[cabfpub] Notes of meeting, CAB Forum, 9 August 2012, Version 1

Ben Wilson ben at digicert.com
Thu Aug 23 22:10:06 UTC 2012


Below are the minutes of the CAB Forum meeting held on August 9, 2012.

  

Notes of meeting

CAB Forum 

9 August  2012

Version 1

 

1.   Present:  Ben Wilson, Eddy Nigg, Jeremy Rowley, Gerv Markham, Sid
Stamm, Rick Andrews, Kirk Hall, Dean Coclin, Joe Kaluzny, Chris Bailey,
Wayne Thayer, Steve Roylance, Yngve Pettersen, Rich Smith, Brad Hill, Robin
Alden, Stephen Davidson,  Tom Albertson, Phill Hallam-Baker, Moudrick
Dadashov, Ryan Koski, and Geoff Keating.   Quorum equals 7.

 

2. Agenda review

The agenda was reviewed.

 

3. Minutes of Meeting 26-Jul-2012

Minutes of 26 July 2012 were approved as published.  

 

4.  Ballot status.  

Ballots 79 and 83 passed.  Ballot 82 was rejected.  Ballot 84 is pending for
user-assigned country codes.   Rich mentioned that Eddy had proposed a
possible alternative solution that would assign a single code "XX" when an
official ISO code has not been assigned.   The other fields would then be
used to provide geographic location of the subscriber.    Ballot 84 was then
withdrawn, to be replaced with a new ballot.

 

5.  Update on status of BR Issues list

Bruce Morton was working on a motion to address BR Issues 15 and 29.  Jeremy
had endorsed the previous version.  Dean and Rick will review it, and it may
be ready again to submit to vote.  Yngve noted that a ballot to address BR
Issue 7 (AIA URL) had been endorsed by Wen-Cheng Wang.  Jeremy mentioned
that his proposal regarding short-lived certificates could be combined in
the same motion.  Rick said he thought that the concept of short-lived
certificates is too new to justify eliminating revocation information.  

 

Yngve said that he had submitted a proposal to resolve BR issues 6, 8, 20 &
21 (reasons for revocation). 

Rick said that before CAs should adjust revocation of intermediate CAs,
browsers should be required to check intermediates.  Yngve and Gerv
mentioned that Opera, IE, and Firefox have ways of checking for revocation,
including the use of blacklists for situations like Diginotar, Digicert
Malaysia, and Trustwave.  Jeremy noted that the proposed revision to Section
13.1.5 treated the reasons for revocation the same for end entities and
intermediate CAs and that some reasons for revocation did not apply so that
two separate lists were needed.  He said he would work with Yngve on a
revised version.

 

6.  Discussion re:  Membership, Observers, and Leadership

Ben introduced the idea of having co-chairs.  Several members said they
favored having a single point of contact and that a chair / vice-chair
arrangement would be better.  Tom said he thought the chair should be
interim until a new organization is formed, and it was generally agreed.
Ben said that he and Dean would work together to prepare a ballot for the
election of a chair and vice-chair.

 

7.  Discussion of IETF and the Web PKI

Ben said that the IETF had requested an indication of member interest in an
IETF working group on Web PKI.  Chris said that he was opposed to the CAB
Forum taking on a relationship with the IETF but that members should be free
to participate in such a group.

 

8.  Status of IPR Legal Committee Meeting

Ben explained that the IPR committee had met on Wednesday and that two items
were discussed: whether to "blow up" the IPR and whether members would be
open to adopting a work-group-centric model.  Ben said he thought there
would be no barrier to following a work group model, but that there were
some who had indicated we might want to adopt an IETF model.  Tom said that
we have an IPR in place as of August 1, and there are now members and
non-members but that we need to ensure that there are ways for non-members
to participate in IPR and governance discussions.  While we worked long and
hard for the IPR policy, and we're appreciative of the time involved, we did
lose several members on Aug. 1st.   Gerv said that we should stop hacking at
the IPR and focus on getting the governance structure in place with a
governance board that can adopt a good IPR with minimal changes.  Dean asked
Brad what his thoughts were.  Brad said it would have been better to have
had something like W3C that was easier to analyze and that the current IPR
policy was rather broad.  

 

Conversation then turned to the mailing lists.  Because of the IPR, several
parties were taken off of the management list but left on the governance and
revocation mailing lists.  Because of the conflicts that this posed with the
IPR Policy and governance reform efforts, it was decided to eliminate both
lists. 

 

Stephen had previously mentioned in an email that the IPR Policy should be
posted publicly on the CAB Forum site and that patent disclosure statements
should also be placed on the internal wiki for review, and it was generally
agreed that those two actions should take place.  Ben said he would create a
patent list on the wiki.   Wayne will post the IPR Policy in the Documents
section of the web site.

 

9.  Status of Straw Poll on Governance Reform

Ballot 85 has been published.  The ballot review period is from 10 August
2012 to 2100 UTC on 17 August 2012.

 

10.  Status of Discussion on Revocation and Certificate Validity Discussions

Rick has reviewed documentation about client behavior for EV certificates
found on the wiki and has finalized the white paper on the revocation
checking to be performed by SSL clients.   He will circulate a ballot
requesting that they be publicly posted.  

 

11.  Next steps on CAB Forum Network Security Controls - errata and review

Ben said that he would work to harmonize the document with WebTrust and ETSI
provisions and create an issues tracking page on the wiki similar to the one
used for the Baseline Requirements.

 

12.  Next Face-to-Face meeting

Fewer than 10 people have RSVP'd so far.  Robin urged that those planning to
attend RSVP as soon as possible. 

 

Dean confirmed that a location in Munich would accommodate the size of our
group and that we just need to pick a date.

 

13.  Any other business

Joe expressed concern that the 1 August 2013 deadline to comply with Ballot
80 regarding issuing "good" responses for unknown certificates would not be
enough time according to discussions with a vendor.  Others responded that
it was understood when the ballot was passed that if next year it appears
that a particular vendor will not meet the deadline, it will be adjusted
by another ballot. 

 

14.  Next meeting

The next teleconference will be on August 23rd. 

 
