<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Notes of meeting<o:p></o:p></p>
<p class="MsoNormal">CAB Forum<o:p></o:p></p>
<p class="MsoNormal">12 July 2012<o:p></o:p></p>
<p class="MsoNormal">Version 1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">1. Present<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim Moses, Ben Wilson, Wayne Thayer, Atsushi Inaba, Brad Hill, Dean Coclin, Eddy Nigg, Kirk Hall, Bruce Morton, Mads Henriksveen, Gerv Markham, Geoff Keating, Rick Andrews, Renne Rodriguez, Yngve Pettersen, Simon Labramm, Phill Hallem-Baker,
Stephen Davidson, Scott Rea<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2. Agenda review<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It was agreed to discuss the Network Security project as part of item 10. Otherwise, the agenda was approved as published.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3. Minutes of meetings on 21 and 26-28 June<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The minutes were approved as published.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4. Ballots status<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that Ballots 69 and 79 were in their review periods.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">5. Meeting calendar<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that the date of Meeting 27 has been confirmed: 25-26 Sep 2012 in New Jersey, US, as guests of Comodo. The 27 Sep is reserved for a meeting of the Revocation Working Group.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Gerv has offered to host Meeting 28 in Mountain View, US. Gerv said that 6-7 and 13-14 Feb 2013 were available. Tim said that he would run a poll to decide between the two choices.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dean said that he believes he will be able to offer a location for Meeting 29, either in Reading, UK or Munich, Germany. He is also looking at other facilities. Gerv suggested early June would be suitable timing. Dean expected to have
more definitive information in time for our next meeting.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">6. Civil code<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that he had circulated a proposal on this topic on 27 June. He wanted to confirm that the members really did want the chair to police decorum in Forum meetings and mail-lists. He said that the notion of a “sanction” had raised
eye-brows. So, perhaps, mention of that should be removed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim asked members to confirm that we should make a statement up-front that there is a standard of civility expected of our contributors. Ben said that it is a good idea. We could also rely on self-policing off-list. Tim said that other
members may not know whether action was being taken and they may just choose to disengage. However, an official approach does not preclude informal and private approaches.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yngve said that, in really bad cases, the IETF has withdrawn posting privileges. Tim said that he thought this would be such an unlikely contingency that we don’t need a plan for it.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ben said that he has an Acceptable Use Policy. It may form a suitable starting place. Tim reminded Ben that the Wiki already includes a section on “professional conduct”.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that he would update the existing Wiki section.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">7. Luxembourg accreditation scheme<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that LuxTrust has asked for our opinion on their plan for achieving EV recognition. LuxTrust has been advised that the plan may not be accepted by the CABForum. Tim said that Maurice Schubert of LuxTrust had called him and sent
details of their plan, which Tim had forwarded to the mail list. Tim said that he thought that the plan was sound, although a little unusual in that the auditor is not contracted by LuxTrust, but by ILNAS, the Luxembourg supervisory body.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yngve said that Hungary is in a similar situation. He is presently evaluating whether this meets their requirements. He is inclined to accept it, but a firm decision has yet to be made.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stephen said that when the audit is paid for by the supervisor of qualified certificates, it may be slanted towards their concerns. Tim said that LuxTrust claims that the audit will be conducted against ETSI TS 102 042 EVCP+. Stephen
said that QuoVadis’s ETSI audit focuses on the requirements of the national scheme for which the audit is being conducted.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yngve said that guidance from Tom Albertson and Kathleen Wilson should be sought. Tim said that he would get back to LuxTrust advising them to seek guidance from Mozilla and Microsoft.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">8. IPR Revisions<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that discussions were on-going. Ben said that the outstanding issues include: blanket exclusion (no consensus); essential claim (minor change); disclosure (dependent upon governance changes and the involvement of non-members);
individual versus corporate commitment; licensing (no big issues); applications and granted patents (when do commitments kick in); and new members.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">9. Ballot 69<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that, in announcing the ballot, he had thought that views had converged. Clearly, given the discussions in the last week, misunderstandings remain. While there are strong voices on both sides that “may” be irreconcilable, we
should allow the discussion to continue in order to judge whether a solution acceptable to all can be found.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that his choice of an effective date had been arbitrary and (as we’ve discussed previously) a poor one, given the range of religious and secular holidays that occur throughout the world at the end of the calendar year. Therefore,
