<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body vlink="#954F72" link="#0563C1" lang="EN-US">
<div class="WordSection1">
<p class="MsoNormal">Final Minutes of the CA/B Forum Meeting<o:p></o:p></p>
<p class="MsoNormal">2020-08-20<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Present:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Amanda Mendieta (Apple)<o:p></o:p></p>
<p class="MsoNormal">Andrea Holland (SecureTrust)<o:p></o:p></p>
<p class="MsoNormal">Andreas Hentschel (D-TRUST)<o:p></o:p></p>
<p class="MsoNormal">Ben Wilson (Mozilla)<o:p></o:p></p>
<p class="MsoNormal">Bruce Morton (Entrust Datacard)<o:p></o:p></p>
<p class="MsoNormal">Clint Wilson (Apple)<o:p></o:p></p>
<p class="MsoNormal">Corey Bonnell (SecureTrust)<o:p></o:p></p>
<p class="MsoNormal">Chris Kemmerer (SSL.com)<o:p></o:p></p>
<p class="MsoNormal">Curt Spann (Apple)<o:p></o:p></p>
<p class="MsoNormal">Daniela Hood (GoDaddy)<o:p></o:p></p>
<p class="MsoNormal">Dean Coclin (Digicert)<o:p></o:p></p>
<p class="MsoNormal">Doug Beattie (GlobalSign)<o:p></o:p></p>
<p class="MsoNormal">Dustin Hollenback (Microsoft)<o:p></o:p></p>
<p class="MsoNormal">Hazhar Ismail (MSC Trustgate)<o:p></o:p></p>
<p class="MsoNormal">Inaba Atsushi (GlobalSign)<o:p></o:p></p>
<p class="MsoNormal">Joanna Fox (GoDaddy)<o:p></o:p></p>
<p class="MsoNormal">Jos Purvis (Cisco Systems)<o:p></o:p></p>
<p class="MsoNormal">Karina Sirota (Microsoft)<o:p></o:p></p>
<p class="MsoNormal">Kirk Hall (Entrust Datacard)<o:p></o:p></p>
<p class="MsoNormal">Mads Henriksveen (Buypass AS)<o:p></o:p></p>
<p class="MsoNormal">Mayur Manchanda (Visa)<o:p></o:p></p>
<p class="MsoNormal">Michelle Coon (OATI)<o:p></o:p></p>
<p class="MsoNormal">Neil Dunbar (TrustCor Systems)<o:p></o:p></p>
<p class="MsoNormal">Niko Carpenter (SecureTrust)<o:p></o:p></p>
<p class="MsoNormal">Patrick Nohe (GlobalSign)<o:p></o:p></p>
<p class="MsoNormal">Pedro Fuentes (OISTE Foundation)<o:p></o:p></p>
<p class="MsoNormal">Rae Ann Gonzales (Godaddy)<o:p></o:p></p>
<p class="MsoNormal">Robin Alden (Sectigo)<o:p></o:p></p>
<p class="MsoNormal">Ryan Sleevi (Google)<o:p></o:p></p>
<p class="MsoNormal">Stephen Davidson (Digicert)<o:p></o:p></p>
<p class="MsoNormal">Tim Callan (Sectigo)<o:p></o:p></p>
<p class="MsoNormal">Tim Hollebeek (Digicert)<o:p></o:p></p>
<p class="MsoNormal">Tobias Josefowitz (Opera Software AS)<o:p></o:p></p>
<p class="MsoNormal">Trevoli Ponds-White (Amazon)<o:p></o:p></p>
<p class="MsoNormal">Wayne Thayer (Mozilla)<o:p></o:p></p>
<p class="MsoNormal">Wendy Brown (US Federal PKI Management
Authority)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">1. Roll Call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Roll Call was taken.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2. Read Antitrust Statement<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Antitrust statement was read.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3. Review Agenda<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dimitris still being on vacation, Dean
chaired this meeting.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The agenda was accepted with no
modifications. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4. Approval of minutes from last
teleconference<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The minutes were approved.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">5. Forum Infrastructure Subcommittee update<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jos provided the update. The subcommittee met
on the 12th August.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Password reminders have been removed from the
list, following requests from<o:p></o:p></p>
<p class="MsoNormal">some participants that this be done. Jos
asked to be notified if those<o:p></o:p></p>
<p class="MsoNormal">reminders are still being received. The team
are still reviewing the various<o:p></o:p></p>
<p class="MsoNormal">lists to ensure this feature has been turned
off.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Forum Infrastructure is now tracking GitHub
IDs as part of the repository<o:p></o:p></p>
<p class="MsoNormal">management, in the Google Docs spreadsheet of
membership. This is being done<o:p></o:p></p>
<p class="MsoNormal">to allow validation of pull requests against
the repository. Jos noted that<o:p></o:p></p>
<p class="MsoNormal">not everyone's GitHub ID looks like their
name, thus it is advantageous to be<o:p></o:p></p>
<p class="MsoNormal">able to recognize the identity of the pull
requestor.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">A password solution is now online, and the
team is busy moving things like<o:p></o:p></p>
<p class="MsoNormal">saved list server and infrastructure
passwords into that tool. The team will<o:p></o:p></p>
<p class="MsoNormal">work with the various committee chairs and
vice chairs to ensure that they <o:p></o:p></p>
<p class="MsoNormal">have access to the solution.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The subcommittee completed a review of the
GitHub account and organization<o:p></o:p></p>
