[cabfpub] Notes of meeting, CAB Forum, 25 October 2012

Ben Wilson ben at digicert.com
Sun Nov 11 01:16:26 UTC 2012

Here are the minutes of the penultimate CABF telecon.  




[cabfman] Notes of meeting, CAB Forum, 25 October 2012, Version 1

Notes of meeting

CAB Forum 

25 October 2012

Version 1


1.   Present:  Ben Wilson, Atsushi Inaba, Kirk Hall, Gerv Markham, Brad
Hill, Jeremy Rowley, Wayne Thayer, Rick Andrews, Dean Coclin, Eddy Nigg,
Ryan Koski, Mads Henriksveen, Marc Braner, Yngve Pettersen, and Geoff


2. Agenda review


The agenda was reviewed and Item 7 (Review of IPR Policy) was moved ahead of
Item 4 (Ballot 89).


3. Minutes of Meeting 11-October-2012


Minutes of 11 October 2012 were approved as published.  


7.  IPR Policy


Marc Braner explained that the IPR working group had met and created version
1.03 to address the concerns of Entrust, Identrust, and others while making
as few changes as possible.  He said that in his opinion we may now have a
viable solution for everyone, but that there is no such thing as a perfect
IPR Policy.  There is nothing that precludes further work on the IPR Policy
down the road, but it is very important that we have an IPR Policy in place.
One issue identified is in section 5.1 for which there was recent discussion
on whether or not to remove a subsection.  Also, resolution he attached
would terminate the current IPR (v. 1.0) on December 1, 2012, and then v.
1.03 would come into effect, with a time period for members to file
exclusion notices.

Kirk asked for an overview of the changes.  Marc said that there were only
two major changes -- (1) to make licensing obligations participation-based
to address stand-around liability, and (2) change the definition of
affiliates for portfolios of companies that are indirectly related.  The
goal of the proposed participation-based model, is that if you don't
participate, there is no obligation.  If you do participate, then you have a
duty to license, but you also have the opportunity to exclude IP from


Kirk asked whether general forum meetings would be considered as
participation.  Marc said he left that specific issue open for the Forum to
decide.  He also said that under the existing policy, signing the agreement
and compliance with the IPR Policy was a condition of membership.  His
understanding is that this practice would continue under version 1.03, so
you would sign the Membership Agreement, but the Forum could designate
meetings as either General Meetings or Technical Meetings.  


Yngve asked whether, considering that with the previous IPR ballot some
major objections showed up just before the deadline (because they finally
reviewed the IPR Policy and Agreement and decided they could not sign), such
would happen again?  Marc said he didn't know, but that he had attempted to
flesh out and address the issues in a way that would not offend the
companies who have signed version 1.0, but there are no guarantees.  Yngve
would like to make sure there are no last-minute objections.  Dean said that
the only way to know is to put it to ballot.  Marc agreed that he would like
to bring closure.


Kirk asked the difference between general and technical and how to tell when
something is designated or not as technical.  Marc said that while the IPR
Policy is modeled on the W3C Policy, which only makes you bound to the
extent you actually participate in a workgroup creating a W3C
Recommendation.  That was envisioned here, even though we all know that the
Forum doesn't work that way.  What we'll need to do is develop rules
defining participation.  For example, if you attend two technical meetings,
you are deemed to have participated.  Marc offered to help the Forum develop
rules.  A general meeting would only deal with administrative issues like
governance and the adoption of the IPR Policy.  A technical meeting is one
in which the member works on a guideline.


Kirk asked whether a vote would also be considered participation, and Marc
affirmed that it would.  The IPR Policy, however, contemplates that you can
only vote if you participated.   Kirk asked whether we could just designate
that everything we're working on 100% of the time is Working Group.  Marc
said you could do that, but then you'd have a problem.  Ben said that what
Marc is proposing is a way to adopt the IPR Policy, and get something in
place that could be modified by defining the details without having to have
all of the members re-sign a new agreement.  Ben said he'd prefer that the
default be that everything be designated as not technical, but that you
specify when something is technical.  


