[cabfpub] Draft Meeting Minutes, CAB Forum, 7 June 2012, Version 1

Ben Wilson ben at digicert.com
Fri Jun 8 21:47:55 UTC 2012

Here are the draft minutes of yesterday's meeting.


Notes of meeting

CAB Forum 

7 June 2012

Version 1


1.   Present:  John Espinoza, Rich Smith, Ben Wilson, Atsushi Inaba, Renne
Rodriguez, Kirk Hall, Jeremy Rowley, Wayne Thayer, Brad Hill, Stephen
Davidson, Mads Henriksveen, Eddy Nigg, Dean Coclin, Carsten Dahlenkamp, Gerv
Markham, Chris Palmer, Yngve Pettersen, Ryan Sleevi, Robin Alden, Rick
Andrews, Steve Roylance, and Bruce Morton 


2.   Agenda review

Discussion of the emergency motion to postpone IPR Agreement submission
deadline added to discussion before Item 5.


3.  Minutes of Meeting on 24 May

Minutes of 24 May 2012 unanimously approved.


4.  Ballots status

Ballot 75 - NameConstraints criticality flag closes at 21:00 UTC on 8 June

Ballot 76 - Public Review of Network Security Controls will close at 21:00
UTC on 12 June 2012

Emergency Ballot closes at 23:59 UTC on 7 June 2012


Emergency Ballot Discussion Item

It was stated that, if this ballot passes, those who have not signed and
submitted the IPR Agreement should engage in good faith to inform everyone
of their intentions at the earliest point possible and not hold off until
the last minute.  If any review of the IPR Policy occurs, it should occur
sooner rather than later.   IdenTrust has volunteered to facilitate
discussions in this regard.   Members should have everything squared away
with their material reviews and any modifications to address inclusive or
exclusive effects of the IPR policy should be conducted before August 1st.
It was noted that much conversation, debate, and negotiation took place over
many months on this issue and that any defects should have been worked out
before now.  There is also the concern that changing the balance from one
side to the other might mean that other members drop out.   

According to the IPR Policy, observers (anyone commenting on CAB Forum
topics) are also covered by the IPR Policy, so converting non-signing
existing members into observers will not solve the problem.  The practical
solution may be decided by the Emergency Ballot, which is likely to pass.
Several members expressed concern about the way that the vote was handled.
Some acknowledged that many organizations have such procedures that allow
exceptions or suspension of procedure in certain cases.  It was also
acknowledged that formal written procedures for such situations are needed.


5.  Gjovik agenda

Item 7 on the agenda (EV Code Signing) is a remnant of the copied agenda
from the last face-to-face meeting.  It is being replaced with extended
discussion of agenda item 6 (Baseline Requirement Issues List) and new item
7 IPR Policy and IPR implementation.


6.  IPR boilerplate

The draft IPR policy click-through agreement and agenda notice disclosure
(for contributors) reads, "By submitting a contribution to the CA/Browser
Forum ("Forum"), you hereby grant the Forum  and its members an unlimited,
irrevocable, worldwide, and sublicensable right to publish, modify, use,
distribute, sell, display, license, and create derivative works of the
contribution in any manner the Forum sees fit and without attribution of
authorship.  You hereby agree that the contribution discloses all patents or
patent applications of which you are aware that are necessary to implement
the ideas described in the contribution. You acknowledge that your failure
to disclose such patents and patent applications as part of the contribution
grants the Forum, its members, and any entity implementing a Forum work
product an irrevocable, non-exclusive, worldwide, and royalty-free license
to any registered, pending, or unregistered intellectual property rights in
the contribution that you or the entity you represent possesses or may
possess in the future." 


7.   Individual name as commonName attribute

This is related to Ballot 69 and BR Issue Item Number 14.  Further
discussion is needed to determine whether Ballot 69 can be amended to go
forward to a vote.


8.   BR Issues list

Ballot 74 (Updates to Domain and IP Validation, High Risk Requests, and Data
Source in the Baseline Requirements) failed for lack of a quorum and is
being reintroduced as Ballot 78.  Yngve is looking for two endorsers to a
motion that would resolve BR 1.1 issues #5, #6, #7, #8, #10, and #21 (#16
was superseded by #15).  See his email of 24-May-2012 13:43 GMT titled,
[cabfman] Update of Yngve's BR 1.1 issues + #10.  He will separate E.
(13.2.7 Response for non-issued certificates) from that motion in order to
simplify the motion by avoiding debate about responding with a status reason
code for an unauthorized certificate (DigiNotar). 


9.  Governance reform

The Committee has been meeting on Wednesdays.  Four proposals are currently
on the table, and recent efforts have been made to consolidate the proposals
down to three for simplification.  The group does not plan to present any
ballot or poll until after the meeting in Norway, but there are efforts to
get the proposals out to the Forum for review.  Generally, the proposals can
be identified as follows:   TrendMicro - current Forum governance but with
added participation from public/observers; PayPal - a governing Board with
Board voting by all groups (CAs, Browsers, and Interested Parties);
Microsoft - a representative governing Board with a set number of Board
members (e.g., 4 CAs, 3 Browser Reps., 2 Interested Party representatives);
and DigiCert - guidelines adopted by membership at large, but Board of
unlimited size must ratify (only CAs and Browsers contributing $10,000
annually are Board Members).


10.  Any other business

Extension-of-Deadlines Voting -- One suggestion to resolve the granting of
extensions to deadlines (like the IPR Policy instance) would be a specific
procedure to allow a one-time extension based on normal voting process (one
week of ballot review followed by one week of voting).   In addition, a
shortened emergency ballot with different criteria is also needed.


Also, the Flame incident is making a lot of news lately.  It appears to be
sophisticated and combines several vulnerability exploits, including MD5,
predictable serial numbers, prefix attacks, etc., and it also involves good
computing power and expertise.  More information is available from a
Microsoft release and an article posted on arstechnica.com.


11.  Next meeting is on 21 June 2012


12.  Meeting adjourned.



Benjamin T. Wilson, JD CISSP 
General Counsel and SVP Industry Relations
DigiCert, Inc.
