<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Here are the final minutes of F2F#60.<br>
<br>
<br>
Dimitris Zacharopoulos<br>
CA/B Forum Chair<br>
<br>
<br>
------- BEGIN FINAL F2F #60 CA/B Forum Plenary Meeting minutes
------- <br>
<br>
<h1 class="break-text" id="bkmrk-page-title">Meeting 60 minutes</h1>
<h1 id="bkmrk-cabf-face-to-face-me">CABF Face-to-Face Meeting 60:
Day 1 October 3, 2023</h1>
<p id="bkmrk-these-are-draft-minu">THESE ARE DRAFT MINUTES</p>
<h2 id="bkmrk-ca%2Fbrowser-forum-mee">CA/Browser Forum level Meeting</h2>
<h2 id="bkmrk-attendance">Attendance</h2>
<p id="bkmrk-aaron-gable---%28let%27s">Aaron Gable - (Let's
Encrypt), Aaron Poulsen - (Amazon), Abhishek Bhat - (eMudhra),
Adam Jones - (Microsoft), Adrian Mueller - (SwissSign), Adriano
Santoni - (Actalis S.p.A.), Aleksandra Kurosz (Asseco Data Systems
S.A.), Andrea Holland - (VikingCloud), Andreas Henschel (D-Trust),
Aneta Wojtczak-Iwanicka - (Microsoft), Anna-Marie Christian
(WebTrust / CPA Canada), Antti Backman - (Telia Company), Arno
Fiedler - (ETSI), Arnold Essing (Telekom Security), Arvid Vermote
- (GlobalSign), Ben Wilson - (Mozilla), Brianca Martin - (Amazon),
Brittany Randall - (GoDaddy), Bruce Morton - (Entrust), Chris
Clements - (Google), Christophe Bonjean - (GlobalSign), Clemens
Wanko - (ACAB'c / TUV Austria), Clint Wilson - (Apple), Corey
Bonnell - (DigiCert), Corey Rasmussen -
(OATI), Daryn Wright - (GoDaddy), Dave Chin - (CPA
Canada/WebTrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos -
(HARICA), Don Sheehy (WebTrust), Doug Beattie - (GlobalSign),
Ellie Lu - (TrustAsia Technologies Inc.), Enrico Entschew
(D-Trust), Eva Vansteenberge - (GlobalSign), Hannah Sokol -
(Microsoft), Hogeun Yoo - (NAVER Cloud), Ian McMillan -
(Microsoft), Inaba Atsushi - (GlobalSign), Inigo Barreira -
(Sectigo), Janet Hines - (VikingCloud), Jeremy Rowley -
(DigiCert), Joanna Fox - (TrustCor Systems), Jochem van den Berge
- (Logius PKIoverheid), John Mason (Microsoft), John Sarapata
(Google Trust Services), Joseph Ramm - (OATI), Jozef Nigut -
(Disig), Kateryna Aleksieieva - (Asseco Data Systems SA (Certum)),
Keshava Nagaraju - (eMudhra), Kiran Tummala - (Microsoft), Leo
Grove (SSL.com), Li-Chun Chen (ChungHwa Telecom), Lynn Jeun -
(Visa), Mads Henriksveen - (Buypass AS), Marcelo Silva - (Visa),
Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo),
Michael Guenther - (SwissSign), Michael Slaughter - (Amazon),
Michelle Coon - (OATI), Mohit Kumar (GlobalSign), Nargis Mannan -
(VikingCloud), Nate Smith - (GoDaddy), Naveen Kumar - (eMudhra),
Nicol So - (CommScope), Nikolaos Soumelidis (QMSCERT), Nitesh
Bakliwal (Microsoft), Paul van Brouwershaven - (Entrust), Pedro
Fuentes - (OISTE Foundation), Pekka Lahtiharju - (Telia Company),
Raffaela Achermann - (SwissSign), Rebecca Kelley - (Apple), Rich
Kapushinski - (CommScope), Rob Brand (Ministry of Economic Affairs
and climate Policy (NL)), Rob Stradling - (Sectigo), Rollin Yu -
(TrustAsia Technologies Inc.), Roman Fischer (SwissSign AG), Ryan
Dickson - (Google), Scott Rea - (eMudhra), Sissel Hoel - (Buypass
AS), Stephen Davidson - (DigiCert), Steven Deitte - (GoDaddy),
Sven Rajala - (Keyfactor), Tadahiko Ito - (SECOM Trust Systems),
Tim Callan (Sectigo), Tim Crawford - (CPA Canada/WebTrust), Tim
Hollebeek (DigiCert), Tobias Josefowitz - (Opera Software AS), Tom
Zermeno (SSL.com), Trevoli Ponds-White - (Amazon), Tsung-Min Kuo -
(Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha - (eMudhra),
Wayne Thayer - (Fastly), Wen-Chun Yang (ChungHwa Telecom), Wendy
Brown - (US Federal PKI Management Authority), Xiu Lei - (GDCA).</p>
<h3 id="bkmrk-approval-of-cabf-min">Approval of CABF Minutes from
last teleconference</h3>
<p id="bkmrk-leader%3A-dean-coclin-"><strong>Leader:</strong>
Dimitris Zacharopoulos (HARICA)<br>
</p>
<p id="bkmrk-prior-minutes-were-n">Minutes were approved.<br>
</p>
<h3 id="bkmrk-future-face-to-face-">Future face to face meeting
schedule<br>
</h3>
<p id="bkmrk-leader%3A-dean-coclin--1"><strong>Leader:</strong> <span
class="author-a-ez72z1pz122z3iz69zz89zz76z4z65zz71zihq">Dimitris
Zacharopoulos (HARICA)</span> <br>
<strong>Presentation link: </strong><a
href="https://cabforum.org/wp-content/uploads/1-CABF_Future-meetings.pdf"
class="moz-txt-link-freetext" moz-do-not-send="true">https://cabforum.org/wp-content/uploads/1-CABF_Future-meetings.pdf</a></p>
<div aria-live="assertive" id="bkmrk-spring-2024-meeting-"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy">Spring
2024 meeting will be hosted by eMudhra in New Delhi, India</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-summer-2024-meeting-"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy">Summer
2024 meeting will be hosted by Actalis in Bergamo, Italy</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-fall-2024-meeting-wi"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy">Fall
2024 meeting will be hosted by Amazon in Seattle, WA</span></li>
</ul>
</div>
<p id="bkmrk-discussion-outside-t"><strong>Discussion outside the
presentation:</strong> No further discussion.</p>
<h3 id="bkmrk-infrastructure-subco">Forum Infrastructure
Subcommittee</h3>
<p id="bkmrk-leader%3A-jos-purvis-%28-1"><strong>Leader:</strong>
Jos Purvis (Fastly), Ben Wilson (Mozilla) <br>
<strong>Minutes:</strong> Tim Callan (Sectigo)<br>
<strong>Presentation link:</strong> No presentation</p>
<p id="bkmrk-discussion-minutes%3A"><strong>Discussion minutes:<br>
</strong></p>
<div aria-live="assertive" id="bkmrk-jos-purvis-%28fastly%29%3A"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos
Purvis (Fastly):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-jos-thanks-the-g" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Jos thanks the guest speaker for being flexible in schedule.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-jos-raises-the-q" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Jos raises the question of how the Wiki is going for everyone.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-1"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul-van-brouwershav"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul
van Brouwershaven (Entrust):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-when-we-first-pr" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
When we first previewed the wiki, it was very well organized.
But now in production I'm having trouble finding things.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-we-also-tend-to-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
We also tend to find earlier drafts and I don't know if this is
real work or something that is being accidentally drafted.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-2"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-have-gotten-th" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I have gotten that impression as well. It has been bumpier than
we thought. Some aspects got better but other things got
harder.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-3"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-dimitris-zacharopoul"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Dimitris
Zacharopoulos (Harica):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i%27m-also-having-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I'm also having some difficulty finding things. I'm also having
trouble understanding the terminology and structure of the new
wiki. Perhaps some instructions for working group chairs, etc.
might be helpful.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-for-today-i-want" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
For today I wanted to add a page for the minutes, and I didn't
know if I should create a page or put it under another page or
what.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-4"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A-1" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-each-particular-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Each particular wiki is opinionated about how it thinks your
info should be laid out. In the initial evaluation, the
structure seemed to make sense, but the more we have rearranged,
we are running into friction with how it thinks it should be
laid out. If it's creating more work than it's solving, then
it's not a helpful tool.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-would-rather-b" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I would rather back up a step and consider a different tool than
trying to adjust everyone's thinking to a different way of
laying out information. I think maybe this hasn't been the
right tool.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-5"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-dimitris%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Dimitris:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-maybe-it%27s-not-t" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Maybe it's not the tool. Maybe people don't know how to
organize and use it.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-6"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-clint-wilson-%28apple%29"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Clint
Wilson (Apple):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-overall-it%27s-a-l" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Overall it's a lot easier to actually work in the editor. The
main issue I have is finding stuff that was in the old wiki.
But maybe it's more about documentation of the wiki and how to
use it and structure it. Not as far as a style guide, but
something to help.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-7"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-looking-at-meeti" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Looking at meetings, there are 142 pages in Records. When I go
to face to face meetings, it sends me to face to face meetings
calendar. It seems like we have</span> <span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">a
tree structure in th</span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">e</span><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
left, but it seems like we're missing some information there. And
we have a tree structure at the top that doesn't make sense.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-perhaps-the-temp" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Perhaps the template could really be a template.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-maybe-the-tool-i" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Maybe the tool is fine but we put some effort into organization.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-8"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A-2" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-in-the-course-of" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
In the course of moving things over, maybe stuff got garbled.
It's very difficult for the old archival information not to come
up in a search. If we would find it useful, I would be happy to
write up a quick summary of how we think about information. I
think that's a good idea. We tried to dump everything to the
wiki. That didn't work well. So maybe we start with a clean
wiki with no info in it and turn it over to the committee chairs
to organize as they see fit. Migrate content, and create
new content as they see fit.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-9"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-aaron-poulsen-%28amazo"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Aaron
Poulsen (Amazon):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-would-love-to-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I would love to see some consistency in the wiki. I have found
navigation convoluted with the new wiki to the point where I no
longer come to the wiki for information.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-10"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A-3" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-that%27s-what-we-w" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
That's what we want to avoid.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-11"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-trevoli-ponds-white-"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Trevoli
Ponds-White (Amazon):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-something-i-alwa" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Something I always want on the wiki is a landing page for the
groups. When I left, I wanted to send messages to chairs of the
groups, and we didn't have basic stuff for most of the working
groups on the wiki with the relevant information for that WG.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-12"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A-4" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-will-commit-ne" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I will commit next meeting to talking about how the wiki thinks
about information. Let's use that as a starting point.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-13"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-trev%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Trev:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-wouldn%27t-purge" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I wouldn't purge all the content just because it's hard to
navigate.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-14"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A-5" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-will-pull-some" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I will pull something together about what it can do and how it
thinks about information so we can make better decisions.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-15"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-aaron-gable%3A"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Aaron
Gable:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-two-additional-c" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Two additional comments.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-think-we%27re-in" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I think we're in a situation where for any given item of
information there's a lack of clarity for if its true home is
the wiki or the website. Server Certificate Working Group has
pages for every ballot. Is the page on the wiki or the website
the authoritative source for that ballot? Why do we have
both? We should clarify things like that.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-we-have-a-habit-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
We have a habit of not cross linking very much. Cross linking
(and our emails) don't do that very much. Like there was a
recent email saying the agenda has been updated, but there was
no link to the meeting 60 agenda page in the wiki. There is a
culture change we can make about using links, which would make
navigation much easier.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-16"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A-6" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-very-much-agre" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I very much agree with the information hierarchy problem between
the wiki, the website, and GitHub. Where do I create things?