Marc said he's left it open in order to get something in place.  Kirk said
his counsel will want to know exactly what it is going to apply to before
they approve it.  Marc said that Section 3 of the IPR Policy says that "as a
condition of participation in a technical work group" but that we don't
define "technical work group."  Kirk said his counsel will not let him sign
it unless his counsel knows what the IPR Policy applies to in terms of the
Forum's work.  Ben said he hoped that this would only require a minor
modification to this draft that would satisfy Trend Micro's counsel, for
example, by defining "technical work group" as flagging technical
discussions with the word [Technical], which would make the IPR Provisions
apply, similar to the way an NDA requires that confidential communications
be flagged with the word [Confidential].   Marc said that to keep it simple,
if you attend two meetings, then you'd be considered to have participated.


Kirk asked who would object to just saying that 100% of our meetings are
considered "technical meetings"?  Marc said that would work and would be the
simplest approach.  Ben said that he thought Entrust and others would object
because that is why we've gone through these edits in the first place and
why would we try to distinguish between participation and non-participation.


Gerv said that it is possible for everything we do to be part of a "work
group," even general discussions.  The purpose would be to segment the work
of the CAB Forum into sections so that people could participate in some
sections but not other sections.  Then, everything would be part of a
section, and nothing would be missed.  Then, you could consider the general
group to cover discussions of everything else.  So, if you had a discussion
and someone was unhappy that a technical topic was being discussed within
the general group, then the person could say, "actually, the discussion
about that has to happen over here in this other group."


Ben said that he liked Gerv's concept of segmentation.   Kirk asked Ben to
give an example, besides deciding when to have lunch, that would not be
technical, and therefore, we wouldn't have to worry about who is
participating.  Gerv said the general CAB Forum call that we're having now
is not a technical discussion - we're not the revocation working group, and
we're not the EV working group, we're just the general discussion group.
And in a general call, we wouldn't determine the exact details of technical
standards, but if there needed to be technical discussions, those could be

Jeremy said that he was concerned that we are discussing an IPR with working
groups, but that the governance proposal doesn't establish a working group


Kirk asked whether Entrust had explained why they wanted this segmentation.
Marc said that it wasn't just Entrust, but several of them were concerned
about stand-around liability.  Their representatives may or may not be
paying attention, and then they would be obligated to provide royalty-free
licenses.  They said, "we're fine with granting licenses, but we want that
to be based on an affirmative action."  Kirk said, "well, if they forget to
get up and leave the room when a technical subject comes up, it's the same
problem, they're going to have to be on their toes, whether we adopt this or
don't adopt it."  

Yngve said that these concerns should be written up in email so that they
can be discussed more closely to see what the issues really are.  Marc said
that that was supposed to have been done by members who convened as part of
the IPR working group.  Marc said that it was also discussed that the CAB
Forum just adopt the IPR Policy of another organization, such as ISO, ICT,
ITU, W3C, and IETF, which brought us back to where we were two years ago.
Everyone was invited to those meetings, and we fleshed out the issues, and
these are the issues.  It would be much easier to adopt a process along the
lines of what Gerv has suggested than to come to a new agreement on an IPR


Yngve said that if we state the reasons for the changes in the IPR Policy,
and then Kirk can delineate what is a work group versus what is not a work
group, and if this happens in the entire Forum and not just the IPR working
group, then we can look at what the arguments are in each direction and see
if something can be worked out.  Ben said we should move this discussion to
the list, and have people speak or forever hold their peace, before we put
it to a ballot, and that the deadline should be Wednesday of next week and
that a ballot be submitted at that time.  


Dean suggested that Entrust and Identrust should be involved in the
discussion.  Ben said that Entrust and Identrust representatives could be
copied on all discussions.   Dean said we do need to move forward with a new
IPR policy.  He also thanked Marc for his contribution.  Marc said he would
be happy to help suggest a process around the participation issue.