<p class="MsoNormal">and has removed a number of people who are no
longer part of the CA/B Forum. <o:p></o:p></p>
<p class="MsoNormal">Jos believes that they are down to members
and interested parties now. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Wayne renamed the "master" branch of the
GitHub repository to "main", as part<o:p></o:p></p>
<p class="MsoNormal">of the ongoing industry trend to remove that
kind of language. No difficulties<o:p></o:p></p>
<p class="MsoNormal">have been observed stemming from the rename,
but Jos did say that if<o:p></o:p></p>
<p class="MsoNormal">parties are having any difficulties it might
be useful to check if the renamed<o:p></o:p></p>
<p class="MsoNormal">branch could be the source of any problem.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The subcommittee also discussed a proposal to
separate out the GitHub<o:p></o:p></p>
<p class="MsoNormal">repository to separate documents owned by
each working group. At the moment,<o:p></o:p></p>
<p class="MsoNormal">all documents exist within a single
repository, meaning that if a working<o:p></o:p></p>
<p class="MsoNormal">group needs changes to the documents for
which they are responsible, that<o:p></o:p></p>
<p class="MsoNormal">change needs to be approved by the whole
Github organization, and the<o:p></o:p></p>
<p class="MsoNormal">changes are against the same repository as
the EV Guidelines, the Baseline<o:p></o:p></p>
<p class="MsoNormal">Requirements, or even the Bylaws.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The proposal is that there would be a
repository for the Bylaws, one for<o:p></o:p></p>
<p class="MsoNormal">the Server Certificate Working Group which
would cover the EV Guidelines and<o:p></o:p></p>
<p class="MsoNormal">the Baseline Requirements, one for the Code
Signing Working Group, one for<o:p></o:p></p>
<p class="MsoNormal">the S/MIME Working Group, and another which
would cover tools like document<o:p></o:p></p>
<p class="MsoNormal">templates and graphics to be shared amongst
the others. This proposal is <o:p></o:p></p>
<p class="MsoNormal">still under examination - there would need to
be rules established for managing<o:p></o:p></p>
<p class="MsoNormal">the Github repositories, rules for merges,
and rules for adding users to roles<o:p></o:p></p>
<p class="MsoNormal">within the repository and so on. This
proposal is expected to integrate these<o:p></o:p></p>
<p class="MsoNormal">rules as some sort of ballot, but probably
not as an update to the Bylaws, but<o:p></o:p></p>
<p class="MsoNormal">rather a separate document.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jos reiterated his offer of GitHub training -
he has had a few requests for<o:p></o:p></p>
<p class="MsoNormal">training, and if people want answers to
questions like "What is Github?", "how<o:p></o:p></p>
<p class="MsoNormal">does Git work?", Jos is happy to put
something together if those interested<o:p></o:p></p>
<p class="MsoNormal">would let him know.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">6. Code Signing Working Group update<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dean provided the update.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The combined document has been voted in,
which is currently in the IPR review<o:p></o:p></p>
<p class="MsoNormal">period. In the past call, the working group
reviewed the many emails which have<o:p></o:p></p>
<p class="MsoNormal">been submitted in the last six months
regarding additions, changes and corrections<o:p></o:p></p>
<p class="MsoNormal">to the document. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The group has a list of items which are being
maintained on the group Google<o:p></o:p></p>
<p class="MsoNormal">Drive. The link is in the Code Signing
Working Group minutes, so anyone can<o:p></o:p></p>
<p class="MsoNormal">follow that link to see what is being worked
on. Dean said that the link will<o:p></o:p></p>
<p class="MsoNormal">be in the minutes of the call from last
Thursday, which should be out shortly.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This list shows the status and disposition of
each of the items being considered,<o:p></o:p></p>
<p class="MsoNormal">as well as what the group thinks should be
done to address each issue.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The group is about half way through the list;
some of the items are relatively<o:p></o:p></p>
<p class="MsoNormal">easy to fix; some require more input and
study. For such items requiring input<o:p></o:p></p>
<p class="MsoNormal">and study, the group will be inviting
specialists and other experts to help<o:p></o:p></p>
<p class="MsoNormal">sort through the list. Dean stated that there
has been good progress, with some<o:p></o:p></p>
<p class="MsoNormal">excellent participation by a diverse group
covering a global audience, who<o:p></o:p></p>
<p class="MsoNormal">have worked on, and continue to work on,
addressing those issues.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The next meeting of the Code Signing Working
Group will be next Thursday [27<o:p></o:p></p>