We could use a step back to think about what we want our
information flow to be. It's okay to say we're going to do this
function at only one place and not anywhere else.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-17"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-1" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-we-heard-a-few-s" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
We heard a few sources about where ballots can be located and
also recording votes etc. It would be valuable if we more
formally used the pull request to actually hold the ballot
language and could have approvals of code owners assigned to
that.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-18"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-aaron-p%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Aaron
P:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-jos%2C-this-isn%27t-"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Jos, this isn't easy so we really appreciate you and the team
working on this.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-19"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A-7" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-we-may-also-come" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
We may also come back with a suggestion for what we think the
information flow and hierarchy should be, to consider. This is
exactly the kind of feedback I was hoping to get today. Please
contact me or the infrastructure subcommittee if you have any
more input.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-20"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-other-pieces-on-the-"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Other
pieces on the project list include:</span></div>
<div aria-live="assertive" id="bkmrk-wayne-was-working-on"
class="ace-line">
<ul class="list-indent1">
<li><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Wayne was
working on some of the issues with email bouncing. We need
some adjustments to our setup.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-ben%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Ben:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-we-don%27t-have-an" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
We don't have anything structural on web site changes.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-21"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-jos%3A-8" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Jos:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-onboarding-instr" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Onboarding instructions were a significant project that we want
some movement around. It's a documenting-how-things-work
project that is on our slate for this next term.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-is-there-any-oth" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Is there any other new business to discuss?</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-22"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-%28no-new-business" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
(No new business is raised.)</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-dimitris%3A-1" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Dimitris:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-thanks-to-the-in" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Thanks to the infrastructure subcommittee for doing such great
work and keeping things running.</span></div>
<div aria-live="assertive" id="bkmrk-" class="ace-line"><br>
</div>
<h3 id="bkmrk-open-mic" class="ace-line" aria-live="assertive"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b">Open
Mic</span></h3>
<div aria-live="assertive" id="bkmrk-discussion-leader%3A-d"
class="ace-line"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b"><strong>Discussion
leader:</strong> <span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">Dimitris
Zacharopoulos (HARICA)</span></span></div>
<div aria-live="assertive" id="bkmrk-minutes%3A-dimitris-za"
class="ace-line"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b"><strong>Minutes:</strong></span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">
Dimitris Zacharopoulos (HARICA) &amp; Kiran Tummala (Microsoft)</span></div>
<div aria-live="assertive" id="bkmrk--1" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-%28paul%29%3A-the-cabf-is-"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">(Paul):
The CABF is usually reactive. We are missing the proactive
work. We usually do not engage in controversial topics where we
should be discussing what is making a topic controversial. Try
to set goals and what needs to be accomplished. Make documents
more readable.</span></div>
<div aria-live="assertive" id="bkmrk--2" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-asked-for-a-sp"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Clint
asked for a specific example</span></div>
<div aria-live="assertive" id="bkmrk--3" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-paul-mentioned-that-"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Paul
mentioned t</span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">hat
it would be more efficient if the forum would evaluate, for
example, the objective for proposing something such as the </span><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot">Google's </span><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">90-days</span><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot"> cert
validity proposal</span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj"> as a
collaborative effort, instead of something that is driven outside
the forum. By collaboratively looking at the issue (instead of
the solution) we create a better perspective, look at different
mitigations, and create broader support from the members.</span></div>
<div aria-live="assertive" id="bkmrk--4" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-another-example-give"
class="ace-line"><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">Another
example given by Paul is </span><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Post-Quantum</span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">.</span>
<span class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">How
is the forum going to prepare for PQC, are we going to endorse</span>
<span class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">h</span><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">ybrid</span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">/composite
certificates</span><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">? </span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">What
quantum-resistant algorithms do we select for TLS, SMIME, or
CodeSigning certificates? These might not be the same because
of the different use case and algorithm characteristics. </span><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">What
about the size of the certificates and Root Stores</span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj"> now
we also move to single purpose hierarchies, root stores are
going to become significantly larger.</span> <span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">The
impact of SCT signatures, etc. While for TLS the harvest now,
decrypt later attack can be mostly addressed in the TLS session
key-exchange (i.e., PFS), this does not protect the
client/server authentication.</span></div>
<div aria-live="assertive" id="bkmrk--5" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-paul-also-mentioned-"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Paul
also mentioned the compliance risks and audit costs when
there are standards with similar requirements, similar language
with different titles.</span></div>
<div aria-live="assertive" id="bkmrk--6" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-trev%3A-sometimes-we-c"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Trev:
Sometimes we can present problems and solutions and data to
support that.</span></div>
<div aria-live="assertive" id="bkmrk--7" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-paul-said-we-should-"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Paul
said we should present issues with concrete data, even without a
solution, and let the Forum propose solutions. We should always
talk about the problem we're trying to resolve.</span></div>
<div aria-live="assertive" id="bkmrk--8" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-tim-callan%3A-what-you"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Tim
Callan: What you get out of it is what you put in it. Members
need to bring in more issues and drive them. If it's a
reasonable issue, it will be discussed and proposals will be
presented.</span></div>
<div aria-live="assertive" id="bkmrk--9" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-trev%3A-we-need-a-high"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Trev:
We need a higher-bar for the presentations. Dig into the data
behind it and then make policy changes. We see many bugs on a
certain issue that can drive policy changes.</span></div>
<div aria-live="assertive" id="bkmrk--10" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-nitesh%3A-driving-with"
class="ace-line"><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot">Nitesh:
Driving with focus on objectives with data backing is critical,
vs. jumping to solutions directly. Another aspect that forum
should consider is to publish each year ahead goals/objectives
for each sub-workstream, to drive future looking aspects more
predictably.</span></div>
<div aria-live="assertive" id="bkmrk--11" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-dimitris%3A-if-a-membe"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Dimitris:
If a Member has an issue they want discussed but doesn't
have time to drive it, the issue should be shared with the
larger group because there might be others that face the same
issue, and perhaps another person can drive it.</span></div>
<div aria-live="assertive" id="bkmrk--12" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-share-lessons-learne"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Share
lessons learned from CAs and continuous improvement.
Presentation from ATS with important lessons learned. Share
these initiatives more broadly. Codifying these implementations
in the BRs later.</span></div>
<div aria-live="assertive" id="bkmrk--13" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-paul%3A-should-we-make"
class="ace-line"><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">Paul:
</span><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Should
we make the recordings available because of the different
geographical locations</span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj"> of
our members?</span></div>
<div aria-live="assertive" id="bkmrk--14" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-perhaps-share-on-the"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Perhaps
share on the Management List, don't share, don't store it.</span></div>
<div aria-live="assertive" id="bkmrk-start-with-a-slide-w"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Start
with a slide with the Notewell, you are not supposed to make
this public.</span></div>
<div aria-live="assertive" id="bkmrk--15" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-archival-bit%2C-after-"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Archival
bit, after some specific times.</span></div>
<div aria-live="assertive" id="bkmrk--16" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint%3A-add-the-recor"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Clint:
Add the recording and transcript to the member's tool for a
certain amount of time.</span></div>
<div aria-live="assertive" id="bkmrk--17" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-agree-to-stop-the-re"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Agree
to stop the recording when there is a confidential issue to
discuss. That topic will not be added in the minutes.</span></div>
<div aria-live="assertive" id="bkmrk--18" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-put-on-the-agenda-at"
class="ace-line"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Put
on the Agenda at the next F2F Teleconferences for action items.</span></div>
<h3 id="bkmrk-guest-speaker" class="ace-line" aria-live="assertive"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu">Guest
Speaker</span></h3>
<p id="bkmrk-presenter%3A-rob-brand"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu"><strong>Presenter:</strong>
Rob Brand - Ministry of Economic Affairs and Climate Policy (NL)
<br>
<strong>Title: </strong>Building Trust, Empowering the Digital
Economy - eIDAS Trust Services<br>
</span><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu"><strong>Presentation
link:</strong> <a
href="https://cabforum.org/wp-content/uploads/2-Guest-Speaker-231003CABForum-Presentation-NL-v1.0.pdf"
class="moz-txt-link-freetext" moz-do-not-send="true">https://cabforum.org/wp-content/uploads/2-Guest-Speaker-231003CABForum-Presentation-NL-v1.0.pdf</a><br>
<span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b"><strong>Minutes:</strong></span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">
Kiran Tummala (Microsoft)</span></span></p>
<p id="bkmrk-presentation-notes%3A"><span
class="author-a-9jz87ziz78zz81zz67z6z66zz85zz86z0z79zz86zbu"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Presentation
Notes:</span></span></p>
<div class="elementToProof" id="bkmrk-management-audit-and"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Management
Audit and Certification Process in the Netherlands:</strong></span></div>
<ul id="bkmrk-rob-discussed-a-mana">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Rob
discussed a management audit that was conducted in the
Netherlands regarding the certification process for trust
services.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">It
was noted that the supervisory body in the Netherlands did not
have the authority to provide a second opinion on the
certification process.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
process seemed less robust, leading to concerns about the
quality of trust services certification in the past.</span></li>
</ul>
<div id="bkmrk-telecommunications-a"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Telecommunications
and Digital Hack in 2011:</strong></span></div>
<ul id="bkmrk-rob-highlighted-that">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Rob
highlighted that the supervisory body's limited knowledge in
the telecommunications sector contributed to a significant
digital hack in 2011.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">A
man-in-the-middle attack with fake certificates exposed weak
security practices.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
impact was significant, affecting qualified certificates and
leading to the shutdown of government services.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">A
certification authority even went bankrupt.</span></li>
</ul>
<div id="bkmrk-security-awareness-a"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Security
Awareness and Regulatory Adjustments:</strong></span></div>
<ul id="bkmrk-after-the-2011-incid">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">After
the 2011 incident, the Netherlands took steps to increase
security awareness.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Efforts
were made to adjust regulations within Europe regarding
certificates.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Three
key areas of improvement were identified: increased security
awareness, legal improvements, and organizational measures.</span></li>
</ul>
<div id="bkmrk-role-of-the-inspecto"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Role
of the Inspector for Digital Infrastructure:</strong></span></div>
<ul id="bkmrk-a-new-supervisory-bo">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">A
new supervisory body, known as the Inspector for Digital
Infrastructure, was established in the Netherlands.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">This
body took on supervisory tasks and aimed to become a knowledge
center for trust services.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">This
development was considered a positive step in improving
oversight.</span></li>
</ul>
<div id="bkmrk-yearly-crisis-exerci"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Yearly
Crisis Exercises and Multi-Vendor Strategy:</strong></span></div>
<ul id="bkmrk-the-netherlands-init">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
Netherlands initiated yearly crisis exercises and developed a
crisis manual for digital affairs.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">A
multi-vendor strategy was implemented to avoid dependency on a
