<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Georgia",serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-family:"Georgia",serif'>Published!<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'>-- <br>Jos Purvis (</span><a href="mailto:jopurvis@cisco.com"><span style='font-size:9.0pt;font-family:Consolas;color:#954F72'>jopurvis@cisco.com</span></a><span style='font-size:9.0pt;font-family:Consolas;color:black'>)<br>.:|:.:|:. cisco systems | Cryptographic Services<br>PGP: 0xFD802FEE07D19105 | Controls and Trust Verification</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Public <public-bounces@cabforum.org> on behalf of CA/B Forum Public List <public@cabforum.org><br><b>Reply-To: </b>"Dimitris Zacharopoulos (HARICA)" <dzacharo@harica.gr>, CA/B Forum Public List <public@cabforum.org><br><b>Date: </b>Tuesday, September 8, 2020 at 5:26 AM<br><b>To: </b>CA/B Forum Public List <public@cabforum.org><br><b>Subject: </b>[SUSPICIOUS] [cabfpub] Final minutes of CA/B Forum call August 20, 2020<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Final Minutes of the CA/B Forum Meeting<o:p></o:p></p><p class=MsoNormal>2020-08-20<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Present:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Amanda Mendieta (Apple)<o:p></o:p></p><p class=MsoNormal>Andrea Holland (SecureTrust)<o:p></o:p></p><p class=MsoNormal>Andreas Hentschel (D-TRUST)<o:p></o:p></p><p class=MsoNormal>Ben Wilson (Mozilla)<o:p></o:p></p><p class=MsoNormal>Bruce Morton (Entrust Datacard)<o:p></o:p></p><p class=MsoNormal>Clint Wilson (Apple)<o:p></o:p></p><p class=MsoNormal>Corey Bonnell (SecureTrust)<o:p></o:p></p><p class=MsoNormal>Chris Kemmerer (SSL.com)<o:p></o:p></p><p class=MsoNormal>Curt Spann (Apple)<o:p></o:p></p><p class=MsoNormal>Daniela Hood (GoDaddy)<o:p></o:p></p><p class=MsoNormal>Dean Coclin (Digicert)<o:p></o:p></p><p class=MsoNormal>Doug Beattie (GlobalSign)<o:p></o:p></p><p class=MsoNormal>Dustin Hollenback (Microsoft)<o:p></o:p></p><p class=MsoNormal>Hazhar Ismail (MSC Trustgate)<o:p></o:p></p><p class=MsoNormal>Inaba Atsushi (GlobalSign)<o:p></o:p></p><p class=MsoNormal>Joanna Fox (GoDaddy)<o:p></o:p></p><p class=MsoNormal>Jos Purvis (Cisco Systems)<o:p></o:p></p><p class=MsoNormal>Karina Sirota (Microsoft)<o:p></o:p></p><p class=MsoNormal>Kirk Hall (Entrust Datacard)<o:p></o:p></p><p class=MsoNormal>Mads Henriksveen (Buypass AS)<o:p></o:p></p><p class=MsoNormal>Mayur Manchanda (Visa)<o:p></o:p></p><p class=MsoNormal>Michelle Coon (OATI)<o:p></o:p></p><p class=MsoNormal>Neil Dunbar (TrustCor Systems)<o:p></o:p></p><p class=MsoNormal>Niko Carpenter (SecureTrust)<o:p></o:p></p><p class=MsoNormal>Patrick Nohe (GlobalSign)<o:p></o:p></p><p class=MsoNormal>Pedro Fuentes (OISTE Foundation)<o:p></o:p></p><p class=MsoNormal>Rae Ann Gonzales (Godaddy)<o:p></o:p></p><p class=MsoNormal>Robin Alden (Sectigo)<o:p></o:p></p><p class=MsoNormal>Ryan Sleevi (Google)<o:p></o:p></p><p class=MsoNormal>Stephen Davidson (Digicert)<o:p></o:p></p><p class=MsoNormal>Tim Callan (Sectigo)<o:p></o:p></p><p class=MsoNormal>Tim Hollebeek (Digicert)<o:p></o:p></p><p class=MsoNormal>Tobias Josefowitz (Opera Software AS)<o:p></o:p></p><p class=MsoNormal>Trevoli Ponds-White (Amazon)<o:p></o:p></p><p class=MsoNormal>Wayne Thayer (Mozilla)<o:p></o:p></p><p class=MsoNormal>Wendy Brown (US Federal PKI Management Authority)<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>1. Roll Call<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The Roll Call was taken.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>2. Read Antitrust Statement<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The Antitrust statement was read.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>3. Review Agenda<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Dimitris still being on vacation, Dean chaired this meeting.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The agenda was accepted with no modifications. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>4. Approval of minutes from last teleconference<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The minutes were approved.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>5. Forum Infrastructure Subcommittee update<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Jos provided the update. The subcommittee met on the 12th August.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Password reminders have been removed from the list, following requests from<o:p></o:p></p><p class=MsoNormal>some participants that this be done. Jos asked to be notified if those<o:p></o:p></p><p class=MsoNormal>reminders are still being received. The team are still reviewing the various<o:p></o:p></p><p class=MsoNormal>lists to ensure this feature has been turned off.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Forum Infrastructure is now tracking GitHub IDs as part of the repository<o:p></o:p></p><p class=MsoNormal>management, in the Google Docs spreadsheet of membership. This is being done<o:p></o:p></p><p class=MsoNormal>to allow validation of pull requests against the repository. Jos noted that<o:p></o:p></p><p class=MsoNormal>not everyone's GitHub ID looks like their name, thus it is advantageous to be<o:p></o:p></p><p class=MsoNormal>able to recognize the identity of the pull requestor.