Kirk said that next Wednesday would be way too soon because he gave it to
his counsel but told his counsel to hold off any review until he could
understand what it was about.   Kirk said that Trend Micro would have to
know exactly all of the details on what is and isn't a working group, and so
on and so forth before he would ask his counsel's opinion, so in no way
would he support moving forward.   Ben asked why Trend Micro's counsel had
not participated and that it was frustrating when others do all of the work,
and then Kirk expects that it be fully developed.  Kirk said he could not
vote on it without a definition of "working group" and that he would vote
"no" if it came to ballot.


Wayne asked whether he was correct that the expectation is that members run
the document past their legal teams and be in a position next week to either
oppose it or move forward with it.  Ben said, "yes."


4.  Ballot 89 - Guidelines for Processing EV SSL


Rick said that Brian Smith has requested that the following language be
removed from the document:  "certificates for which revocation information
cannot be obtained should not be treated as trusted certificates."  Yngve
asked whether it was an issue of EV treatment, and Rick said that the
document says "should not be granted EV treatment" but it also has the other
statement that Brian has concerns with.  Gerv explained that Mozilla is
developing Firefox OS based on web applications, which are served over
https.   If the display of the status of the application is displayed to the
user, that might cause a security indicator to flicker on and off, even
though the application is operating properly in an offline state.  So there
is a problem with a requirement that you have to remove a security
indication while you are offline because you cannot get revocation
information.  Brian would like wording that if the certificate has been
presented and validated at least once, including for EV status, then that UI
treatment should persist even if the user is offline.  Yngve said that if
the content is downloaded to cache via HTML5 then you already have security
status for that content, and that is checked at TLS download.  Rick agreed
that offline mode is different, and that he was assuming that the document
applied only for the handshake, and if offline mode needs to be discussed,
that it be done separately.  Yngve added that when you resume a server
session, you are not doing a full handshake, and you would not be expected
to do revocation checking for that.  


Another of Brian's concerns is that an intermittent changes in security
display (EV UI indicators) might would also be required if due to the
inability to access OCSP information from time to time.  What if an EV
certificate has been revoked?  Yngve said that a well-configured server
would be active for a long period of time during the day, but Gerv asked
what about when you shut your phone on and off and log in and out of your
bank, and OCSP fails, would the CABF want the EV condition not to appear?
Yngve said that CRL and OCSP responses could also be cached for a longer
time than the duration of several sessions and that the only instance where
he has seen a similar issue arise with EV / non-EV  display in Opera was
when a Japanese bank had installed two different EV certificates of
different key lengths and the site switched between certificates.  Opera
treats failed revocation as a "no-padlock" condition so you wouldn't get to
the issue of EV indication. 


Rick said that if you fail revocation checking for the first time, you
should not display EV-ness, and you should not treat it as a trusted
certificate.  But, if we can establish an appropriate time frame for
situations where you've previously validated an EV certificate, then you
should be able to continue to trust it.  Gerv said we just need
clarification on whether that is allowed.   The discussion on this topic
then closed and moved back to the listserv.


5.  Ballot 92 - RFC 6125 and Subject Alt. Names


Kirk said he raised this issue because if you look at issues list it is not
clear how these are an improvement and there are a lot of complex changes so
he would like to have a written explanation of the changes so that people
who are not on the calls can understand what the sponsors are trying to
accomplish, but that he would like a walk-through of the ballot during the
call.  Ben said that part of the issue may be that the discussion of this
issue has been going on for quite some time and that all of the changes may
not be related to just the identified BR issues so it might be difficult to
catch up.  Brad and Jeremy had worked on Ballot 92 and were on the call, but
it was presented by Steve Roylance, who was not on the call.   So Ben asked
whether either of them would be willing to attempt a review of it.  Brad
said that he did not have it up and would have to get it in front of him,
but asked what the specific issues were.  Kirk said that in the past the
proponents of a measure had explained the measure so he wanted the
proponents to explain it to the whole group.  Brad said he had explained it
multiple times over the course of work on the issue.   Kirk said he was a
member and entitled to know what was in the ballot and was upset that Brad
was unwilling to explain the ballot.  Brad said that he was willing to
explain it. Kirk said that Brad should explain it. Brad asked if anyone else
shared the concerns, and Kirk said it didn't matter if anyone else shared
the same concerns and that he wanted the ballot explained to him.    