single organization in case of a disaster.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">This
strategy aimed to ensure continued government operation in the
event of a similar crisis.</span></li>
</ul>
<div id="bkmrk-impact-of-eidas-regu"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Impact
of eIDAS Regulation:</strong></span></div>
<ul id="bkmrk-the-eidas-regulation">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
eIDAS regulation was hailed as a dramatic improvement over the
previous signature directive.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">It
harmonized requirements and introduced product certification
based on standard 1765.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Auditors
could now assess systems directly, not just the management
system.</span></li>
</ul>
<div id="bkmrk-supervisory-body-ind"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Supervisory
Body Independence:</strong></span></div>
<ul id="bkmrk-the-eidas-regulation-1">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
eIDAS regulation gave supervisory bodies the autonomous
responsibility to accept or decline applications for
qualification.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Even
if a service provider met the assessment requirements, the
supervisory body could still refuse qualification based on
their assessment of the data center, enhancing oversight.</span></li>
</ul>
<div><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Government
Use of Qualified Trust Services:</strong></span></div>
<ul>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Government
organizations in the Netherlands were required to use
qualified trust services to ensure their identity and
legitimacy.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">This
requirement was seen as crucial for secure communication
within NATO and to build trust.</span></li>
</ul>
<div id="bkmrk-transition-away-from"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Transition
Away from Green Bar:</strong></span></div>
<ul id="bkmrk-the-transition-away-">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
transition away from the green bar indicator for
trustworthiness in websites had posed some challenges.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">It
was noted that the shift occurred around 2018 and continued.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Discussions
around new indicators were ongoing to maintain user
confidence.</span></li>
</ul>
<div id="bkmrk-eidas-regulation-upd"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>eIDAS
Regulation Updates and Future Considerations:</strong></span></div>
<ul id="bkmrk-the-eidas-regulation-2">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
eIDAS regulation was undergoing updates, with a target
effective date around 2024.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Specific
articles and requirements were still under negotiation.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Discussions
around uniformity, user-friendly indications, and potential
changes in root stores were being considered.</span></li>
</ul>
<div id="bkmrk-cooperation-and-glob"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Cooperation
and Global Trust:</strong></span></div>
<ul id="bkmrk-cooperation-between-" style="list-style-type: disc;">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Cooperation
between stakeholders, including browser vendors and
certificate authorities, was seen as essential.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Efforts
were made to ensure that unilateral decisions did not
jeopardize trust.</span></li>
<li class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Trust
services and their regulation were expected to play a crucial
role in the digital economy's autonomy and sovereignty.</span></li>
</ul>
<div id="bkmrk-eu-participation-in-"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>EU
Participation in the CA/Browser Forum:</strong></span></div>
<ul id="bkmrk-the-possibility-of-t">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
possibility of the EU participating more formally in the
CA/Browser Forum was discussed.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Concerns
about the requirement to sign an Intellectual Property Rights
(IPR) agreement were raised.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
need for further discussion and potential adjustments to
participation requirements was acknowledged.</span></li>
</ul>
<div id="bkmrk-future-trends%3A"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><strong>Future
Trends:</strong></span></div>
<ul id="bkmrk-trust-regulation-was">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Trust
regulation was expected to become more prevalent in various
sectors.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The
geopolitical situation and the emphasis on digital autonomy
and sovereignty were influencing trust services.</span></li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><span
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Trust
services were being viewed from a perspective of autonomy and
sovereignty.</span></li>
</ul>
<h2 id="bkmrk-browser-updates">Browser Updates</h2>
<h3 id="bkmrk-mozilla-root-program">Mozilla Root Program Update</h3>
<p id="bkmrk-leader%3A-ben-wilson-%28"><strong>Leader:</strong> Ben
Wilson (Mozilla) <br>
<strong>Minutes:</strong> Doug Beattie (GlobalSign)<br>
<strong>Presentation link:</strong> <span
class="author-a-q0sjsgjz83zb4z122zz73zmgl5 b u url"><a
href="https://cabforum.org/wp-content/uploads/2023-October-Mozilla-Browser-News.pdf"
rel="noreferrer noopener" moz-do-not-send="true"><u>https://cabforum.org/wp-content/uploads/2023-October-Mozilla-Browser-News.pdf</u></a></span><strong><br>
</strong></p>
<p id="bkmrk-discussion-outside-t-1"><strong>Discussion outside the
presentation: </strong></p>
<div aria-live="assertive" id="bkmrk-there-were-no-materi"
class="ace-line"><span
class="author-a-z66zz78zaz85z5z86zz74zyeaz74zz72zz79zafy">There
was no material discussion beyond what was presented.</span></div>
<h3 id="bkmrk-google-root-program-">Google Root Program Update</h3>
<p id="bkmrk-leader%3A-ryan-dickson"><strong>Leader:</strong> Chris
Clements & Ryan Dickson (Google Chrome) <br>
<strong>Minutes:</strong> Stephen Davidson (DigiCert) <br>
<strong>Presentation link: </strong><a
class="moz-txt-link-freetext"
href="https://cabforum.org/wp-content/uploads/5-CABF-F2F-60-Chrome-Browser-Update.pdf"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/5-CABF-F2F-60-Chrome-Browser-Update.pdf</a></p>
<p id="bkmrk-discussion-outside-t-4"><strong>Discussion outside the
presentation:</strong></p>
<p dir="ltr" id="bkmrk-1%29-chrome-root-progr">1) Chrome Root
Program Updates:</p>
<div aria-live="assertive" class="ace-line"
id="bkmrk-modern-infrastructur">
<div aria-live="assertive" class="ace-line">
<ul>
<li aria-level="1">
<p dir="ltr" role="presentation">Modern Infrastructures
Survey Background and Motivation</p>
</li>
<ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Chrome believes that
encryption makes the web more secure and protects users.
In order for encryption to provide this security
benefit, it must be consistently and reliably deployed.</p>
</li>
<li aria-level="2">
<p dir="ltr" role="presentation">Promoting modern
infrastructures enhances that consistency and
reliability - through simplicity and agility.</p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">when systems are simple
they are easier to understand, use, and manage,
leading to fewer errors and more consistent results.</p>
</li>
<li aria-level="3">
<p dir="ltr" role="presentation">when systems are agile
they can adapt to change and promote continuous
improvement and reliability - while delivering their
service.</p>
</li>
</ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Promoting Modern
Infrastructures aligns with higher-level Chrome Root
Program goals of promoting simplicity and agility. </p>
</li>
<li aria-level="2">
<p dir="ltr" role="presentation">Shared background on
“Moving Forward, Together” initiative</p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Long-term grouping of
initiatives, first introduced at F2F 55.</p>
</li>
<li aria-level="3">
<p dir="ltr" role="presentation">Non-normative, and
therefore not policy. </p>
</li>
<li aria-level="3">
<p dir="ltr" role="presentation">Shared publicly and in
advance of any corresponding implementation timelines
to identify existing and create new opportunities to
help.</p>
</li>
</ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Described a tentative,
phased approach for achieving the goals of “Moving
Forward, Together.”</p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Since MFT was first
introduced, the Chrome team has had a lot of
conversations about milestone sequencing, and coupled
with the results from this most recent survey - heard
and saw a desire for general sequencing.</p>
</li>
<ul>
<li aria-level="4">
<p dir="ltr" role="presentation">Naturally, by
conveying an ordering or phasing, stakeholders can
better prepare.</p>
</li>
<li aria-level="4">
<p dir="ltr" role="presentation">The plan presented is
tentative. The order may change as the Chrome team
collects more data, studies community feedback, and
as new threats emerge. </p>
</li>
<li aria-level="4">
<p dir="ltr" role="presentation">If during
exploration, it’s determined a goal cannot be
achieved at the stated time without significant
negative impact to the ecosystem, plans will be
adjusted. </p>
</li>
</ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Immediate focus is
support for automation and term limit for roots
included in the Chrome Root Store</p>
</li>
<ul>
<li aria-level="4">
<p dir="ltr" role="presentation">Both of these
initiatives represent a commitment to simplicity and
agility - and are fundamental for achieving many of
the other goals described in MFT. </p>
</li>
</ul>
</ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Chrome’s approach is
influenced by data collected from a number of sources to
include public tools like <a href="http://crt.sh"
moz-do-not-send="true">crt.sh</a> and Censys, results
from Chrome’s own experimentation, evaluating
peer-reviewed research, and through using CA owner
surveys. These tools help improve perspective and
predict impact of areas of exploration.</p>
</li>
</ul>
</ul>
</div>
</div>
<div aria-live="assertive" class="ace-line"
id="bkmrk-survey%2C-findings%2C-an">
<div aria-live="assertive" class="ace-line">
<ul>
<li aria-level="1">
<p dir="ltr" role="presentation">Survey, Findings, and
Themes</p>
</li>
<ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Survey background:</p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Goal: understand CA
owner perspective related to impacts of “modern
infrastructures” initiatives like term limit, reduced
certificate lifetime, reduced domain validation reuse,
etc. </p>
</li>
<li aria-level="3">
<p dir="ltr" role="presentation">100% of CA owners
responded.</p>
</li>
<ul>
<li aria-level="4">
<p dir="ltr" role="presentation">47% of CA owners
provided comments to an open-ended question at the
end of the survey. </p>
</li>
<li aria-level="4">
<p dir="ltr" role="presentation">Chrome interpreted
these results to indicate what was top of mind for
most CA owners.</p>
</li>
<ul>
<li aria-level="5">
<p dir="ltr" role="presentation">47% cited a
negative impact or otherwise expressed concern
associated with the proposed root term limit</p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">26% expressed
appreciation for the opportunity to offer
feedback, and</p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">22% asked for
sufficient migration time before any future
requirements should become effective.</p>
</li>
</ul>
<li aria-level="4">
<p dir="ltr" role="presentation">Chrome appreciates
the candid responses provided by CA owners and will
continue this approach in future surveys. </p>
</li>
</ul>
</ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Survey results:</p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Automation</p>
</li>
<ul>
<li aria-level="4">
<p dir="ltr" role="presentation">Chrome believes
adoption of modern practices like automated
certificate issuance and management help realize the
full security value of TLS.</p>
</li>
<li aria-level="4">
<p dir="ltr" role="presentation">Goals for and
motivation related to automation were shared at F2F
59. If interested in learning more, refer back to
that presentation. </p>
</li>
<li aria-level="4">
<p dir="ltr" role="presentation">76% of CA owners
included in the Chrome Root Store stated support for
automated solutions</p>
</li>
<li aria-level="4">
<p dir="ltr" role="presentation">~99.99% of the
certificates issued in the Web PKI today are issued
by these CA owners, estimated by combining survey
responses and publicly available data.</p>
</li>
<ul>
<li aria-level="5">
<p dir="ltr" role="presentation">Noted that this
data analysis was a point-in-time analysis,
performed the week of September 21st.</p>
</li>
</ul>
<li aria-level="4">
<p dir="ltr" role="presentation">~82% of the
certificates issued by the Web PKI today are issued
using some form of automation.</p>
</li>
<ul>
<li aria-level="5">
<p dir="ltr" role="presentation">This was
extrapolated by considering CA owner survey
responses against data from tools like crt.sh.</p>
</li>
</ul>
<li aria-level="4">
<p dir="ltr" role="presentation">The described data
points, along with other feedback in response to the
survey, were interpreted by the Chrome team to
indicate:</p>
</li>
<ul>
<li aria-level="5">
<p dir="ltr" role="presentation">broader support for
automation by CA owners and corresponding service
providers will continue to create better
opportunities for website owners to improve the
consistency and reliability of TLS
implementations. </p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">support and
innovation related to automation can help reduce
the trade-offs related to the time and effort
required to adopt these practices. </p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">there are
opportunities to improve the state of automation
across the ecosystem to include increased
availability of services, development of new
features and product enhancements that will make
adopting automation a better fit for certain types
of subscribers, and opportunities to educate the
user community on the opportunity automation
presents. </p>
</li>
<ul>
<li aria-level="6">
<p dir="ltr" role="presentation">Chrome is
planning a blog post about automation, to be
published in the next week or so.</p>
</li>
</ul>
</ul>
</ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Term Limits</p>
</li>
<ul>
<li aria-level="4">
<p dir="ltr" role="presentation">The Chrome Root
Program feels a term limit for roots included in the
Chrome Root Store will:</p>
</li>
<ul>
<li aria-level="5">
<p dir="ltr" role="presentation">Help promote and
realize the gains of continuous improvement. </p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">Promote agility
while discouraging potentially dangerous practices
and eliminating single points of failure. It also
allows adoption of new standards and security
features not available when earlier roots were
established.</p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">Reduce risk by
re-establishing “known good” security baselines
that may have been unknowingly lost over a period
of time that is now sometimes up to 35 years. By
reducing the period a root is relied upon, we
reduce the maximum window of potential abuse. </p>
</li>
</ul>
<li aria-level="4">
<p dir="ltr" role="presentation">Refresher: MFT
describes a proposal for a 7-year term limit. Survey
questions were focused on understanding how that
proposal impacts the ecosystem.</p>
</li>
<li aria-level="4">
<p dir="ltr" role="presentation">Results:</p>
</li>
<ul>
<li aria-level="5">
<p dir="ltr" role="presentation">On average, CAs
reported that the “Active Signing Lifetime”, which was
described as “how long root CAs are used to sign
new ICA certificates responsible for leaf
certificate issuance — before transitioning to a
new root?”, was about 15 years.</p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">Most respondents
indicated “Active Signing Lifetime” was between 10
and 20 years. </p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">Though about 15% of
CA owners aligned with the 7-year proposal, most
do not. </p>
</li>
<ul>
<li aria-level="6">
<p dir="ltr" role="presentation">The most common
theme shared by CA owners indicated that the
proposed term limit would exacerbate the
challenges of achieving root ubiquity - a
critical user and device support story.</p>
</li>
</ul>
</ul>
<li aria-level="4">
<p dir="ltr" role="presentation">Conclusions:</p>
</li>
<ul>
<li aria-level="5">
<p dir="ltr" role="presentation">Chrome identified
concern, and some degree of risk communicated in
response to the proposed 7-year term limit.