<p class="MsoNormal">September 2020].<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">7. S/MIME Working Group update<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stephen provided the update.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The S/MIME Certificate Working Group met
yesterday [Wednesday 19 August 2020].<o:p></o:p></p>
<p class="MsoNormal">This was the third meeting of the group.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Some new members have been added, including a
certificate consumer, being an<o:p></o:p></p>
<p class="MsoNormal">email gateway provided called Zertificon. A
Swiss university has asked to join<o:p></o:p></p>
<p class="MsoNormal">as an interested party. The group continues
to look for interested members of<o:p></o:p></p>
<p class="MsoNormal">the community to join.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The group has started the discussion on
S/MIME certificate profiles, similar<o:p></o:p></p>
<p class="MsoNormal">to the work performed in other working
groups, going through the fields one by<o:p></o:p></p>
<p class="MsoNormal">one, looking at known, existing standards and
requirements, such as the Mozilla<o:p></o:p></p>
<p class="MsoNormal">Root Store Policy, or the GMail policy, or
the US Federal PKI Certificate Policy.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This is a useful exercise in rapidly
converging on the common ground which<o:p></o:p></p>
<p class="MsoNormal">exists, but is leading to a more detailed
discussion on what the use cases <o:p></o:p></p>
<p class="MsoNormal">are for S/MIME, which may be more varied than
individual providers in the<o:p></o:p></p>
<p class="MsoNormal">chain might have formed a view upon. Stephen
said the group is making good<o:p></o:p></p>
<p class="MsoNormal">progress, and continues to invite parties
with knowledge of relevant standards<o:p></o:p></p>
<p class="MsoNormal">and policies to submit them to the group; at
the same time welcoming<o:p></o:p></p>
<p class="MsoNormal">additional participants to join. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The next meeting of the S/MIME Certificate
Working Group is Wednesday, 2 September<o:p></o:p></p>
<p class="MsoNormal">2020.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">8. Elections update<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dean said that Dimitris had sent out an email
on August 17, stating that the<o:p></o:p></p>
<p class="MsoNormal">nominations for Officers of the CA/B Forum is
now open, and those nominations<o:p></o:p></p>
<p class="MsoNormal">remain open through the 23rd. Dean noted that
this was interesting, as the wiki says that<o:p></o:p></p>
<p class="MsoNormal">the nominations are open through the 31st. He
was unsure of which was correct.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dimitris has asked people to post nominations
on the wiki, which is different to<o:p></o:p></p>
<p class="MsoNormal">how it has been done in the past, which was
to post to the mailing list. On the<o:p></o:p></p>
<p class="MsoNormal">wiki page there are nominations for the
position of CA/B Forum Chair, Server<o:p></o:p></p>
<p class="MsoNormal">Certificate Working Group Chair and the Code
Signing Working Group Chair.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At the moment, it shows Dean's name as
candidate for CA/B Forum Chair. For<o:p></o:p></p>
<p class="MsoNormal">Server Certificate, Wayne Thayer has declined
nomination, so an open spot remains<o:p></o:p></p>
<p class="MsoNormal">for that position. For Code Signing, Bruce
Morton gets an automatic nomination<o:p></o:p></p>
<p class="MsoNormal">unless he declines. Those being the
positions, Dean asks that people seriously<o:p></o:p></p>
<p class="MsoNormal">consider nominating themselves, other people
at their companies or other candidates,<o:p></o:p></p>
<p class="MsoNormal">if they think those people would be suitable
for these <o:p></o:p></p>
<p class="MsoNormal">two year positions. Dean would like to see a
good level of participation from<o:p></o:p></p>
<p class="MsoNormal">the global CA/B Forum membership. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tim (Hollebeek) added a quick observation
that anyone nominating another should<o:p></o:p></p>
<p class="MsoNormal">seek the permission of that party to be
nominated first. Tim noted that a couple<o:p></o:p></p>
<p class="MsoNormal">of years ago, someone got nominated by
surprise, and this was an unfortunate<o:p></o:p></p>
<p class="MsoNormal">case which shouldn't be repeated. Dean
concurred.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dean said that only the three Chair positions
are open now - the Vice Chair positions<o:p></o:p></p>
<p class="MsoNormal">open in October.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">9. Any Other Business<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There was no other business.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">10. Adjourn<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The meeting was adjourned and will reconvene
on September 3, 2020 at 11:30 am Eastern Time<o:p></o:p></p>
</div>
</body>
</html>