<div dir="ltr">Do you want me to post these to the website?<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 24, 2023 at 12:08 AM Dimitris Zacharopoulos (HARICA) via Public &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p class="MsoNormal">These are the approved Minutes of the
Teleconference described in the subject of this message, prepared
by Andrea Holland (VikingCloud).</p>
<p class="MsoNormal"><b>Forum Meeting: January 5, 2023</b></p>
<p class="MsoNormal"><b>Attendance (in alphabetical order):</b></p>
<p class="MsoNormal">Aaron Gable (ISRG), Aaron Poulsen (Amazon Trust
Services), Adam Jones (Microsoft), Andrea Holland (VikingCloud),
Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton
(Entrust), Chris Clements (Google Chrome), Chris Kemmerer
(SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey
Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert),
Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft),
Ellie (TrustAsia), Enrico Entschew (D-TRUST), Eva Van Steenberge
(GlobalSign), Fumi Yoneda (JPRS), Hazhar Ismail (MSC Trustgate),
Inigo Barreira (Sectigo), Jamie Mackey (FPKI), Janet Hines
(VikingCloud), Joanna Fox (TrustCor), Jos Purvis (Fastly), Karina
Sirota Goodley (Microsoft), Kiran Tummala (Microsoft), Lynn Jeun
(Visa), Mads Henriksveen (Buypass), Marcelo Silva (Visa), Marco
Schambach (IdenTrust), Michelle Coon (OATI), Mrugesh Chandarana
(IdenTrust), Nargis Mannan (VikingCloud), Peter Miskovic (Disig),
Rich Smith (DigiCert), Rollin Yu (Trust Asia), Sissel Hoel
(Buypass), Stephen Davidson (DigiCert), Steve Topletz (Cisco),
Tadahiko Ito (SECOM), Tim Hollebeek (DigiCert), Tobias Josefowitz
(Opera), Trevoli Ponds-White (Amazon Trust Services), Wayne Thayer
(Fastly), Wendy Brown (FPKI), Yoshiro Yoneya (JPRS)</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><b><u>Minutes</u></b></p>
<ol style="margin-top:0in" type="1" start="1">
<li> <b>Roll called</b></li>
<li> <b>Antitrust statement read</b></li>
<li> <b>Reviewed Agenda</b></li>
<li> <b>Approval of minutes</b>: December 29<sup>th</sup>
meeting minutes approved</li>
<li> <b>Forum Infrastructure Subcommittee</b> – Jos P.</li>
</ol>
<ul style="margin-top:0in" type="disc">
<li style="margin-left:0in"> Did not meet last week, no significant updates</li>
<li style="margin-left:0in"> Working on migration to new wiki which involves archiving
the existing wiki and pulling items from there into the new wiki</li>
<li style="margin-left:0in"> Will be posting details and invitations to the management
list</li>
</ul>
<ol style="margin-top:0in" type="1" start="6">
<li> <b>Code Signing Certificate Working Group</b> – Dean C.
and Bruce M.</li>
</ol>
<ul style="margin-top:0in" type="disc">
<li style="margin-left:0in"> Did not meet last week, no significant updates</li>
<li style="margin-left:0in"> Continuing to work on ballot for cert revocation due to
malware, signing service requirements and removing TLS BR
references from CS BRs</li>
</ul>
<ol style="margin-top:0in" type="1" start="7">
<li> <b>S/MIME Certificate Working Group</b> – Dean C., Corey
B., Inigo B., Dimitris Z.</li>
</ol>
<ul style="margin-top:0in" type="disc">
<li style="margin-left:0in"> IPR period finished for the new BRs</li>
<li style="margin-left:0in"> Discussion on auditors developing audit criteria for the
new requirements. WebTrust is aware and will do further
discussions during their Toronto meeting</li>
<li style="margin-left:0in"> CAA discussion in IETF’s LAMPS WG, general support for
adopting draft proposal for CAA for S/MIME </li>
<li style="margin-left:0in"> Stephen also had some errata for future updates; he is
generating GitHub issues for these minor issues</li>
</ul>
<ol style="margin-top:0in" type="1" start="8">
<li> <b>NetSec Working Group</b> – Clint W.</li>
</ol>
<ul style="margin-top:0in" type="disc">
<li style="margin-left:0in"> Did not meet last week</li>
<li style="margin-left:0in"> Continued discussion around the separation of concepts of
offline vs air gapped vs unpowered HSMs and key materials to
make sure the BRs clearly address the differences</li>
<li style="margin-left:0in"> Organization of NSRs to provide better introduction of
NSRs without changing the goals but language to describe the
intent of the various sections and components</li>
<li style="margin-left:0in"> Trev P.: Issues with the meeting; it looked to be
cancelled</li>
<ul style="margin-top:0in" type="circle">
