, John Johansen, Steve Roylance, Ryan Hurst, Simon Labram, Phill Hallem-Baker, Bill Madell, John Espinosa, Tom Ritter<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">2. Agenda review<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Eddy asked that requirements for the inclusion of the German “state” in an EV certificate be discussed under Item 14.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">3. Minutes of meetings on 10 May<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">The minutes were accepted as published.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">4. Ballots status<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Ballot 72 is open. Ballot 74 opens later today.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Yngve said that he has circulated a motion to address the BR issues that were assigned to him. He is seeking endorsers.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tim said that he, too, has circulated a motion for BR Issue 14 and is seeking endorsers.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">5. Gjovik agenda, logistics and RSVP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Mads has provided logistical information for Meeting 26 in Gjovik.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><a href="https://www.cabforum.org/wiki/Face-to-face%20meeting%20calendar">https://www.cabforum.org/wiki/Face-to-face%20meeting%20calendar</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">He requests that those who plan to attend let him know as soon as possible.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">The meeting agenda is also posted there. Tim asked that members review the draft agenda and identify topics for inclusion.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">6. Process for IPR Agreement submission<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tim said that the deadline for submitting executed IPR agreements (for continuity of membership) was 7 June. Eleven members have submitted to date.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Jeremy said that he felt the motion for Ballot 67 was unclear. Dean said that his legal adviser told him that it could be interpreted as allowing 120 days from the effective date for submission of exclusion notices.
Tim disagreed. He said that he thought the motion was clear, and that 60 days was the allowed period. Jeremy said that nothing important would be lost by extending the period. Tim said that the result of a formal ballot could only be overturned by another
formal ballot. If such ballot were to complete before 7 June, it would have to be announced today.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Wayne asked whether, in light of Entrust’s exclusion notice, there would be a Patent Advisory Group. Tim said that he believed that to be the case. He said that that should be determined once the 7 June deadline
had passed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">7. Options for governance reform<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Chris P said that the Governance working group was almost ready to return the discussion to the Forum as a whole. There are four complete proposals; those from PayPal, Microsoft, DigiCert and TrendMicro. The
next step was to post the proposals on cabforum.org.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Brad said that the TrendMicro proposal mischaracterizes the content of the submissions that have been received concerning problems with the current organization and procedures. He asked that, if it is to be posted
in such a way that rebuttal is not feasible, then it should limit itself to a description of the proposal. Kirk disagreed. He said that, if he were to make the requested changes, he would expect the other proposals to similarly remove any criticism of the
Forum’s operations to date.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Brad agreed to send Kirk a revised version of the TrendMicro proposal for his consideration. Dean said that Kirk will simply reject Brad’s version. Brad said that an alternative approach would be to publish all
the discussion related to the proposals. The issue was returned to the Governance working group for further discussion and resolution.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tim asked about the next step. He voiced a concern that to simply put multiple proposals to the vote may not produce a result that fairly reflects the members’ views.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Chris P said that he foresaw more discussion taking place within the Forum membership on the individual elements of the decision process as laid out by Jeremy in his summary of progress to date. This will probably
result in refined/combined proposals. It was also agreed that the working group would meet one more time and that it would consider the question of how to get to _one_ proposal from the current four.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">7. The way forward for the network security project<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Ben said that the Network Requirements document was ready for public review. There was some discussion about whether this step should be approved by ballot. It seems clear that our lifecycle process demands this.
Jeremy said that, now that we have more public scrutiny on the document development, a ballot should be unnecessary.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tom said that he had been expecting a ballot and was preparing to review the document once the ballot was announced.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">It was agreed that any revisions to the lifecycle document could await the outcome of the governance deliberations.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Gerv and Eddy agreed to endorse Ben’s motion to move the document to public review.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">8. Qualified CSPs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tim said that both Tom and Stephen Davidson had expressed concerns that there is (potentially) a significant number of CSPs in Europe to whom the Baseline Requirements may apply, and who may not even be aware of
the BRs’ existence.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tim said that any CSP in the Mozilla program should be aware as a result of Kathleen Wilson’s communication. Tom said that he could also contact members of Microsoft’s program and make them aware of the existence
and relevance of the Baseline Requirements.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tom said that he would also make his embedding partners aware of the Forum’s upcoming Meeting 26.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">10. MITM with bogus certificates<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Yngve said that he has posted an article on recent uses of malware to perform MITM attacks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color:black"><a href="http://my.opera.com/securitygroup/blog/2012/05/16/suspected-malware-performs-man-in-the-middle-attack-on-secure-connections">http://my.opera.com/securitygroup/blog/2012/05/16/suspected-malware-performs-man-in-the-middle-attack-on-secure-connections</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">11. Non-member contributions<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tim pointed out that there exist some anomalies in our handling of non-member contributions. 1. We have indicated that current members who don’t sign the IPR agreement ahead of Meeting 26 should not plan to attend,
yet we have invited non-members to attend. 2. The point of application of the IPR obligation is the 60-day review period, but non-members who have made a contribution may no longer be active at that time.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Ben and Jeremy agreed to provide a short notice indicating the expectation that contributions be identified as encumbered where that is the case. The notice would be added to the notices that are currently attached
to the agenda, to the anti-trust statement read out at the beginning of in-person meetings, and to a boilerplate slide for inclusion in non-members’ presentations.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">12. Luxembourg audit scheme and EV<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Tim recapped his understanding of the audit scheme in Luxembourg as described by ILNAS. ILNAS is a public institution that audits private CSPs in Luxembourg. They are (apparently) self-accrediting. This precise
situation is not contemplated in the BR and EV Audit Requirements. If the CSP had been a public-sector operation, then it would have been allowed. ILNAS has asked if their EV audit of a private-sector CSP (LuxTrust) would be acceptable to the CAB Forum.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Two suggestions were considered: 1. We could ask LuxTrust to become a member of the Forum and make a proposal to modify the EV Guidelines to accommodate their situation. 2. We could recommend that LuxTrust approach
each of the embedding programs with a request that their situation be allowed. Then the embedding programs would make a proposal to modify the EV Guidelines accordingly. It was decided to take the latter approach. Tim agreed to contact Nick Pope and ask
him to put this to ILNAS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">13. Use of the "public" list<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">There was some discussion about which topics should be discussed on the public mail list and which on the private mail list. The Governance working group was asked to consider the question and provide guidance
within their governance proposals.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">It was decided that the agenda and minutes of teleconferences and other meetings would be circulated on the public list, but teleconference dial-in details would be available only on the members-only Wiki.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">14. Any other business<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Eddy brought up the question of EV certificates and the need to identify the German state. It was agreed that German states should be treated in a manner similar to US states.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Eddy said that he had attempted to contact a member concerning a non-conformant certificate that they had issued. He had not received a reply. He wondered when it would be appropriate to escalate. It was agreed
that researchers should (as Eddy has done) contact the relevant CA whenever a non-conformance is discovered. The researcher should use his or her own discretion in deciding when to escalate. But, that escalation could take the form of posting the certificate
in the “Observed Problems” section of the Wiki.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">John E asked for clarification concerning the requirements for signing the IPR Agreement and exclusion notice. Tim said that, for continuity of membership, the deadline for submission of both is 7 June. John
pointed out that those who miss the deadline will be required to make a royalty-free grant without exclusions.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">15. Next meeting<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">7 June.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">T: +1 613 270 3183<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>