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>A password solution is now online, and the team is busy moving things like<o:p></o:p></p><p class=MsoNormal>saved list server and infrastructure passwords into that tool. The team will<o:p></o:p></p><p class=MsoNormal>work with the various committee chairs and vice chairs to ensure that they <o:p></o:p></p><p class=MsoNormal>have access to the solution.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The subcommittee completed a review of the GitHub account and organization<o:p></o:p></p><p class=MsoNormal>and has removed a number of people who are no longer part of the CA/B Forum. <o:p></o:p></p><p class=MsoNormal>Jos believes that they are down to members and interested parties now. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Wayne renamed the "master" branch of the GitHub repository to "main", as part<o:p></o:p></p><p class=MsoNormal>of the ongoing industry trend to remove that kind of language. No difficulties<o:p></o:p></p><p class=MsoNormal>have been observed stemming from the rename, but Jos did say that if<o:p></o:p></p><p class=MsoNormal>parties are having any difficulties it might be useful to check if the renamed<o:p></o:p></p><p class=MsoNormal>branch could be the source of any problem.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The subcommittee also discussed a proposal to separate out the GitHub<o:p></o:p></p><p class=MsoNormal>repository to separate documents owned by each working group. At the moment,<o:p></o:p></p><p class=MsoNormal>all documents exist within a single repository, meaning that if a working<o:p></o:p></p><p class=MsoNormal>group needs changes to the documents for which they are responsible, that<o:p></o:p></p><p class=MsoNormal>change needs to be approved by the whole Github organization, and the<o:p></o:p></p><p class=MsoNormal>changes are against the same repository as the EV Guidelines, the Baseline<o:p></o:p></p><p class=MsoNormal>Requirements, or even the Bylaws.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The proposal is that there would be a repository for the Bylaws, one for<o:p></o:p></p><p class=MsoNormal>the Server Certificate Working Group which would cover the EV Guidelines and<o:p></o:p></p><p class=MsoNormal>the Baseline Requirements, one for the Code Signing Working Group, one for<o:p></o:p></p><p class=MsoNormal>the S/MIME Working Group, and another which would cover tools like document<o:p></o:p></p><p class=MsoNormal>templates and graphics to be shared amongst the others. This proposal is <o:p></o:p></p><p class=MsoNormal>still under examination - there would need to be rules established for managing<o:p></o:p></p><p class=MsoNormal>the Github repositories, rules for merges, and rules for adding users to roles<o:p></o:p></p><p class=MsoNormal>within the repository and so on. This proposal is expected to integrate these<o:p></o:p></p><p class=MsoNormal>rules as some sort of ballot, but probably not as an update to the Bylaws, but<o:p></o:p></p><p class=MsoNormal>rather a separate document.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Jos reiterated his offer of GitHub training - he has had a few requests for<o:p></o:p></p><p class=MsoNormal>training, and if people want answers to questions like "What is Github?", "how<o:p></o:p></p><p class=MsoNormal>does Git work?", Jos is happy to put something together if those interested<o:p></o:p></p><p class=MsoNormal>would let him know.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>6. Code Signing Working Group update<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Dean provided the update.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The combined document has been voted in, which is currently in the IPR review<o:p></o:p></p><p class=MsoNormal>period. In the past call, the working group reviewed the many emails which have<o:p></o:p></p><p class=MsoNormal>been submitted in the last six months regarding additions, changes and corrections<o:p></o:p></p><p class=MsoNormal>to the document. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The group has a list of items which are being maintained on the group Google<o:p></o:p></p><p class=MsoNormal>Drive. The link is in the Code Signing Working Group minutes, so anyone can<o:p></o:p></p><p class=MsoNormal>follow that link to see what is being worked on. Dean said that the link will<o:p></o:p></p><p class=MsoNormal>be in the minutes of the call from last Thursday, which should be out shortly.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>This list shows the status and disposition of each of the items being considered,<o:p></o:p></p><p class=MsoNormal>as well as what the group thinks should be done to address each issue.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The group is about half way through the list; some of the items are relatively<o:p></o:p></p><p class=MsoNormal>easy to fix; some require more input and study. For such items requiring input<o:p></o:p></p><p class=MsoNormal>and study, the group will be inviting specialists and other experts to help<o:p></o:p></p><p class=MsoNormal>sort through the list. Dean stated that there has been good progress, with some<o:p></o:p></p><p class=MsoNormal>excellent participation by a diverse group covering a global audience, who<o:p></o:p></p><p class=MsoNormal>have worked on, and continue to work on, addressing those issues.