it should not be considered immutable.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dean said that there seems to be some uncertainty about the purpose and benefits of the proposal, so more discussion would be beneficial. He agreed that withdrawal or extension of the voting period would be worthwhile.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim asked about the asymmetry in the proposal, in that it places a requirement on the CAs that has no effect unless the browsers decide to modify their behaviour, yet there is no requirement on the browsers, merely a feeling that they may
wish to make use of the policy information at some time in the future. Does this philosophy make sense? Or, should the CAs refuse to change unless a corresponding commitment comes from the browsers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Rick said that he did not accept the premise that the CAs, acting together, cannot cause change by the browsers. Somehow, the CAs got the browsers to agree on how to validate an EV certificate. He said that it is hard to sell to his product
managers that we should make a change without a clear understanding of the benefit it provides. Tim said that, at this point, we just have Google saying that this information should be available from the certificate.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ben recognized the concern. He said that the CAs could list and prioritize their requests for changes in browser behaviour in order to ensure that we are pushing for the most valuable new functionality. If we “recommend” that CAs include
the reserved identifiers there may come a time when it will be straightforward to make it a requirement. Ben said that he recognizes the value of using an “industry” identifier.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Eddy said that it makes sense to have an industry identifier for each certificate type (including EV). While browsers are not currently required to take account of the information, there may be other relying parties that do make use of
the information. CAs may also have their own identifiers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ben said that this is not intended to deprecate DV. Wayne said that if we are tracking adherence to the Baseline Requirements, then there should be an identifier for BR, not for DV and OV. There is a significant difference between vetting
for an organization and vetting for an individual. So (if anything) there should be an identifier for IV. He said that the way it is currently written the motion is not acceptable to him.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that the motion does allow a CA to include the reserved identifier for BR (on later examination, this turned out to be wrong; this option had been left out of the motion by mistake). Wayne asked why we wouldn’t just leave out
the DV and OV identifiers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Eddy asked if we really want to demote OV certificates to the level of DV. There is a big difference between the two validation requirements. Wayne said that there are other ways to tell whether a certificate is a DV, OV or IV. He suggested
that we use three identifiers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that IV has been allocated a policy identifier in the motion. There was confusion on this point.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ben suggested that we modify the motion as Wayne proposed (separate identifiers for DV, OV and IV) and to address Rick’s concern about implementation timeframe.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Scott said that, to be consistent, we should have a fourth identifier, for EV. Tim said five: BR, DV, EV, IV and OV. Eddy said that this would make the BR identifier redundant. Ben suggested considering a proposal for allocating policy
identifiers before returning to consider this motion.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that there is definitely confusion about what the motion says and which parts of it (if any) are flexible. He said that he would withdraw the motion, expecting the discussion to continue.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">10. BR Issues list<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ben said that he received comments from Mads. Mads characterized the changes as minor. Ben said that he will work with endorsers to craft a suitable motion. He thought that Robin Alden had expressed willingness to endorse. Rick said
that he would be willing to work on the motion.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim said that we had set ourselves a deadline of June 2012 for publishing v1.1. Clearly, we have missed that. But, we have approved three errata.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yngve said that he has one endorsement on two ballot issues (5 and 7). He has a second indication for issue 5. Ben said that the sticking point for issue 5 has been the question of “monitoring” and what the CA would be required to do.
He recommends that we change the MUST to SHOULD. Then monitoring would be viewed as a “best practice”. Yngve said that he prefers MUST because a request for the status of an unknown certificate would be the earliest indication of that type of compromise.
However, he said that he could live with a SHOULD.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim wondered whether there was a way to indicate that CAs should plan for this (probably) becoming mandatory in the future. Yngve said that he would expect the Network Security document to include a requirement for monitoring. Ben said
that this was a possibility. However, the question remained as to whether this interface would be exploited in a DoS attack. Yngve agreed that this was a possibility. Tim summarized: there was agreement to change the wording to SHOULD. He asked people
to consider endorsing Yngve’s motion. Tim asked Yngve to update the Wiki with the latest version of the proposal.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">11. Any other business<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dean asked if there is on-going discussion of the governance issue. Tim said that the motion should be balloted as soon as the membership is stable (i.e. on 1 Aug). Dean asked if the voting scheme is clear. Tim said that if someone feels
strongly about the inclusion of the status quo in the first round, then they need to take action.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">12. Next meeting<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">26 July.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">T: +1 613 270 3183<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>