<li style="margin-left:0in"> Clint W.: Wiki has latest calendar invite for the
meeting</li>
<li style="margin-left:0in"> Dimitris Z.: Same issue with forum calendar invite. An
alias was created, so that whenever there is a change in chair
positions only the password needs to be reset. This allows for
management of the invitations without needing to create a new
series of meetings. This would be a good idea for other
meetings as well. But for WebEx, the best way to cancel the
meetings is through the UI so all registrants get the notice.</li>
</ul>
<li style="margin-left:0in"> GitHub Approvals </li>
<ul style="margin-top:0in" type="circle">
<li style="margin-left:0in"> Dimitris Z.: Each WG has its own repository with review
and approval from Chair and Vice Chair</li>
<li style="margin-left:0in"> Jos P.: A Code owner’s file exists in each of the
repositories for each of the working groups. To publish
anything to the main branch of that repository (to formally
update the BRs) requires two people to approve and one must be
on the code owners list. So if someone wants to make a change,
they go through the balloting process and then the chair
approves the update and it requires another person for
approval for sanity purposes to add to the main branch. At the
moment only the Chair and Vice Chair can approve, so if either
of them is out (especially for a long period) then we cannot
get approval. If for instance, the Chair does the pull
request, then the Chair cannot approve those changes and there
is only one person, the Vice Chair, able to approve. There is
no guidance or formal policy in this instance. </li>
<li style="margin-left:0in"> Dimitris Z.: That is the only corner case. If someone
else (not the Chair or Vice Chair) does the pull request, then
there are two people available to approve.</li>
<li style="margin-left:0in"> Jos P.: Yes, that could be one workaround, making sure
neither the Chair nor Vice Chair does the pull request. Another
idea is to leave the previous Chair and Vice Chair in the
approvers group for use only in the corner case. </li>
<li style="margin-left:0in"> Dimitris Z.: The bylaws are clear on who does the
change and it's either the chair or the vice chair. So, if we
want to consider the GitHub repository as a normative, um, for
the documents, I think we need to find a workaround that
absolutely requires one of the Chair or Vice Chair to perform
an action there.</li>
<li style="margin-left:0in"> Aaron G.: The difference is between who can approve and
who can merge. A larger group of people could perform the
code review effectively, but only the Chair or Vice Chair is
allowed to click the merge button. We limit it so that only the
Chair or Vice Chair can merge to the repository, so we remain
within the bylaws.</li>
<li style="margin-left:0in"> Tim H.: I agree with that. I think we're fine with the
bylaws as long as the Chair/Vice Chair is the one actively
making the change; they can ask whoever they want for review.
The bylaws don't say anything about who needs to review the
change. I don't like the idea of giving any weight to
previous chairs as we have moved on from previous chairs.</li>
<li style="margin-left:0in"> Dimitris Z.: Aaron’s proposal is great. Any comments on
that?</li>
<li style="margin-left:0in"> Jos P.: That would be fine. Anybody can do any of the
work and it'll be a four-eyes approval process, but only the
Chair/Vice Chair can actually merge the code.</li>
<li style="margin-left:0in"> Dimitris Z.: Aaron can work with Jos to make the
changes. </li>
</ul>
</ul>
<ol style="margin-top:0in" type="1" start="9">
<li> <b>Any Other</b></li>
</ol>
<ul style="margin-top:0in" type="disc">
<li style="margin-left:0in"> Dean C.: F2F has guest speaker lined up to discuss BGP
hijacking and requested to have an additional person join with
knowledge on the subject. They will be sharing the same
timeslot.</li>
<li style="margin-left:0in"> Dimitris Z.: No objections.</li>
<li style="margin-left:0in"> Dimitris Z.: Other F2F </li>
<ul style="margin-top:0in" type="circle">
<li style="margin-left:0in"> June 6-8 in Redmond, WA hosted by Microsoft</li>
<li style="margin-left:0in"> Sept/Oct in Portsmouth, NH hosted by GlobalSign</li>
</ul>
</ul>
<ol style="margin-top:0in" type="1" start="10">
<li> <b>Next Meeting</b>: Jan 19<sup>th</sup> with Ben Wilson
for minutes</li>
<li> <b>Adjourned</b></li>
</ol>
</div>
</blockquote></div>