Because of that feedback, Chrome will change its
proposed approach. Specifics will be shared later
in the presentation. </p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">A more agile
approach is still preferred, and might be explored
again in the future. It’s possible that over time,
barriers to reduced functional life of roots will
be removed - without additional active effort.</p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">Opportunities for
innovation may also improve opportunities for
agility. </p>
</li>
<li aria-level="5">
<p dir="ltr" role="presentation">Chrome encourages
CA owners to explore how they can adopt more
frequent root rotation.</p>
</li>
</ul>
</ul>
</ul>
</ul>
</ul>
</div>
</div>
<div aria-live="assertive" class="ace-line"
id="bkmrk-future-areas-of-expl">
<div aria-live="assertive" class="ace-line">
<ul>
<li aria-level="1">
<p dir="ltr" role="presentation">Future Areas of Exploration</p>
</li>
<ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Described upcoming Chrome
areas of exploration to include linting, phasing-out
multi-purpose roots, and phasing out client
authentication use cases.</p>
</li>
<li aria-level="2">
<p dir="ltr" role="presentation">Brief motivation for
exploring these areas:</p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Broader adoption of
linting has the opportunity to reduce common
mis-issuance events, resulting in fewer Web PKI
incidents that typically do not materially affect the
underlying security of TLS connections.</p>
</li>
<li aria-level="3">
<p dir="ltr" role="presentation">Today, Chrome
transitively trusts over 2,300 CA certificates</p>
</li>
<ul>
<li aria-level="4">
<p dir="ltr" role="presentation">About half of these
CAs support use cases other than server
authentication, the only use case applicable for
Chrome and presumably other web-browser
certificate consumers.</p>
</li>
<li aria-level="4">
<p dir="ltr" role="presentation">Given that each CA
trusted represents added attack surface, and given
that the comingling of use cases minimally increases
complexity, Chrome intends to phase out roots not
dedicated to server authentication in the future.</p>
</li>
</ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Chrome wants to
understand the applicability of clientAuthentication
use cases for web browsers and corresponding root
stores, like Chrome’s, whose use case for TLS is
website authentication, not server-to-server or
device authentication.</p>
</li>
</ul>
<li aria-level="2">
<p dir="ltr" role="presentation">For these areas, CA
owners can expect opportunities to share use cases and
impact related to Chrome’s proposals. CA owner feedback
is considered and valued.</p>
</li>
<li aria-level="2">
<p dir="ltr" role="presentation">If requirements are
drafted, Chrome will do so in a way that attempts to
minimize unintended impact and allows stakeholders time
to prepare for and respond to changes. </p>
</li>
<li aria-level="2">
<p dir="ltr" role="presentation">Finally, these proposals
will take time. As an example, Chrome began studying
automation requirements almost a year ago, but the
Chrome Root Program Policy does not yet have
requirements related to automation. </p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">This point was again
emphasized as it relates to leaf validity. </p>
</li>
</ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Described that exploring
a reduction in maximum certificate validity is still and
will remain a priority for the Chrome Root Program. </p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Chrome is often
motivated by thinking about the impact of “worst case”
scenarios. </p>
</li>
<ul>
<li aria-level="4">
<p dir="ltr" role="presentation">For example, if we
imagined an event like Heartbleed happening again,
are we adequately prepared to respond as an
ecosystem? Are our collective users and customers in
a position to respond quickly and completely to a
vulnerability or incident that puts the foundation
of web security at risk?</p>
</li>
</ul>
<li aria-level="3">
<p dir="ltr" role="presentation">As a community, and as
leaders in this space, it is our combined
responsibility to continue improving such that when we
need to respond, we can - and without delay.</p>
</li>
<li aria-level="3">
<p dir="ltr" role="presentation">Chrome believes the
combination of automation and reduced certificate
validity best positions us to manage risk and promote
agility moving forward — and remains committed to
exploring this further. </p>
</li>
</ul>
</ul>
</ul>
</div>
</div>
<div aria-live="assertive" class="ace-line"
id="bkmrk-policy-updates-chrom">
<div aria-live="assertive" class="ace-line">
<ul>
<li aria-level="1">
<p dir="ltr" role="presentation">Policy Updates</p>
</li>
<ul>
<li aria-level="2">
<p dir="ltr" role="presentation">Chrome will be
introducing a new “pre-flight” process, introduced at
the last Face-to-Face, where CA owners can offer
comments or request clarifications prior to a new policy
version becoming final and effective. </p>
</li>
<li aria-level="2">
<p dir="ltr" role="presentation">Described the pre-flight
process, and what CAs should expect related to timelines
and next steps. </p>
</li>
<li aria-level="2">
<p dir="ltr" role="presentation">A summary of the updates
included in the policy update was described. A point of
emphasis was removing language from the Chrome Root
Program policy and instead relying on reference to the
CCADB policy, especially as it relates to incident
reporting. </p>
</li>
<li aria-level="2">
<p dir="ltr" role="presentation">New subsections related
to Root CA Key Material Freshness, Automation Support,
and the Root CA Term-Limit</p>
</li>
<ul>
<li aria-level="3">
<p dir="ltr" role="presentation">Key Freshness: Updates
are intended to describe more clearly the
expectations related to how CA owners can illustrate
that pre-existing key freshness requirements are
satisfied.</p>
</li>
<li aria-level="3">
<p dir="ltr" role="presentation">Automation: New
requirements such that applicants applying to the
Chrome Root Program after January 15, 2024 must
support some form of automation. ACME is preferred,
however other solutions can also be acceptable. This
outcome was influenced by CA owner feedback, as
originally, Chrome intended to require use of ACME.
There is no expectation or requirement that
subscribers must use automation, just that CAs must
make it an option for their use. </p>
</li>
<li aria-level="3">
<p dir="ltr" role="presentation">Term-limit: New
requirements that will limit a root’s inclusion in the
Chrome Root Store to 15 years. This timeline was
influenced by CA owner feedback provided during the
recent CA owner survey. A specific phase-out plan is
described in the policy update to reduce negative
impact to the ecosystem as this change is implemented.</p>
</li>
</ul>
</ul>
</ul>
</div>
</div>
<div aria-live="assertive" class="ace-line"
id="bkmrk-feature-launch-roadm">
<div aria-live="assertive" class="ace-line">
<ul>
<li aria-level="1">
<p dir="ltr" role="presentation">Feature Launch Roadmap: The
Chrome Certificate Verifier and Root Store have been
deployed on all platforms, where possible. A FAQ link in
the presentation materials describes more information
about when specific platforms transitioned to the new
Chrome tools.</p>
</li>
</ul>
</div>
</div>
<p dir="ltr" id="bkmrk-2%29-certificate-trans">2) Certificate
Transparency Updates</p>
<div aria-live="assertive" class="ace-line"
id="bkmrk-chrome-security-team">
<div aria-live="assertive" class="ace-line">
<ul>
<li aria-level="1">
<p dir="ltr" role="presentation">Chrome Security team
members sent notice on 9/15 and 9/29 that several logs
have been approved for inclusion in Chrome and are marked
as Qualified.</p>
</li>
<li aria-level="1">
<p dir="ltr" role="presentation">Chrome is always looking
for new CAs to responsibly operate CT logs, and these
types of community contribution are evaluated when
reviewing root store applications. </p>
</li>
<li aria-level="1">
<p dir="ltr" role="presentation">Reach out to the Chrome
team if interested in running a CT log.</p>
</li>
</ul>
</div>
</div>
<p dir="ltr" id="bkmrk-3%29-general-browser-n">3) General Browser
News</p>
<div aria-live="assertive" id="bkmrk-wayne-thayer-asked-a"
class="ace-line">
<div aria-live="assertive" id="bkmrk-chrome-116-introduce"
class="ace-line">
<ul>
<li aria-level="1">
<p dir="ltr" role="presentation">Beginning in Chrome 116,
Chrome began offering support for Kyber.</p>
</li>
<ul>
<li aria-level="2">
<p dir="ltr" role="presentation">This is not post-quantum
X.509 support; it concerns
establishing symmetric secrets during the TLS
handshake. </p>
</li>
</ul>
<li aria-level="1">
<p dir="ltr" role="presentation">Interested parties can
learn more about this change in a blog post that’s linked
from the slides.</p>
</li>
</ul>
</div>
</div>
<h3 id="bkmrk-apple-root-program-u">Apple Root Program Update</h3>
<p id="bkmrk-leader%3A-clint-wilson"><strong>Leader:</strong> Clint
Wilson (Apple) <br>
<strong>Minutes:</strong> Corey Bonnell (DigiCert)<br>
<strong>Presentation link:</strong> <a
class="moz-txt-link-freetext"
href="https://cabforum.org/wp-content/uploads/6-2023-October-Apple.pdf"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/6-2023-October-Apple.pdf</a><br>
</p>
<p id="bkmrk-discussion-outside-t-5"><strong>Discussion outside the
presentation:</strong> <br>
</p>
<div aria-live="assertive" id="bkmrk-clint-asked-ct-log-o"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
asked CT log operators to prepare sharded logs for 2026.
Additionally, he would like to drive discussion on the state of
CT log operators.</span></div>
<div aria-live="assertive" id="bkmrk--26" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-provided-a-rev"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
provided a review of 2023:</span></div>
<div aria-live="assertive" id="bkmrk--27" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-earlier-this-year%2C-a"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Earlier
this year, a new version of Apple root policy was published. The
primary intention was to document previously undocumented
requirements.</span></div>
<div aria-live="assertive" id="bkmrk-additionally%2C-a-feed"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Additionally,
a feedback cycle was introduced. This feedback cycle was very
beneficial in terms of improving the root policy.</span></div>
<div aria-live="assertive" id="bkmrk--28" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-several-cas-opted-to"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Several
CAs opted to remove their S/MIME-issuing CAs from the Apple
program instead of complying with the S/MIME Baseline
Requirements, which came into effect on September 1st. Overall,
the S/MIME BR implementation in preparation of the effective
date was relatively smooth.</span></div>
<div aria-live="assertive" id="bkmrk--29" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-provided-a-rem"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
provided a reminder of upcoming effective dates:</span></div>
<div aria-live="assertive" id="bkmrk--30" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-apple-will-no-longer"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Apple
will no longer accept multi-purpose root inclusion requests
after April 15, 2024.</span></div>
<div aria-live="assertive" id="bkmrk-apple-will-require-c"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Apple
will require CAs to support at least one domain validation method
for the issuance of serverauth TLS certificates that can be
automated as of August 15, 2024.</span></div>
<div aria-live="assertive" id="bkmrk-apple-will-require-t"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Apple
will require that S/MIME-issuing CAs provide a S/MIME BR audit
report uploaded to CCADB by December 1st, 2024.</span></div>
<div aria-live="assertive" id="bkmrk--31" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-reminded-cas-t"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
reminded CAs that they need to share incident reports with
Apple. If the report is available in Bugzilla, then a link to
the incident is sufficient.</span></div>
<div aria-live="assertive" id="bkmrk--32" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-said-that-seve"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
said that several inclusion requests have been received where
not all the requisite information has been provided. To move the
request along, all required information must be provided.</span></div>
<div aria-live="assertive" id="bkmrk--33" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-provided-a-pre"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
provided a preview of 2024 changes:</span></div>
<div aria-live="assertive" id="bkmrk--34" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-addressing-backlog-i"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Addressing
backlog items:</span></div>
<div aria-live="assertive" id="bkmrk--35" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-1.-website-improveme"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">1.