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The next meeting of the Code Signing Working Group will be next Thursday [27<o:p></o:p></p><p class=MsoNormal>September 2020].<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>7. S/MIME Working Group update<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Stephen provided the update.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The S/MIME Certificate Working Group met yesterday [Wednesday 19 August 2020].<o:p></o:p></p><p class=MsoNormal>This was the third meeting of the group.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Some new members have been added, including a certificate consumer, being an<o:p></o:p></p><p class=MsoNormal>email gateway provided called Zertificon. A Swiss university has asked to join<o:p></o:p></p><p class=MsoNormal>as an interested party. The group continues to look for interested members of<o:p></o:p></p><p class=MsoNormal>the community to join.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The group has started the discussion on S/MIME certificate profiles, similar<o:p></o:p></p><p class=MsoNormal>to the work performed in other working groups, going through the fields one by<o:p></o:p></p><p class=MsoNormal>one, looking at known, existing standards and requirements, such as the Mozilla<o:p></o:p></p><p class=MsoNormal>Root Store Policy, or the GMail policy, or the US Federal PKI Certificate Policy.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>This is a useful exercise in rapidly converging on the common ground which<o:p></o:p></p><p class=MsoNormal>exists, but is leading to a more detailed discussion on what the use cases <o:p></o:p></p><p class=MsoNormal>are for S/MIME, which may be more varied than individual providers in the<o:p></o:p></p><p class=MsoNormal>chain might have formed a view upon. Stephen said the group is making good<o:p></o:p></p><p class=MsoNormal>progress, and continues to invite parties with knowledge of relevant standards<o:p></o:p></p><p class=MsoNormal>and policies to submit them to the group; at the same time welcoming<o:p></o:p></p><p class=MsoNormal>additional participants to join. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The next meeting of the S/MIME Certificate Working Group is Wednesday, 2 September<o:p></o:p></p><p class=MsoNormal>2020.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>8. Elections update<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Dean said that Dimitris had sent out an email on August 17, stating that the<o:p></o:p></p><p class=MsoNormal>nominations for Officers of the CA/B Forum is now open, and those nominations<o:p></o:p></p><p class=MsoNormal>remain open through the 23rd. Dean noted that this was interesting, as the wiki says that<o:p></o:p></p><p class=MsoNormal>the nominations are open through the 31st. He was unsure of which was correct.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Dimitris has asked people to post nominations on the wiki, which is different to<o:p></o:p></p><p class=MsoNormal>how it has been done in the past, which was to post to the mailing list. On the<o:p></o:p></p><p class=MsoNormal>wiki page there are nominations for the position of CA/B Forum Chair, Server<o:p></o:p></p><p class=MsoNormal>Certificate Working Group Chair and the Code Signing Working Group Chair.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>At the moment, it shows Dean's name as candidate for CA/B Forum Chair. For<o:p></o:p></p><p class=MsoNormal>Server Certificate, Wayne Thayer has declined nomination, so an open spot remains<o:p></o:p></p><p class=MsoNormal>for that position. For Code Signing, Bruce Morton gets an automatic nomination<o:p></o:p></p><p class=MsoNormal>unless he declines. Those being the positions, Dean asks that people seriously<o:p></o:p></p><p class=MsoNormal>consider nominating themselves, other people at their companies or other candidates,<o:p></o:p></p><p class=MsoNormal>if they think those people would be suitable for these <o:p></o:p></p><p class=MsoNormal>two year positions. Dean would like to see a good level of participation from<o:p></o:p></p><p class=MsoNormal>the global CA/B Forum membership. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Tim (Hollebeek) added a quick observation that anyone nominating another should<o:p></o:p></p><p class=MsoNormal>seek the permission of that party to be nominated first. Tim noted that a couple<o:p></o:p></p><p class=MsoNormal>of years ago, someone got nominated by surprise, and this was an unfortunate<o:p></o:p></p><p class=MsoNormal>case which shouldn't be repeated. Dean concurred.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Dean said that only the three Chair positions are open now - the Vice Chair positions<o:p></o:p></p><p class=MsoNormal>open in October.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>9. Any Other Business<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>There was no other business.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>10. Adjourn<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The meeting was adjourned and will reconvene on September 3, 2020 at 11:30 am Eastern Time<o:p></o:p></p></div></body></html>