[cabfpub] Notes of meeting, CAB Forum, 26 July 2012, Version 1

Ben Wilson ben at digicert.com
Thu Aug 9 14:52:32 MST 2012


The following minutes from the last CAB Forum meeting were approved during
today’s CAB Forum meeting.

Notes of meeting
CAB Forum
26 July 2012
Version 1

1.  Present

Tim Moses, Wayne Thayer, Atsushi Inaba, Brad Hill, Dean Coclin, Eddy Nigg,
Bruce Morton, Geoff Keating, Rick Andrews, Renne Rodriguez, Yngve Pettersen,
Jeremy Rowley, Carsten Dahlenkamp

2.  Agenda review

The agenda was accepted as published.

3.  Minutes of meetings on 12 July

The minutes were accepted as published.

4.  Ballots status

Ballot 80 opens for voting later today.
Ballot 82 closes next Tuesday.
Ballot 83 opens for voting tomorrow.

5.  CABForum Network Security Controls Ballot Draft 1

Rick said that he would like to propose a change.  It has to do with air-gap
requirements for root CAs.  Symantec has one or two legacy CAs that have
issued end-entity certificates.  They need to keep them online to issue
CRLs.  He said that he has circulated a proposed revision to allow this
case.

Tim said that Ben is the only one with the authority to modify or withdraw
the motion.  Absent such a move, the voting period will commence at 2100 UTC
(Friday) 27 July.  Jeremy said that he would be able to talk to Ben and make
sure that the issue was addressed before the voting period commenced.

Rick said that his proposal is specific to existing roots that must issue
CRLs on a short time-base.  Eddy said that having these root CAs online
should not be allowed beyond the expiry of the last end-entity certificate. 
Rick agreed.  He thought that other CAs shared his concern.  Bruce asked to
see Rick’s proposed revision.  Rick said that he would send the proposal to
the public list.  Jeremy said that he would make sure the ballot was amended
prior to commencement of the voting period.

6.  BR Issues list

Yngve said that those who have objected to Ballot 80 agree with the
principle of the motion, but they had trouble with the timeline.

Yngve said that previous ballots commonly contained grace periods of seven
months or less.  Tim said that, in this case, we are dealing with a
third-party software supplier.  So, implementation is not entirely under the
CA’s control.  For this reason, they need a way of convincing the supplier
that a product change is required.  Eddy agreed, saying that the Baseline
Requirements contain some “softened” requirements where software or hardware
changes are involved.

Yngve said that he can understand the problem.  But, in his view, CAs have
been on notice since October that this change was coming.  Tim said that
Yngve had to decide whether to let the ballot proceed as currently worded
and face the possibility that it will fail.  Alternatively, he could accept
an amendment, in which case the ballot might pass.  It was his choice.

Yngve said that he preferred to make this requirement “mandatory” with (if
necessary) an extended grace period, and “recommended” with an earlier
introduction date.

Rick asked what would happen if he was unable to convince his supplier to
update the product.  Tim said that, if, when we approach the deadline, a
suitable product has not become available, then another ballot could be
introduced to deal with the situation.  Eddy thought that one year should be
sufficient.

Yngve suggested eleven months for introduction of the mandatory
requirement.  Rick said that he thought twelve months would be required. 
Yngve suggested recommending the practice from 1 Feb 2013 and making it
mandatory from 1 Aug 2013.  Rick agreed.  He said that he would monitor
progress closely, and in case it becomes impossible to meet the 1 Aug
deadline, he will reintroduce the topic.

Eddy asked about related client changes.  Rick said that it would be easier
to “sell” changes like this one inside his organization if there were
corresponding moves on the client front to deal with revocation behaviour
(for instance, if browsers were required to block a site on receipt of an
affirmative “revoked” status).

Yngve said that Opera already hard-fails on “revoked” status.  But,
uncertainty persists around the “unknown” and “unauthorized” values.  Rick
asked about the other browsers.  Yngve said that he was uncertain about
Google’s plans for using OCSP responses.  He said that he thought that
Firefox and IE hard-fail on “revoked”.  Geoff said that Safari displays a
dialog box.  But, he believes that there is still a way to click around
that.  However, if there were an industry position that this behaviour
should be deprecated, then Apple would revisit the decision.  Rick said that
he would like to see an industry position that; in case the browser gets a
“revoked” status for any certificate in the chain, then it must block with
no option for proceeding to the Web-site.  He said that, if we can’t agree
on that, then we’ll never be able to agree on how to deal with “no response”
or an “unknown” response.

Tim speculated on the proper vehicle for making such a statement.  Rick said
that it should be a CABForum Requirements document.  He hasn’t written it
into the “Guidelines for the Processing of EV Certificates”, because he
wants to get agreement first.

Yngve said that he had just tested Firefox and it doesn’t allow
click-through.  Rick said that he would like to see all browser vendors
state for the record that, for DV, OV and EV, for desktop and mobile, they
don’t allow navigation to a site when an affirmative “revoked” status is
received.  He said that IE9 appears to allow the user to click-through, but
this may be an artifact of the particular certificate.

Geoff said that Apple would likely respond to something as simple as a CABF
ballot calling on browsers to behave a certain way.

Tim said that we obviously have to hear from a Windows/IE representative,
but, it sounds like a possibility that CABF could take a stance on an issue
like this one and that it might have an effect on browser design.

Eddy said that he would like to see such a ballot coincident with Yngve’s
ballot.  Tim said that that would cause a delay to Yngve’s ballot.