Website improvements to provide an archive of previous versions
of the policy as well as a changelog</span></div>
<div aria-live="assertive" id="bkmrk-2.-clarify-how-updat"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">2.
Clarify how updated versions of external documents that are
referenced in the policy affect the policy</span></div>
<div aria-live="assertive" id="bkmrk-3.-improve-language-"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">3.
Improve language on key generation and protection requirements</span></div>
<div aria-live="assertive" id="bkmrk-4.-high-level-discus"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">4.
High-level discussion on:</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0-a.-certificate-val"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6"> a.
certificate validity periods and validation data re-use periods</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0-b.-use-of-subject-"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6"> b. use
of subject DN attributes</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0-c.-requirements-fo"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6"> c.
requirements for the annual self-assessment</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0-d.-pqc%3A-tls-certif"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6"> d. PQC:
TLS certificates are not high priority, but other certificate
use cases are</span></div>
<div aria-live="assertive" id="bkmrk--36" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-would-like-inp"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
would like input and suggestions for next steps, as it may be
helpful to pilot initiatives in root policy before introduction
of a requirement in the BRs. The IETF strongly recommends
running code that implements a draft standard to ensure its
feasibility. Clint also alluded to a hesitation by implementers
to implement something that is not yet required. It's
desired to understand the potential impact of a proposed
requirement before it actually comes into effect and becomes a
compliance issue.</span></div>
<div aria-live="assertive" id="bkmrk--37" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-trev-agreed-that-it-"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Trev
agreed that it is an involved process to add something to the
BRs. She asked Clint if he's implying that root policy is easier
to implement as opposed to the BRs, as it is a compliance
incident regardless of the source of the requirement.</span></div>
<div aria-live="assertive" id="bkmrk--38" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-said-that-it%27s"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
said that it's not necessarily easier to modify root policy as
opposed to the BRs, but rather that beneficial items have been
originally introduced in root policies and later incorporated
into the BRs. If there's value in piloting a requirement before
it becomes a compliance-impacting requirement, then the
requirements better account for edge cases without CAs
experiencing non-compliance incidents.</span></div>
<div aria-live="assertive" id="bkmrk--39" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-jeremy-asked-if-the-"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Jeremy
asked whether the scope of investigation on data re-use includes
organization validation data, or whether domain validation and
mailbox validation reuse is being considered. Clint clarified that
the domain names expressed in the nameConstraints of technically
constrained CA certificates was one facet. A wider view of all
aspects of validation data re-use is being considered, but there are few
concrete items yet.</span></div>
<div aria-live="assertive" id="bkmrk--40" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint-said-that-in-q"
class="ace-line"><span
class="author-a-z81zvjz70z22z90z9wz66zuz81zz87zz80zn6">Clint
said that in Q1 or Q2 2024, a preview of an upcoming policy
update in Q3 or Q4 next year will be circulated.</span></div>
<h3 id="bkmrk-microsoft-root-progr">Microsoft Root Program Update</h3>
<p id="bkmrk-leader%3A-karina-sirot"><strong>Leader:</strong> <span
class="author-a-z86z1oz72zz67zlz67zcz90zc7z77zz73zxz87zg">Hannah
Sokol and Nitesh Bakliwal (Microsoft)</span> <br>
<strong>Minutes:</strong> Dean Coclin (DigiCert) <br>
<strong>Presentation link:</strong>
<a class="moz-txt-link-freetext"
href="https://cabforum.org/wp-content/uploads/7-Microsoft_F2F60_Presentation.pdf"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/7-Microsoft_F2F60_Presentation.pdf</a><br>
</p>
<p id="bkmrk-discussion-outside-t-6"><strong>Discussion outside the
presentation:</strong> <br>
</p>
<div aria-live="assertive" id="bkmrk-question-about-the-c"
class="ace-line">
<ul>
<li class="null"><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv b">Question
about the change in code signing certs accepting only RSA,
what is the rationale for that? </span></li>
<li class="null"><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv b">Answer:
Not a change, that is what they currently support. </span></li>
</ul>
</div>
<div aria-live="assertive" class="ace-line"
id="bkmrk-they-looked-at-ecdsa"><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv b">They
looked at ECDSA but the ROI to implement that isn't there at
this time.</span><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot b"> Microsoft
believes that exploring approaches to support PQC in the future
is a better investment.</span><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv b"> </span></div>
<div aria-live="assertive" id="bkmrk-question%3A-what%27s-the"
class="ace-line">
<ul>
<li class="null"><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv b">Question:
What's the plan for MSFT to support PQC? Answer: Will be
investing time to look at that now.</span><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot b"> It is
the future approach and reason why we are not investing in
ECDSA support exploration.</span></li>
<li class="null"><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Question:
Which CT logs will be trusted? Answer: Not published yet.</span>
<p> </p>
</li>
<li class="null">
<p><span class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Question:
Regarding upcoming SCT policy, is this a technical
restriction or a root policy? </span><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Answer:
Starting with a technical implementation but moving toward
a root policy.</span></p>
</li>
<li class="null">
<p><span class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Question:
With audits, will you notify CAs if they have issues? With
so many different root policies, we have to harmonize or
else it's not feasible. </span><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Answer:
</span><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot">Yes,
we intend to notify CAs. Also, </span><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Good
point</span><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot">
around harmonization</span><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">, will
likely piggyback on another root polic</span><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot">ies</span><span
class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">.</span><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot">
However, all Mozilla, Apple, Google and Apple should meet
and synchronize their CT policy.</span></p>
</li>
<li class="null">
<p><span class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Comment:
It would be preferable instead of having root policies,
that these things go through the CA/B Forum. </span></p>
</li>
<li class="null">
<p><span class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Comment:
Sometimes there are things that are out of scope of the
forum. </span></p>
</li>
<li class="null">
<p><span class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Comment:
We should try to put as much in the forum as possible. CT
is not part of BRs. Couldn't that be part of the BRs?
Would be good to discuss in forum.</span></p>
</li>
<li class="null">
<p><span class="author-a-z80zfy2z90zmz74z5z86zz74zpz82zmnqv">Comment:
CT Log operators are an entity not envisioned in BRs and
may not be CAs or Browsers. But you can make a
conditional requirement (if you are a CA or browser and
operate a log then you must....).</span></p>
</li>
</ul>
</div>
<h3 id="bkmrk-ccadb-update">CCADB Update</h3>
<p id="bkmrk-leader%3A-chris-clemen"><strong>Leader:</strong> Ben
Wilson (Mozilla, <span
class="author-a-ez72z1pz122z3iz69zz89zz76z4z65zz71zihq">on
behalf of the CCADB Steering Committee</span>)<br>
<strong>Minutes:</strong> <span
class="author-a-z86z1oz72zz67zlz67zcz90zc7z77zz73zxz87zg">Hannah
Sokol</span> (Microsoft)<br>
<strong>Presentation link: </strong><a
class="moz-txt-link-freetext"
href="https://cabforum.org/wp-content/uploads/8-CAB-F2F-60-CCADB-Update.pdf"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/8-CAB-F2F-60-CCADB-Update.pdf</a><br>
</p>
<p id="bkmrk-discussion-outside-t-8"><strong>Discussion outside the
presentation:</strong> </p>
<div aria-live="assertive" id="bkmrk-updates-to-the-ccadb"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Updates to the
CCADB.org</span></div>
<div aria-live="assertive" id="bkmrk-august-this-past-yea"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">August this
past year, added policy on CCADB usage as well as tooling</span></div>
<div aria-live="assertive" id="bkmrk--42" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-usage" class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Usage</span></div>
<div aria-live="assertive" id="bkmrk---ran-into-problem-w"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">- Ran into
problem with license with Salesforce due to overuse. Had to add
guidance around usage. &lt; 5 logons per month (~ once per week)</span></div>
<div aria-live="assertive" id="bkmrk---halved-the-use-and"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">- halved the
use and we appreciate all the compliance around this</span></div>
<div aria-live="assertive" id="bkmrk--43" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-tooling" class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Tooling</span></div>
<div aria-live="assertive" id="bkmrk---trouble-maintainin"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">- trouble
maintaining the tools and so we moved to GitHub. PEM Tool
which is built into CCADB. Processes PEM file and processes
CCADB with read only information (fixed bugs related to this
parser)</span></div>
<div aria-live="assertive" id="bkmrk---ev-readiness-tool-"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">- E</span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">V</span><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1"> Readiness tool
- paste in a PEM and run EV OID and the name of the server you
are testing and test the cert against EV guidelines. URL will
say what the testing does as well as a URL to the tool itself</span></div>
<div aria-live="assertive" id="bkmrk--44" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-feature-updates%3A-ca-"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Feature
Updates: CA reports and Communications</span></div>
<div aria-live="assertive" id="bkmrk-working-on-audit-tea"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Working on
Audit Team Qualifications that is to come out this month</span></div>
<div aria-live="assertive" id="bkmrk--45" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-click-on-%22my-ca%22--%3E-"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Click on "My
CA" -> CA Reports</span></div>
<div aria-live="assertive" id="bkmrk-report-on-all-your-c"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Report on all
your certs and show your root / intermediate root etc. Helps
with your audits and self-assessment</span></div>
<div aria-live="assertive" id="bkmrk--46" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-generate-this-report"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Generate this
report, export to CSV, remove columns you don't need, and you
then can use it for one of those two use cases</span></div>
<div aria-live="assertive" id="bkmrk--47" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-ca-communications"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">CA
Communications</span></div>
<div aria-live="assertive" id="bkmrk-shows-all-your-comms"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Shows all your
comms that you have been party to and things that have been
sent out from your Root CA</span></div>
<div aria-live="assertive" id="bkmrk--48" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-working-on-audit-tea-1"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Working on
audit teams qualifications - upload button instead of
referencing a URL. You would upload Auditing qualifications.
This is for when something is separate (WebTrust) other root
stores are wanting it and so we added functionality to upload
audit team qualifications</span></div>
<div aria-live="assertive" id="bkmrk--49" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-under-audit-team-the"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Under audit
team there would be an upload button, what do you want to
upload, upload file, and it will show the place where that is
saved within CCADB </span></div>
<div aria-live="assertive" id="bkmrk--50" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-is-this-for-etsi%3F-th"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Is this for
ETSI? This is mainly for WebTrust or any other auditor where
auditing qualifications need to be used</span></div>
<div aria-live="assertive" id="bkmrk--51" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-check-box-where-we-l"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Check box where
we look at auditor team qualifications and if it satisfies the
qualifications</span></div>
<div aria-live="assertive" id="bkmrk--52" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-what-else-is-going-o"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">What else is
going on?</span></div>
<div aria-live="assertive" id="bkmrk-if-you-want-to-see-r"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">If you want to
see request enhancements or bugs there is a link to the
dashboard</span></div>
<div aria-live="assertive" id="bkmrk-we-prioritize-and-tr"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">We prioritize
and triage the bugs</span></div>
<div aria-live="assertive" id="bkmrk-can-see-the-status-a"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Can see the
status and you are welcome to submit those as well</span></div>
<div aria-live="assertive" id="bkmrk-add-s%2Fmime-fields-to"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Add S/MIME
fields to upload or populating data about SBRs </span></div>
<div aria-live="assertive" id="bkmrk--53" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-3.1-announce-inciden"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">3.1 Announce
incident reporting format</span></div>
<div aria-live="assertive" id="bkmrk-taken-current-criter"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Taken current
criteria and reorganized it into 7 different categories and will
publish it at the end of the week. Ask that CAs start giving
incident reports in this formal language and paste this into a
Bug and it will break it into these categories</span></div>
<div aria-live="assertive" id="bkmrk-put-attached-files-i"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Put attached
files in the appendix (ex. crt.sh hashes)</span></div>
<div aria-live="assertive" id="bkmrk--54" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-don%3A-when-do-you-fee"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Don: When do
you feel you will be ready for SMIME reports? To receive them?</span></div>
<div aria-live="assertive" id="bkmrk--55" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-ben%3A-we-are-ready-no"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Ben: We are
ready now, it is just not stored in the CCADB. We will
communicate among the root operators that here is the audit
report. The person on call would review the SMIME audit reports
along with other reports. It is not recorded in CCADB until we
get this functionality. This should be delivered near the end of
Q4</span></div>
<div aria-live="assertive" id="bkmrk--56" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-don%3A-delayed-parsing"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Don: Delayed
parsing out Network Security report until you are ready to
receive it in a separate template. We have the report and are
drafting new reports to req the separation of Network Security.
