<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma",sans-serif;}
p.Default, li.Default, div.Default
{mso-style-name:Default;
margin:0in;
margin-bottom:.0001pt;
text-autospace:none;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle28
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle29
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1460998000;
mso-list-type:hybrid;
mso-list-template-ids:-356329220 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><b><span style='color:#1F497D'>Final Minutes <o:p></o:p></span></b></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>Attendees: Atsushi Inaba, Ben Wilson, Bruce Morton, Burak Kalkan, Connie Enke, Dean Coclin, Dimitris Zacharopoulos, Gervase Markham, Jeremy Rowley, Kirk Hall, Li-Chun Chen, Marcelo Silva, Mat Caughron, Moudrick Dadashov, Patrick Tronnier, Peter Bowen, Peter Miscovic, Rich Smith, Rick Andrews, Robin Alden, Sigjborn Vik, Tim Hollebeek, Tim Shirley, Tyler Myers, Volkan Nergiz, Wayne Thayer<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Antitrust Statement Read by Kirk<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Roll Call completed<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Agenda Reviewed. Guest speaker on LV certificates could not attend.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Minutes of 10 December meeting: The minutes were approved and will be sent to the public list.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Policy Working Group Ballot Status: Ben posted a proposed ballot for Section 4 of the BRs and is discussing it on the list. A minor comment from Sig was mentioned and agreed to by the ballot endorsers. Ben will circulate an update. Section 5.1 will be the next ballot (160). The working group will be discussing section 5.2 next. Dean noted an email comment from Ryan Sleevi had not been addressed and Ben said he would look for it. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Proposed “LV” Certificates: Jeremy said that we should come up with a better way of deprecating things that need to be deprecated. The recent SHA-1 experience highlights this. Although the LV cert proposal probably won’t pass, it does illustrate the need for a better way for deprecation. Dean said the proponents of LV published some information but follow-up questions from Peter Bowen asking for additional details were never provided. Peter’s data showed that 7.5% of Mozilla connections were not coming from NSS (Peter’s call connection dropped while talking). Jeremy said he will communicate this to the proponents but doesn’t believe they will push it further. Jeremy continued by saying this process was painful for many. Dean commented that he saw Mozilla was rolling back a change they instituted on SHA-1 as proof that it’s not easy. Jeremy suggested that we move this topic to a working group, likely the Policy WG. But he wasn’t sure what<span style='color:#1F497D'> </span>algorithm migration topic would come up next. Rick said it could be towards NIST/NSA “quantum-resistant” key sizes (i.e. RSA 3072 and ECC 256), as an example. Dean thought the “internal name” issue was handled well, with less complaints, possibly because it was well documented and a timeline was agreed to by all. <o:p></o:p></p><p class=MsoListParagraph><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>7.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Proposed Mis-Issuance ballot: Sig gave an update on the proposed ballot. The intention is to get mis-issuance out in the open as he believes this will increase the overall security of the ecosystem. The goal is to get the info out there, the details don’t have to be perfect. Dean mentioned a concern that came from a UK partner about SSL certs they issue for the UK tax authority which contain some private info (this was brought up several months ago) and asked Gerv if he had looked into it. Gerv thought the issue was resolved a while ago. Peter B said the ballot should be changed and a new mailing list should be created for reporting purposes. A discussion about having this in individual root store requirements vs. the BRs ensued. Kirk said there was one reason in favor of that. If it is in the BRs, and the CA doesn’t report it, then the CA should fail its next WebTrust audit. Whereas if it’s simply a Browser root program requirement, it’s not an automatic WebTrust failure and the browsers can decide the appropriate penalty without failing the audit. Sig said that doesn’t really matter as the root store will still decide what to do in either case. Jeremy agreed with Kirk, in that the root program rules is a better place. The CA/B Forum isn’t in the business of reporting issues or a repository as we are more of a standards body. Rick said Microsoft’s root policy says you have to disclose mis-issuance (not defined) to Microsoft. Jeremy said that is good because a discussion with the root program can be had to determine if it needs to be disclosed. Mat said clarity should be made in what needs to be disclosed. Apple would also weigh a failed audit heavily. Dean clarified that there hasn’t been a “failed” audit. Rather there are “findings” that are disclosed to the browsers which decide what action, if any, they want to take. Jeremy said this is called a “qualified audit”. Mat said they are in favor of more reporting rather than less. Jeremy agreed but said that this reporting should be to the browsers not the forum. Mat agreed. Dean said, as a corollary, during the development of the code signing BRs, there was discussion about having the forum be the repository for the “bad actors” list but that idea was turned down as the forum is not in the business of managing such a list. Sig said the intent is to make the disclosure public instead of a CA publishing something “hidden” that wouldn’t necessarily be seen and that the Forum is a nice mechanism for that. Peter said the Forum is really a standards group and isn’t the right place for this. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>8.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Discussion of “generic names”: Dean said the context is the creation of an intermediate CA and the rules in the BRs surrounding this. One of the rules is that the names cannot be generic. Peter gave an example in an email of a name, “Admin-Root” which would be considered generic and wouldn’t be allowed. Dean asked about “Admin-Root-CA GmbH” since it could be a registered name in Germany. Dean believes the rule was instituted so that relying parties could find out who the issuer of the cert is and hence a registered name would allow for that. Jeremy said as further context, if a CA operated a sub CA for Company A within the CA’s infrastructure, then you might want to indicate this in the cert. Peter said the way the BRs read, it could also be a trademark. Shouldn’t be an issue for something that can pass standard OV validation. A discussion on trademark names ensued. Kirk agreed with Peter that as long as it’s a registered trademark, it should be ok, as long as it’s not misleading. He also said it’s up to CAs to turn down customer requests if the CA feels it doesn’t meet the rules and if they are not comfortable with it. Perhaps a revision to this section is necessary to include only Org validated names. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>9.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>PAG Status: Ben said a ballot will be coming on the new IPR policy with an effective date of 1 February. The ballot will give companies 30 days to sign the agreement and 60 days to disclose patents. Peter said he had not seen the pre-ballot. Ben said he will circulate it again. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>10.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Validation WG Update: Kirk said a call is scheduled for next week. He will send out some info to the working group in preparation for the meeting. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>11.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Code Signing WG Update: Dean reviewed the ballot results. The working group respects the vote of the forum but is not disbanding. A meeting is planned for next week to discuss other options for the work product. The forum will be updated once the working group comes up with a plan. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>12.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Policy WG Update: No further update.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>13.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Information Sharing WG Update: The CyberSecurity Act of 2015 passed and was signed the US President. It provides liability protection for sharing information. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>14.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Other Business: Scottsdale meeting: all attendees should book hotels on their own with information provided on the wiki. If you are unable to book online, then call the hotel directly. Please continue to sign up on the wiki. We have about 25 participants signed up so far. <o:p></o:p></p><p class=MsoListParagraph><o:p> </o:p></p><p class=MsoListParagraph>Dates for Bilbao meeting: Dean sent out an expanded poll for Bilbao dates. The week of May 17<sup>th</sup> seems to be the new favorite. Dean will confirm before the next call. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>15.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Next teleconference scheduled for January 21st<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>16.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Meeting Adjourned<o:p></o:p></p></div></body></html>