Yngve said that he thought Opera could be more agile than other browsers. 
He thought that Opera could release a change of this nature in half a year. 
Security features could have a faster turn-around.

Rick said that he could agree to letting Yngve’s ballot proceed, while we
progress the other issue separately.  He asked how the Forum’s resolution
would be communicated.  Should it result in a change to the Baseline
Requirements, for instance?  Somehow, it should appear on the CABF
“Documents” page.  Geoff agreed that a public statement would be better than
a simple ballot result.

Yngve said that we could have a “notes” section on the “Documents” page.

Tim asked if we should introduce the statement into the “Guidelines for the
Processing of Certificates”.  Rick said that the current document is
specific to EV.  He said that he could extend it to cover other certificate
types.  He suggested that we complete the EV document, and style it as
“requirements”, not “guidelines”.  Then we can use that as a model for a
document on non-EV certificates.  The first draft would likely contain
nothing other than a statement about behaviour on receipt of a “revoked”
status response.  Subsequent drafts would state a broader range of
requirements.  This was agreed.

Eddy said that he was happy with Rick’s proposal.

Tim summarized: Yngve has agreed to require two implementation dates: SHOULD
by 1 Feb 2013 and MUST by 1 Aug 2013.  And Rick will start drafting a
document that records requirements on browsers processing publicly-trusted
SSL certificates.

Bruce said that he is working on a ballot for two issues (15 and 29).  He
has received comments from Rick and Yngve that he plans to accommodate. 
But, he is lacking endorsers.  Rick said that he would be willing to
endorse.

Jeremy said that he doesn’t support deprecating domain names in the subject
common name attribute because he is uncertain of the impact on legacy
clients.  We already require that a domain name in the subject common name
attribute be selected from those in the subject alternative name extension. 
This requirement addresses the concerns, so there is no good reason to risk
breaking legacy clients.

Rick said that, if we are to modify CA behaviour in relation to domain names
in the subject common name attribute, we should simultaneously impose
requirements on browsers to deal with the common name attribute properly.

Yngve said that there has been an SSL client requirement for some years
that, where a subject alternative name extension is present, it should be
used in place of the subject common name attribute.  This is what Opera
does.

Brad said that he is more concerned about the gTLD and the Internationalized
Domain Name requirements than the common name requirement.  He would be
willing to drop the common name requirement.

Yngve said that he proposed using a newer IDN reference (RFC 5890 instead of
RFC 3490).  Also, he had concerns about the definition of the term
“operationalize”.  Brad said that this means the time at which the name is
resolvable on the public Internet.  Yngve said that he is concerned about
private names remaining in use after they have become resolvable on the
public Internet.  Brad agreed.  But, the current text was an acceptable
compromise, given the difficulties that customers may confront in removing
the names from their private networks.  Yngve said that a user on the
private network would remain vulnerable.  Brad said that he would accept a
grace period in return for agreement to phase out the practice.  Yngve said
that there will be a delay between the announcement of a new gTLD and its
being available for registrations.  In his opinion, they are “operational”
once announced.

Yngve said that the point of “operationalization” should be defined.  Brad
said that he would propose some language on that topic.  Jeremy said that he
would likely endorse the revised motion.

7.  Any other business

Dean said that we have been operating under the Baseline Requirements for a
few weeks now.  The CABForum should issue a statement to the effect that
members are now operating under the requirements.  He also suggested that
the statement include guidance on how to check which certificates are issued
in conformance and which are not.  Dean said that the Forum should provide a
resource for dereferencing policy identifiers.

Rick said that we should do the same thing for EV.

Tim pointed out that, probably, as of today’s date, not all members are
issuing conformant certificates.  Dean said that we would list the subset of
members that were issuing, and wanted to be identified as issuing,
conformant certificates.  This is an opportunity for the Forum to step
forward with information about ongoing improvements in the Web PKI.  Dean
agreed to take the lead on the topic.

Dean said that there appears to an impetus to form an industry group for SSL
CAs.  The purpose is to educate the public and provide unified messaging
around SSL CAs and respond to issues that come up in the press.  A group of
CAs could be more responsive than the Forum can be.  Dean said that this is
just in the discussion phase.  Consideration had been given to making this a
part of the Forum.  But, it was decided that this was not the best way
forward.  He wanted to make others aware of the initiative.

Yngve said that through the incidents in 2011, there had been involvement
of, and sharing with, the browsers.  He was concerned that that
collaboration might suffer.  Dean said that the intent is public education
and coordinating response to incidents when necessary; working WITH the
CABForum, not INSTEAD OF the CABForum.

Jeremy said that there is no plan to duplicate or conflict with CABForum. 
He said that DigiCert was in the spotlight last year over the Digicert
Malaysia incident, and this made them keenly aware of the need for an
industry body to represent CAs.

Dean said that Munich is looking more likely than Reading for Meeting 29.

8.  Next meeting

9 Aug.

Tim said that today’s is the last meeting before some significant changes in
membership.  He mentioned the names of some previous participants who will
not be participating henceforth based on the situation as it exists today. 
He said that this will necessitate some administrative changes, including
the teleconference number.  A new chair will have to be appointed.

Tim said that he has a list of members’ email addresses that he has
correlated with the list of executed IPR agreements.  He sent messages to
the addresses of those whose organizations had not executed the agreement,
warning them that they will be deleted from the list and the Wiki ACL on 1
Aug.  He offered to update the list of 31 July and send the result to Wayne,
asking him to make the necessary changes to the mail list and Wiki ACL.





More information about the Public mailing list