What is the timeline around that?</span></div>
<div aria-live="assertive" id="bkmrk--57" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-ben%3A-we-have-talked-"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Ben: We have
talked about this. Yes, it looks like we can do it at the same
time as SMIME. There are time budgeting restrictions with our
outsourced software dev. However, that was the planned approach
to add the network security with (might be wrong, other members
call me out)</span></div>
<div aria-live="assertive" id="bkmrk--58" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-chris%3A-confirming-th"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Chris:
Confirming that the desire is to align with those two new audit
types. Work through CCADB steering committee requirements</span></div>
<div aria-live="assertive" id="bkmrk--59" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-clint%3A-more-conversa"
class="ace-line"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1">Clint: More
conversation around timing around separation of the root
reports. That the criteria is separate. Will have emails back
and forth to make sure</span></div>
<h3 id="bkmrk-q%26a-root-program-dis" class="ace-line"
aria-live="assertive"><span
class="author-a-z85zwz80zymfdmz79zz74z0z68z3jc1"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b">Q&A
Root program discussions</span></span></h3>
<div aria-live="assertive" class="ace-line"
id="bkmrk-minutes%3A-arvid-vermo">
<div aria-live="assertive" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-minutes%3A-arvid-vermo-1"
class="ace-line"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b"><strong>Minutes:</strong></span>
<span class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">Arvid
Vermote (GlobalSign)</span></div>
<div aria-live="assertive" class="ace-line"><br>
</div>
</div>
<div aria-live="assertive" class="ace-line"
id="bkmrk-question%3A-are-root-p">
<div aria-live="assertive" id="bkmrk-question%3A-are-root-p-1"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Question:
Are root programs open for CT harmonization? </span></div>
<div aria-live="assertive" id="bkmrk-mozilla%3A-yes%2C-as-we-"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Mozilla:
Yes, as we drafted our policy we were under the assumption
there would be consistency between root programs. Agreement it
would be better to come to a common language. </span></div>
<div aria-live="assertive" id="bkmrk-feedback%3A-suggestion"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Feedback:
Suggestion to have the CT policy under CABF. Having multiple
policies does not mean they are the same, they continue to
require monitoring. Should have one document, one policy, one
list of CT logs.</span></div>
<div aria-live="assertive" id="bkmrk-apple%3A-there-are-som"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Apple:
there are some outstanding questions: are the current policies
causing conflicts / complexities or is it more a risk we see
for the future? Other thought: if we shift it to CABF it would
inherently end up being a different set of entities the policy
applies to (right now, voluntary CA but might change if we
move it to CABF)</span></div>
<div aria-live="assertive" id="bkmrk-feedback%3A-multiple-e"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Feedback:
multiple examples were given about the potential complexities
of the current "multiple policies" approach</span></div>
<div aria-live="assertive" id="bkmrk-apple%3A-open-to-conso"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Apple:
open to consolidating but hoping everyone understands the
implications</span></div>
<div aria-live="assertive" id="bkmrk-microsoft-is-also-op"
class="ace-line"><span
class="author-a-z82zco8z80zz65zz75zjqthez81zz80zot">Microsoft
is also open to jointly review and explore opportunity for
consolidation and is already looking at Chrome and Apple
policies as baseline</span></div>
<div aria-live="assertive" id="bkmrk-chrome%3A-ct-policy-is"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Chrome: CT
policy is separate from root program policy. There is an
opportunity to align where the beliefs are common but there
will always be independent root program requirements. Just
because common requirements are aligned it does not mean the
programs still might have separate requirements.</span></div>
<div aria-live="assertive" id="bkmrk-feedback%3A-complying-"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Feedback:
complying to all the different policies is different, question
to the root programs to make sure requirements are aligned.
There is no reason why the root programs should come together,
compare and make sure things are aligned. </span></div>
<div aria-live="assertive" id="bkmrk-aligned%3A-alignment-e"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Aligned:
alignment exercises are done during CT days. </span></div>
<div aria-live="assertive" id="bkmrk-feedback%3A-it-makes-s"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Feedback:
it makes sense for the browsers to have unique products, as
long as the browsers continue to discuss stuff and work
together to make sure a shared product does not break in a
single browser because of their CT policy, that is what the
CAs want to avoid</span></div>
<div aria-live="assertive" id="bkmrk--60" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-question-for-chrome%3A"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Question
for Chrome: you said you wanted to phase out client auth. What
would be the driver for that?</span></div>
<div aria-live="assertive" id="bkmrk-chrome-answer%3A-we-no"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Chrome
answer: we noticed that only 10% of certificates in scope
within the Chrome root program contained client auth, not
clear on the use case and no insights on what it would be.
Awaiting feedback from further surveys what the consumer
impact on removing client auth would be. </span></div>
<div aria-live="assertive" id="bkmrk-feedback%3A-the-trust-"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Feedback:
the trust anchor for client auth is configured server side so
having it chained to public trust anchors seems not needed,
but maybe there are cases where there needs to be
interoperability / consumers need multiple issuers for their
client auth certificates. </span></div>
<div aria-live="assertive" id="bkmrk-chrome%3A-no-intent-to"
class="ace-line"><span
class="author-a-37oz78zz79zz86zuz65z4j0z83z06z67ze">Chrome: no
intent to prohibit it from private PKI / other use cases,
only to remove it from TLS certificates</span></div>
</div>
<h2 id="bkmrk-audit-updates">Audit Updates</h2>
<h3 id="bkmrk-etsi-update">ETSI Update</h3>
<p id="bkmrk-leader%3A-nick-pope-an"><strong>Leader:</strong> <span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy">Nick
Pope and Arno Fiedler (Chairs ETSI ESI)</span><br>
<strong>Minutes:</strong> Clemens Wanko (TUV AUSTRIA)<br>
<strong>Presentation link: </strong><a
class="moz-txt-link-freetext"
href="https://cabforum.org/wp-content/uploads/10-ETSI-ESI-Activities-CABFORUM2023-10.pdf"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/10-ETSI-ESI-Activities-CABFORUM2023-10.pdf</a></p>
<div aria-live="assertive" id="bkmrk-etsi-summary-of-most"
class="ace-line"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b"><strong>ETSI
summary of most important news (see slides for details):</strong></span></div>
<div aria-live="assertive" id="bkmrk-arno-reported-latest"
class="ace-line"><span
class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">Arno reported
latest developments and updates from the ETSI/ESI normative
developments. The overall map of available standards shows not
only full coverage now but several updates supporting ongoing
developments in all the different areas like:</span></div>
<div aria-live="assertive" id="bkmrk-legal-devs.-at-eu-le"
class="ace-line">
<ul class="list-bullet1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">legal
devs. at EU-level, like NIS2 and eIDAS2 as well as </span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-supporting-ca%2Fb-foru"
class="ace-line">
<ul class="list-bullet1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">supporting
CA/B Forum specifics, like S/MIME BR with the ETSI TS 119
411-6.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-see-slides-for-furth"
class="ace-line"><span
class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">See slides for
further details.</span></div>
<div aria-live="assertive" id="bkmrk-discussion-outside-t-2"
class="ace-line"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b"><strong>Discussion
outside the presentation:</strong> </span><span
style="background-color: rgb(241, 196, 15);"><span
style="background-color: rgb(255, 255, 255);">No additional
discussion.</span></span></div>
<h3 id="bkmrk-acab%27c-update">ACAB'C Update</h3>
<p id="bkmrk-leader%3A-clemens-wank"><strong>Leader:</strong>
Clemens Wanko (TÜV AUSTRIA)<br>
<strong>Minutes:</strong> Arno Fiedler (Vice Chair ETSI ESI)<br>
<strong>Presentation link: </strong><a
class="moz-txt-link-freetext"
href="https://cabforum.org/wp-content/uploads/11-20231003_CAB-Forum_60_ACABc_presentation_V1.4.pdf"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/11-20231003_CAB-Forum_60_ACABc_presentation_V1.4.pdf</a></p>
<div aria-live="assertive" id="bkmrk-acab%27c-summary-of-mo"
class="ace-line"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b"><strong>ACAB'C
summary of most important news (see slides for details):</strong></span></div>
<div aria-live="assertive" id="bkmrk-updates" class="ace-line"><span
class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z b"><strong>Updates</strong></span></div>
<div aria-live="assertive" id="bkmrk-nis2%2Fcybersecurity-r"
class="ace-line">
<ul class="list-bullet1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z b"><strong>NIS2/Cybersecurity
requirements for EU-based CA/TSP</strong></span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-clemens-reminded-ca%2F"
class="ace-line">
<ul class="list-indent1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">Clemens
reminded CA/TSP based on EU grounds of upcoming
cybersecurity requirements derived from the EU directive on
NIS2 (DIRECTIVE (EU) 2022/2555). Requirements following the
directive will be defined, released by EU MS and adhered to
by CA/TSP from 18th Oct. 2024 (Art. 41). Requirements for
CA/TSP (mainly!) are addressed in updated ETSI EN 319 401.
