[cabfpub] Notes of meeting, CAB Forum, 24 May 2012, Version 1

Steve Roylance steve.roylance at globalsign.com
Fri May 25 15:03:23 UTC 2012


Hi Tim.

In the AOB section, I also raised the subject of retention of Personally
Identifiable Information.  Within both the EV and BR guidelines the CABForum
mandates times to store information beyond the expiry of a certificate.
Given that under BR SSL certificates 'may' be purchased by individuals and
noting that individuals may already be somehow involved in face-to-face
meetings or investigation by a CA during the vetting process, then we need
to be mindful of current and future European Regulations such that we don't
unnecessarily burden CAs with requirements that could be deemed
incompatible with legislation.  It's not one for immediate discussion and
possibly not one for the next F2F, but maybe one for the meeting beyond
that, especially if we could aim to locate a guest speaker knowledgeable on
the subject.

I don't feel it's necessary to up-issue the meeting minutes for this item,
but please feel free to add if any other changes are necessary.

Steve

From:  Tim Moses <tim.moses at entrust.com>
Date:  Friday, 25 May 2012 15:10
To:  CABFPub <public at cabforum.org>
Subject:  [cabfpub] Notes of meeting, CAB Forum, 24 May 2012, Version 1

Notes of meeting
CAB Forum
24 May 2012
Version 1
 
1.  Present
 
Tim Moses, Ben Wilson, Wayne Thayer, Atsushi Inaba, Brad Hill, Jeremy
Rowley, Dean Coclin, Eddy Nigg, Kirk Hall, Robin Alden, Bruce Morton, Mads
Henriksveen, Sissel Hoel, Gerv Markham, Geoff Keating, Carsten Dahlenkamp,
Rick Andrews, Chris Bailey, Tom Albertson, Sid Stamm, Wendy Brown, Ryan
Sleevi, Renne Rodriguez, Yngve Pettersen, Chris Palmer, John Johansen, Steve
Roylance, Ryan Hurst, Simon Labram, Phill Hallam-Baker, Bill Madell, John
Espinosa, Tom Ritter
 
2.  Agenda review
 
Eddy asked that requirements for the inclusion of the German "state" in an
EV certificate be discussed under Item 14.
 
3.  Minutes of meetings on 10 May
 
The minutes were accepted as published.
 
4.  Ballots status
 
Ballot 72 is open.  Ballot 74 opens later today.
 
Yngve said that he has circulated a motion to address the BR issues that
were assigned to him.  He is seeking endorsers.
 
Tim said that he, too, has circulated a motion for BR Issue 14 and is
seeking endorsers.
 
5.  Gjovik agenda, logistics and RSVP
 
Mads has provided logistical information for Meeting 26 in Gjovik.
 
https://www.cabforum.org/wiki/Face-to-face%20meeting%20calendar
 
He requests that those who plan to attend let him know as soon as possible.
 
The meeting agenda is also posted there.  Tim asked that members review the
draft agenda and identify topics for inclusion.
 
6.  Process for IPR Agreement submission
 
Tim said that the deadline for submitting executed IPR agreements (for
continuity of membership) was 7 June.  Eleven members have submitted to
date.
 
Jeremy said that he felt the motion for Ballot 67 was unclear.  Dean said
that his legal adviser told him that it could be interpreted as allowing 120
days from the effective date for submission of exclusion notices.  Tim
disagreed.  He said that he thought the motion was clear, and that 60 days
was the allowed period.  Jeremy said that nothing important would be lost by
extending the period.  Tim said that the result of a formal ballot could
only be overturned by another formal ballot.  If such ballot were to
complete before 7 June, it would have to be announced today.
 
Wayne asked whether, in light of Entrust's exclusion notice, there would be
a Patent Advisory Group.  Tim said that he believed that to be the case.  He
said that that should be determined once the 7 June deadline had passed.
 
7.  Options for governance reform
 
Chris P said that the Governance working group was almost ready to return
the discussion to the Forum as a whole.  There are four complete proposals;
those from PayPal, Microsoft, DigiCert and TrendMicro.  The next step was to
post the proposals on cabforum.org.
 
Brad said that the TrendMicro proposal mischaracterizes the content of the
submissions that have been received concerning problems with the current
organization and procedures.  He asked that, if it is to be posted in such a
way that rebuttal is not feasible, then it should limit itself to a
description of the proposal.  Kirk disagreed.  He said that, if he were to
make the requested changes, he would expect the other proposals to similarly
remove any criticism of the Forum's operations to date.
 
Brad agreed to send Kirk a revised version of the TrendMicro proposal for
his consideration.  Dean said that Kirk will simply reject Brad's version.
Brad said that an alternative approach would be to publish all the
discussion related to the proposals.  The issue was returned to the
Governance working group for further discussion and resolution.
 