National MS specifics to be added to show full compliance.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-s%2Fmime-br-audit-inte"
class="ace-line">
<ul class="list-bullet1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z b"><strong>S/MIME
BR audit integration</strong></span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-etsi-ts-119-411-6-is"
class="ace-line">
<ul class="list-indent1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">ETSI TS
119 411-6 is interfacing between ETSI EN 319 411-1/2
requirements for CA/TSP issuing PTC </span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-and-s%2Fmime-br.-ca%2Fts"
class="ace-line">
<ul class="list-indent1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">and
S/MIME BR. CA/TSP shall ensure that their CAB base audits on
the ...411-6 plus S/MIME BR and mention those in their
reports including the AAL.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-policy-based-aal-tem"
class="ace-line">
<ul class="list-bullet1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z b"><strong>Policy
based AAL templates </strong></span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-aal-concept-change-t"
class="ace-line">
<ul class="list-indent1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">AAL
concept change to improve CCADB AALV. </span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-new-concept%3A-a-set-o"
class="ace-line">
<ul class="list-indent1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">New
concept: a </span><span
class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z u"><u>set of
different attestation letters</u></span><span
class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z"> is required </span><span
class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z u"><u>to form
one complete audit attestation</u></span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-there-is-1-standardl"
class="ace-line">
<ul class="list-indent1">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">There is
1 standard letter template and 4 specific ones.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-standard-audit-attes"
class="ace-line">
<ul class="list-bullet2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">Standard
Audit Attestation Letter</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-lists-all-roots-and-"
class="ace-line">
<ul class="list-indent2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">Lists
all Roots and all corresponding SubCA (Intermediate &
Issuing CA) that have been in the scope of the conformity
assessment</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-smime-br-audit-attes"
class="ace-line">
<ul class="list-bullet2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">SMIME-BR
Audit Attestation Letter</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-list-only-the-roots-"
class="ace-line">
<ul class="list-indent2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">List
only the Roots and only the corresponding SubCA to the Roots
(Intermediate & Issuing CA) that have been assessed
against the SMIME BR (=> ETSI TS 119 411-6)</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-tls-br-audit-attesta"
class="ace-line">
<ul class="list-bullet2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">TLS-BR
Audit Attestation Letter</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-list-only-the-roots--1"
class="ace-line">
<ul class="list-indent2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">List
only the Roots and only the corresponding SubCA to the
Roots (Intermediate & Issuing CA) that have been
assessed against the TLS BR (ETSI policies DVCP, IVCP, OVCP,
QNCP-w)</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-tls-ev-audit-attesta"
class="ace-line">
<ul class="list-bullet2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">TLS-EV
Audit Attestation Letter</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-list-only-the-roots--2"
class="ace-line">
<ul class="list-indent2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">List
only the Roots and only the corresponding SubCA to the
Roots (Intermediate & Issuing CA) that have been
assessed against the TLS EV Guidelines (=> ETSI policies
EVCP, QEVCP-w)</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-code-signing-br-audi"
class="ace-line">
<ul class="list-bullet2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">Code
Signing-BR Audit Attestation Letter</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-list-only-the-roots--3"
class="ace-line">
<ul class="list-indent2">
<li><span class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">List
only the Roots and only the corresponding SubCA to the Roots
(Intermediate & Issuing CA) that have been assessed
against the Code Signing BR (=> ETSI policies NCP, NCP)</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-see-slides-for-furth-1"
class="ace-line"><span
class="author-a-hmkpkz76zsxqz86z7cz81ze2z76z">See slides for
further details.</span></div>
<p id="bkmrk-discussion-outside-t-14"><strong>Discussion outside the
presentation:<span style="background-color: rgb(255, 255, 255);">
</span></strong><span
style="background-color: rgb(241, 196, 15);"><span
style="background-color: rgb(255, 255, 255);">No additional
discussion.</span><br>
</span></p>
<h3 id="bkmrk-webtrust-update">WebTrust Update</h3>
<p id="bkmrk-leader%3A-don-sheehy-%28"><strong>Leader:</strong> <span
class="author-a-ez72z1pz122z3iz69zz89zz76z4z65zz71zihq">Tim
Crawford, Don Sheehy, Dave Chin, (CPA Canada)</span><br>
<strong>Minutes:</strong> Bruce Morton (Entrust)<br>
<strong>Presentation link: </strong><a
class="moz-txt-link-freetext"
href="https://cabforum.org/wp-content/uploads/12-Webtrust-CABF-update-Oct-2023-New-Format-v4.pdf"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/12-Webtrust-CABF-update-Oct-2023-New-Format-v4.pdf</a><br>
</p>
<div aria-live="assertive" id="bkmrk-some-notes-from-the-"
class="ace-line"><strong><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">Some
notes from the presentation:</span></strong></div>
<div aria-live="assertive" id="bkmrk-webtrust-for-s%2Fmime-"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">WebTrust
for S/MIME v1.0.1 has been issued.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-webtrust-for-ca-2.2."
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">WebTrust
for CA 2.2.2 in progress.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-reporting-templates-"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">Reporting
templates being updated.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-practioner-guidance-"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">Practitioner
guidance updated.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-details-controls-rep"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">Detailed
controls reporting updated which is not a public report. The
report is made up of 6 major sections.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-impact-of-assessment"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">Impact
of assessment of ISO 27099 on WebTrust. There were many
changes. The rough draft showed too many issues. So now ISO
21188 is under review which will be updated and may contain
items from ISO 27099. So WebTrust for CA should not be
impacted until effort is done.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-webtrust-for-network"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">WebTrust
for Network Security report will be effective 1 April 2024.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-still-working-on-web"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">Still
working on WebTrust for CA supporting X9 and IoT programs.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-added-two-new-member"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">Added
two new members to the WebTrust task force.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-for-a-webtrust-audit"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">For
a WebTrust audit a Signing Practitioner is needed who must be
WTCA licensed and PKI trained. Quality </span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-new-seal-pricing-and"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">New
seal pricing and bundles.</span></li>
</ul>
</div>
<div aria-live="assertive" id="bkmrk-seal-updates-for-ras"
class="ace-line">
<ul class="list-bullet1">
<li><span
class="author-a-z88zz80zaeg58z89zmz65zz122zz73zexz89zz88z">Seal
updates for RAs, S/MIME and Qualified Seal.</span></li>
</ul>
</div>
<p id="bkmrk-discussion-outside-t-15"><strong>Discussion outside the
presentation:</strong> none</p>
<h3 id="bkmrk-q%26a-audits-and-stand" class="ace-line"
aria-live="assertive"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b">Q&A
Audits and Standards</span></h3>
<div aria-live="assertive" id="bkmrk-minutes%3A-kiran-tumma"
class="ace-line"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b"><strong>Minutes:</strong></span><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj b">
Kiran Tummala (Microsoft)</span></div>
<p id="bkmrk-adjurned-forum-plena"><strong>ADJOURNED Forum Plenary
Meeting for Day 1</strong><br>
</p>
<h1 id="bkmrk-cabf-face-to-face-me-1">CABF Face-to-Face Meeting 60:
Day 2 October 4, 2023</h1>
<h2 id="bkmrk-ca%2Fbrowser-forum-mee-1">CA/Browser Forum Meeting</h2>
<h2 id="bkmrk-attendance-1">Attendance</h2>
<p id="bkmrk-....">Aaron Gable - (Let's Encrypt), Aaron Poulsen -
(Amazon), Abhishek Bhat - (eMudhra), Adam Jones - (Microsoft),
Adrian Mueller - (SwissSign), Adriano Santoni - (Actalis S.p.A.),
Aleksandra Kurosz (Asseco Data Systems S.A.), Andrea Holland -
(VikingCloud), Andreas Henschel (D-Trust), Aneta Wojtczak-Iwanicka
- (Microsoft), Anna-Marie Christian (WebTrust / CPA Canada), Antti
Backman - (Telia Company), Arno Fiedler - (ETSI), Arnold Essing
(Telekom Security), Arvid Vermote - (GlobalSign), Ben Wilson -
(Mozilla), Brianca Martin - (Amazon), Brittany Randall -
(GoDaddy), Bruce Morton - (Entrust), Chris Clements - (Google),
Christophe Bonjean - (GlobalSign), Clemens Wanko - (ACAB'c / TUV
Austria), Clint Wilson - (Apple), Corey Bonnell - (DigiCert),
Corey Bonnell (DigiCert), Corey Rasmussen - (OATI), Daryn Wright -
(GoDaddy), Dave Chin - (CPA Canada/WebTrust), Dean Coclin
(DigiCert), Dimitris Zacharopoulos - (HARICA), Don Sheehy
(WebTrust), Doug Beattie - (GlobalSign), Ellie Lu - (TrustAsia
Technologies Inc.), Enrico Entschew (D-Trust), Eva Vansteenberge -
(GlobalSign), Hannah Sokol - (Microsoft), Hogeun Yoo - (NAVER
Cloud), Ian McMillan - (Microsoft), Inaba Atsushi - (GlobalSign),
Inigo Barreira - (Sectigo), Janet Hines - (VikingCloud), Jeremy
Rowley - (DigiCert), Joanna Fox - (TrustCor Systems), Jochem van
den Berge - (Logius PKIoverheid), John Mason (Microsoft), John
Sarapata (Google Trust Services), Joseph Ramm - (OATI), Jozef
Nigut - (Disig), Kateryna Aleksieieva - (Asseco Data Systems SA
(Certum)), Keshava Nagaraju - (eMudhra), Kiran Tummala -
(Microsoft), Leo Grove (SSL.com), Li-Chun Chen (ChungHwa Telecom),
Lynn Jeun - (Visa), Mads Henriksveen - (Buypass AS), Marcelo Silva
- (Visa), Marco Schambach - (IdenTrust), Martijn Katerbarg -
(Sectigo), Michael Guenther - (SwissSign), Michael Slaughter -
(Amazon), Michelle Coon - (OATI), Mohit Kumar (GlobalSign), Nargis
Mannan - (VikingCloud), Nate Smith - (GoDaddy), Naveen Kumar -
(eMudhra), Nicol So - (CommScope), Nikolaos Soumelidis (QMSCERT),
Nitesh Bakliwal (Microsoft), Paul van Brouwershaven - (Entrust),
Pedro Fuentes - (OISTE Foundation), Pekka Lahtiharju - (Telia
Company), Raffaela Achermann - (SwissSign), Rebecca Kelley -
(Apple), Rich Kapushinski - (CommScope), Rob Brand (Ministry of
Economic Affairs and climate Policy (NL)), Rob Stradling -
(Sectigo), Rollin Yu - (TrustAsia Technologies Inc.), Roman
Fischer (SwissSign AG), Ryan Dickson - (Google), Scott Rea -
(eMudhra), Sissel Hoel - (Buypass AS), Stephen Davidson -
(DigiCert), Steven Deitte - (GoDaddy), Sven Rajala - (Keyfactor),
Tadahiko Ito - (SECOM Trust Systems), Tim Callan (Sectigo), Tim
Crawford - (CPA Canada/WebTrust), Tim Hollebeek (DigiCert), Tobias
Josefowitz - (Opera Software AS), Tom Zermeno (SSL.com), Trevoli
Ponds-White - (Amazon), Tsung-Min Kuo - (Chunghwa Telecom),
Vijayakumar (Vijay) Manjunatha - (eMudhra), Wayne Thayer -
(Fastly), Wen-Chun Yang (ChungHwa Telecom), Wendy Brown - (US
Federal PKI Management Authority), Xiu Lei - (GDCA).</p>
<h3 id="bkmrk-updates-to-forum-web">Definitions and Glossary WG</h3>
<p id="bkmrk-leader%3A-clint-wilson-1"><strong>Leader:</strong> Tim
Hollebeek (DigiCert)<br>
<strong>Minutes:</strong> <span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">Stephen
Davidson (DigiCert)</span><br>
<strong>Presentation link:</strong> No presentation<br>
</p>
<p id="bkmrk-discussion-outside-t-11"><strong>Discussion outside the
presentation:</strong></p>
<div aria-live="assertive" id="bkmrk-there-was-discussion"
class="ace-line"><span
class="author-a-h7xz89zvmuz79zp0z87zjjtdz79z">There was
discussion to clarify the Charter language, including on end
date currently included in the Charter, questioning if this
creates unnecessary administration or accidental landmine to
step on. Clint Wilson thought that end date would set impetus
to deliver, and give the opportunity to revisit the charter
after the initial deliverable. Dean Coclin questioned what
happens if the WG initial task is not completed. Trevoli
Ponds-White supported the idea of setting milestones, but did not want
to create Charter busy work. Scott Rea supported this. It was
agreed to change the language to set a milestone rather than end
the Charter. Paul van Brouwershaven suggested adding language
for the WG to periodically reevaluate its goals.</span></div>
<div aria-live="assertive" id="bkmrk--64" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-there-was-discussion-1"
class="ace-line"><span
class="author-a-h7xz89zvmuz79zp0z87zjjtdz79z">There was
discussion regarding changing name to Document Reform, with
initial scope being definitions and glossary. Initial chair to
get the group started is Tim Hollebeek, and vice is Brianca
Martin from Amazon. Tim Callan also offering assistance.</span></div>
<div aria-live="assertive" id="bkmrk--65" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-there-was-discussion-2"
class="ace-line"><span
class="author-a-h7xz89zvmuz79zp0z87zjjtdz79z">There was
discussion of the Charter language for goals and objectives.