Tim asked about the next step.  He voiced a concern that to simply put
multiple proposals to the vote may not produce a result that fairly reflects
the members' views.
 
Chris P said that he foresaw more discussion taking place within the Forum
membership on the individual elements of the decision process as laid out by
Jeremy in his summary of progress to date.  This will probably result in
refined/combined proposals.  It was also agreed that the working group would
meet one more time and that it would consider the question of how to get to
_one_ proposal from the current four.
 
8.  The way forward for the network security project
 
Ben said that the Network Requirements document was ready for public review.
There was some discussion about whether this step should be approved by
ballot.  It seems clear that our lifecycle process demands this.  Jeremy
said that, now that we have more public scrutiny on the document
development, a ballot should be unnecessary.
 
Tom said that he had been expecting a ballot and was preparing to review the
document once the ballot was announced.
 
It was agreed that any revisions to the lifecycle document could await the
outcome of the governance deliberations.
 
Gerv and Eddy agreed to endorse Ben's motion to move the document to public
review.
 
9.  Qualified CSPs
 
Tim said that both Tom and Stephen Davidson had expressed concerns that
there is (potentially) a significant number of CSPs in Europe to whom the
Baseline Requirements may apply, and who may not even be aware of the BRs'
existence.
 
Tim said that any CSP in the Mozilla program should be aware as a result of
Kathleen Wilson's communication.  Tom said that he could also contact
members of Microsoft's program and make them aware of the existence and
relevance of the Baseline Requirements.
 
Tom said that he would also make his embedding partners aware of the Forum's
upcoming Meeting 26.
 
10.  MITM with bogus certificates
 
Yngve said that he has posted an article on recent uses of malware to
perform MITM attacks.
 
http://my.opera.com/securitygroup/blog/2012/05/16/suspected-malware-performs-man-in-the-middle-attack-on-secure-connections
 
11.   Non-member contributions
 
Tim pointed out that there exist some anomalies in our handling of
non-member contributions.  1. We have indicated that current members who
don't sign the IPR agreement ahead of Meeting 26 should not plan to attend,
yet we have invited non-members to attend.  2. The point of application of
the IPR obligation is the 60-day review period, but non-members who have
made a contribution may no longer be active at that time.
 
Ben and Jeremy agreed to provide a short notice indicating the expectation
that contributions be identified as encumbered where that is the case.  The
notice would be added to the notices that are currently attached to the
agenda, to the anti-trust statement read out at the beginning of in-person
meetings, and to a boilerplate slide for inclusion in non-members'
presentations.
 
12.  Luxembourg audit scheme and EV
 
Tim recapped his understanding of the audit scheme in Luxembourg as
described by ILNAS.  ILNAS is a public institution that audits private CSPs
in Luxembourg.  They are (apparently) self-accrediting.  This precise
situation is not contemplated in the BR and EV Audit Requirements.  If the
CSP had been a public-sector operation, then it would have been allowed.
ILNAS has asked if their EV audit of a private-sector CSP (LuxTrust) would
be acceptable to the CAB Forum.
 
Two suggestions were considered: 1. We could ask LuxTrust to become a member
of the Forum and make a proposal to modify the EV Guidelines to accommodate
their situation.  2. We could recommend that LuxTrust approach each of the
embedding programs with a request that their situation be allowed.  Then the
embedding programs would make a proposal to modify the EV Guidelines
accordingly.  It was decided to take the latter approach.  Tim agreed to
contact Nick Pope and ask him to put this to ILNAS.
 
13.  Use of the "public" list
 
There was some discussion about which topics should be discussed on the
public mail list and which on the private mail list.  The Governance working
group was asked to consider the question and provide guidance within their
governance proposals.
 
It was decided that the agenda and minutes of teleconferences and other
meetings would be circulated on the public list, but teleconference dial-in
details would be available only on the members-only Wiki.
 
14.  Any other business
 
Eddy brought up the question of EV certificates and the need to identify the
German state.  It was agreed that German states should be treated in a
manner similar to US states.
 
Eddy said that he had attempted to contact a member concerning a
non-conformant certificate that they had issued.  He had not received a
reply.  He wondered when it would be appropriate to escalate.  It was agreed
that researchers should (as Eddy has done) contact the relevant CA whenever
a non-conformance is discovered.  The researcher should use his or her own
discretion in deciding when to escalate.  But, that escalation could take
the form of posting the certificate in the "Observed Problems" section of
the Wiki.
 
John E asked for clarification concerning the requirements for signing the
IPR Agreement and exclusion notice.  Tim said that, for continuity of
membership, the deadline for submission of both is 7 June.  John pointed out
that those who miss the deadline will be required to make a royalty-free
grant without exclusions.
 
15. Next meeting
 
7 June.
 