Stephen Davidson asked that procedures be clearly defined for
interactions with other WG. Tim suggested that GitHub issues
would be a good way to transparently track that work.</span></div>
<div aria-live="assertive" id="bkmrk--66" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-tim-described-that-t"
class="ace-line"><span
class="author-a-h7xz89zvmuz79zp0z87zjjtdz79z">Tim described that
the WG will not create normative requirements into definitions.
It is only normative by its incorporation into other BR. This
may include some restating of existing definitions.</span></div>
<div aria-live="assertive" id="bkmrk--67" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-tim-and-clint-descri"
class="ace-line"><span
class="author-a-h7xz89zvmuz79zp0z87zjjtdz79z">Tim and Clint
described how the consensus and ballot process matched the CABF
bylaws.</span></div>
<div aria-live="assertive" id="bkmrk--68" class="ace-line"><br>
</div>
<div aria-live="assertive" id="bkmrk-next-steps-are-to-ge"
class="ace-line"><span
class="author-a-h7xz89zvmuz79zp0z87zjjtdz79z">Next steps are to
get the charter letter finalized and out for vote. The goal
would be to start meetings in November. ??? commented that changes
made by this WG can impact the requirements by other WG; this
may require other WG to substantively update their own
standards.</span></div>
<h3 id="bkmrk-proof-of-concept-for" class="ace-line"
aria-live="assertive"><span
class="author-a-z77zz65zabefz87zmz82zz71zz73zz78zz87zz82zz70zy b">Proof-of-Concept
for BR of BRs with requirements Matrix </span></h3>
<p id="bkmrk-leader%3A-dimitris-zac"><strong>Leader:</strong> <span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul
van Brouwershaven (Entrust)</span> <br>
<strong>Minutes: </strong><span
class="author-a-puz66zjz85zz87zoz90zz122z9z86zfz82zez79zj">Tim
Callan (Sectigo)</span><br>
<strong>Presentation link: </strong><a
class="moz-txt-link-freetext"
href="https://cabforum.org/wp-content/uploads/15-20231004-Proof-of-concept-for-BR-of-BRs.pdf"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/15-20231004-Proof-of-concept-for-BR-of-BRs.pdf</a></p>
<p id="bkmrk-discussion-outside-t-3"><strong>Discussion outside the
presentation:</strong></p>
<p id="bkmrk-paul-van-brouwershav-1"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul
van Brouwershaven (Entrust):</span><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> I
have included links in the chat for this code if you want to see
for yourself</span></p>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-let%27s-look-at-ho" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Let's look at how we manage documents, avoid duplication of
content, and become more effective. This is my proposal and I
wanted to demonstrate how it might work. This isn't an attempt
to get us to decide to do it this way. It is a demonstration.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-why-i%27m-doing-th" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Why I'm doing this. Objective is reducing duplication and
enhancing clarity.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-benefits-include" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Benefits include, when we centralize baseline requirements into
one document, it becomes much easier to manage and update.
Think about org val information in code signing, S/MIME, and
TLS. It's mostly duplicated data.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-this-will-promot" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
This will promote consistency. We don't have to worry about
inconsistencies between documents. Easier to adhere to
because you only have to understand that section.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-efficiency.%C2%A0" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Efficiency. </span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0-clarity."
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Clarity.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-this-might-requi" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
This might require some challenges with IPR clearance. If we
are separating or combining source documents, where do you
review IPR. Definitions WG has a similar problem. Probably it
means IPR clearance has to happen at a forum level rather than
at a WG level. Perhaps everyone will be required to
participate in that WG.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i%27m-sure-we-can-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I'm sure we can deal with this, but we might need to rethink
some things.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-layered-approach" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Layered approach. These things extend each other. DV is the
minimum level. Then OV sits on that. And then EV on top of
that. Certificate profile requirements are up at the top. You
can simply exclude layers to drop to a lower authentication
level.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-transforming-the" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Transforming the RFC 3647 formatted documents. Each chapter has
a subdirectory. That means we have small documents, each
containing a single section. The small documents are easier to
manage.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-with-full-brs%2C-m" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
With full BRs, migration takes a long time. Large docs are hard
to navigate. Identifying changes is difficult. It's easy to
mess up a large document. Merging layers of documents can be
very difficult.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-these-layers-are" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
These layers are created based on the weight of what they are
saying. There is an explanation of this in the slide deck, p.
10.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-right-now-we-wri" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Right now we write paragraphs, which can require interpretation
for what the distinct requirements are. In this format, the
actual requirements are spelled out. We can filter documents
based on target profiles. Allows control statements. Allows
CAs to incorporate in a GRC system. Helps with
self-assessments.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-this-is-a-lot-li" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
This is a lot like what they're doing in ETSI.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-advanced-instruc" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Advanced instructions are a possibility. I built instructions
for appendices to include only in the BRs and ignore everywhere
else.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-the-generated-br" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
The generated BR doc is equal to the source doc.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-code-signing-and" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Code signing and S/MIME include some TLS specific requirements.
This is easily solved.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-there-is-also-an" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
There is also an option to specify a level of assurance.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-23"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-let%27s-look-at-ho-1"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Let's look at how this actually works. (Paul gives a demo of
the data structure.)</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-24"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-dimitris-zacharopoul-1"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Dimitris
Zacharopoulos (HARICA):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-understand-we-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I understand we should align the different sections of the
different documents. It's an easy concept but I imagine there
is some work to get to this.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-25"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-2" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-the-nice-thing-i" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
The nice thing is we can migrate paragraph by paragraph over
time.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-26"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-tim-hollebeek-%28digic"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Tim
Hollebeek (DigiCert):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-agreed.%C2%A0-the-har"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Agreed. The hard part is building it out and figuring out how
things work and whatnot. Talking in abstract is easier than
getting the details right. I'm keen to give this a run and see
how it works. If we don't run into too many problems, we can
continue to maintain this and let it evolve as we move over.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-27"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-3" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-right-now-we-don" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Right now we don't use the same headers across documents. This
would solve that.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-%5Bpaul-demonstrat" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
[Paul demonstrates how to use an existing section from the BRs
and extend it with additional text. Paul shows how to add an
additional layer in the middle of a section.]</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-28"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-trevoli-ponds-white--1"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Trevoli
Ponds-White (Amazon):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-love-the-idea-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I love the idea of having a BR of BRs. I thought the intent was
to capture requirements that are similar. I can see how this is
an IPR challenge. It looks like the proposal is the group would
maintain the section that goes in all the BRs. I would think it
would be for the individual working groups to pull in the
sections they want.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-29"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-4" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-if-you-look-at-w" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
If you look at what we're doing, maybe 80% to 90% of content is
the same. If we have a WG that works on the BRs, that would be
baseline requirements that everyone is based on. The WGs
shouldn't question them. Then these groups would add
requirements specific to their certificate types.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-30"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-trev%3A-1" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Trev:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-your-first-state" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Your first statement was it's 80% the same. There should be one
requirement. I'm trying to connect the dots between the text is
the same and so I made individual files to make them different.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-31"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-tim%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Tim:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-paul%2C-the-sectio" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Paul, the sections you wrote about underscore CS, for example,
would be the responsibility of the code signing working group.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-32"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-5" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i%27ve-demonstrate" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I've demonstrated that here in the code owners. EVGs is server
cert WG. Code signing is code signing WG. Nobody else can
change that. The different files help us to do this on a slow
pace where we think it's needed. If we stay within one
document, this will be a multiyear project that may never
finish.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-33"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-aaron-gable-%28le%29%3A"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Aaron
Gable (LE):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-love-this.%C2%A0-i-"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I love this. I love the ability of individual CAs to
automatically generate their CP/CPS.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-34"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-6" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-you-could-add-yo" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
You could add your own files and instead of writing
requirements, put control statements in those files. You could
automatically generate a self-assessment. We could support that
from the forum to help the members maintain it.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-35"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-aaron%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Aaron:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-minor-concerns.%C2%A0"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Minor concerns. One, it seems like what you're talking about
here is three separate initiatives. Changing the way we
maintain these documents. Take advantage of that tooling to
unify and harmonize these documents. Let's make it possible to
automatically extract requirements. I love all three of these,
but it seems like we should focus on the restructuring and do it
with no diff to the documents, knowing it is groundwork. Let's
discuss and decide on these as three separate things.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-when-a-wg-decide" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
When a WG decides the text in the BRs isn't sufficient for us
and we need to modify it to change the verbiage, Git is bad at
displaying small diffs in modified files. Eventually we may
have to band aid the fact that Git is bad at that.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-36"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-7" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-included-a-scr" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I included a script that when we transform documents, it will
compare each section to the BR and remove if it's exactly the
same. The next step is to identify documents that were the same
for 90% or 99%. This is the low hanging fruit for modification.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-37"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-trev%3A-2" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Trev:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-the-infrastructu" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
The infrastructure WG set up all these docs in GitHub. It feels
to me like this is just the structure of what was set up. I figure
most people don't care. I don't know if we need the BRs group to
even care how these documents are created.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-38"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-aaron%3A-1" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Aaron:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-in-my-opinion%2C-s" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
In my opinion, step one is tighten up the scripts so the output
is virtually identical to the existing documents. And then
let's just start working. That first step doesn't need a
working group.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-39"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-trev%3A-3" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Trev:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-it-has-a-working" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
It has a working group.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-40"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-8" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-if-we-want-to%2C-t" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
If we want to, this can be done by infrastructure WG.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-41"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-clemens-wanko-%28acab%27"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Clemens
Wanko (ACAB'c):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-do-i-understand-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
Do I understand the idea is to support the WGs but not to use
that as a final version to use? Remember, we need a stable
version to work on.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-42"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-9" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-all-these-docume" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
All these documents will be merged into the same documents we
have today. The BR of BRs is exactly the same except space and
no stipulation. Code signing is almost the same except renaming
files. Similar for S/MIME.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-43"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-dimitris%3A-2" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Dimitris:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-think-the-byli" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I think the bylaws and WGs already cover this. Are there any
objections to proceeding? This is just a transformation of
GitHub that will produce the exact same documents. We will need
some people to support Paul in this.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-44"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-clint-wilson-%28apple%29-1"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Clint
Wilson (Apple):</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-like-the-way-t" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I like the way this is shaping up. Careful how we move
forward. There are a lot of people where this is foreign space
for them. Anything we can do to help anybody's ability to
engage with the BRs might make it easier. They only have to do
one tiny document. Keeping the changes we initially make as
additive, so there's familiarity while we transition.</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i%27d-love-to-have" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I'd love to have conversation about how you work with this
written up, so folks can reference it as they start working with
this.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-45"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-dimitris%3A-3" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Dimitris:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-to-propose-chang" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
To propose changes, you don't need to use GitHub if you're not
fluid in it. Use Word with track changes and work with someone
who knows the GitHub process.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-46"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-10" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-i-think-this-wil" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
I think this will make contributions easier because the files
are smaller and the risk is lower. I hope this encourages more
collaboration.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-47"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-clint%3A" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Clint:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-if-we-have-a-lis" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
If we have a list of ballot shepherds, that will help.</span></div>
<div aria-live="assertive" id="bkmrk-%C2%A0%C2%A0%C2%A0%C2%A0-48"
class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z"> </span></div>
<div aria-live="assertive" id="bkmrk-paul%3A-11" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">Paul:</span></div>
<div aria-live="assertive"
id="bkmrk-%C2%A0%C2%A0%C2%A0-we-need-to-take-" class="ace-line"><span
class="author-a-87nkz75zz79zbz66zz88zz69zz75zo3z70zz122zz74z">
We need to take this on in the infrastructure WG and take this
to the next step.</span></div>
<p id="bkmrk-adjurned-forum-plena-1"><span
class="author-a-z81zz88z2dqaoz90zz77z9pmr5z81zd"><strong>ADJOURNED
Forum Plenary Meeting for Day 2</strong></span></p>
------- END FINAL F2F #60 CA/B Forum Plenary Meeting minutes -------
<br>
<br>
</body>
</html>