Kirk asked, "why are you outlawing DV SANs certificates?"  Brad said he
would have to look at the ballot.  Jeremy offered to forward all of the
discussions on it to Kirk for review.  Kirk said that he could find those
himself, but that he'd rather have a new explanation of the ballot because
the ballot was very complex.  Jeremy said that there was not have enough
time during the telephone call to go over all of the details and that
another email explanation could be sent.  Kirk said he would look forward to
the email.  Gerv said that if would take an hour to explain the ballot, then
it should be broken into multiple ballots.   Wayne said that the problem is
that the ballot originally started as two BR issues that has now morphed to
a ban on DV certificates.  Gerv said that the purpose of the BR issues list
was to limit the scope to things that could be resolved, and he asked
whether the proponents believe that the ballot falls squarely in Issues 15
and 29.  Jeremy said that it was not because he didn't think it had to
because we have been working on the BR issues list for over a year and
ongoing issues should be resolved as well.   Brad said that for section, that was not language that he proposed, and that he could only
speak to his own recollection and not anything he didn't know about.  Ben
said that some of the language is from Steve, who was not on the call.  Brad
said that it appeared the language was added to provide contact information
for at least one responsible party in the case of a multi-domain
certificate.  Rick said that he recalled from discussions that someone had
mentioned that there was no evidence of this every causing harm and that if
you wanted to put in information about who the controlling party was, it was
difficult to determine who that party was, and that there was no consensus
on this issue.  Brad repeated that it wasn't his language, and he couldn't
address it.  


Rick also noted that he had previously stated that Unicode checks are very
complex, and that he opposed this unless there were a Unicode library that
was freely available to be used by all and that by using that library you
would meet all requirements, because this is very complicated.  Brad said
that he had permission from counsel to contribute the code to the ITU
library and that he would submit the patch and see if they were willing to
accept the patch, and that he was willing in making that open source
contribution to share the code so that the specifics and the algorithms are
available to members of the CAB Forum, regardless of whether the library
maintainers choose to accept it.  Rick thanked Brad and said that he would
still like language that said by using the code a CA fulfills the


Mads noted that the review period closed and that it was now in the voting
period.  Ben acknowledged that when these kinds of things happen it becomes
unclear how to proceed and that the ballot should probably be withdrawn.
Jeremy said he did not want to have it withdrawn.  Yngve said that in some
similar situation we had extended the review period for a week.  Dean said
that such approach would have to be proposed by the people who put the
ballot together, and that approach would make sense where there is a good
consensus because nobody likes to see ballots resubmitted because it wastes
time.  Wayne said that he recalled Steve indicating that he wanted to move
it to a vote because there was no room for compromise, but Dean said that
the other contributors may want to review their strategy and move it to


Brad noted that he disagreed with Rick's position that a CA would be
absolutely always safe if they used the Unicode library-code always has
bugs, standards evolve and change, new attacks are discovered, and things
are refined, and it would not be a good practice to write the Guidelines as
dependent on code.  Guidelines should state what the objective is and not
how it should be accomplished.  Rick said he agreed, but usually that the
requirements have been relatively simple and straightforward to implement,
but that is not true with Unicode.  Brad said that even if we allow it for
the present time, it could later be found to be deficient, so we should not
commit to it long term, because it will create a vulnerability in the
ecosystem.  Rick said that if there is a problem we'll fix it, it's better
than having 50 different CAs creating 50 different sets of code and having
most of them incorrect in one way or another.  Yngve said that "test suite"
is better than "code base".  


6.  Ballot 93 - BR Reasons for Revocation


Ben asked if there were any questions.  Rick said he had one comment-that in
the last paragraph there was a typographical error, that it should read
2^16+1 and then 2^256-1.  Yngve acknowledged that the superscript got lost
at some point.  Rick said his other concern is that it will force a CA to
revoke a certificate when it is misused, and that has a lot of uncertainty
associated with it.   What does it mean for a CA to discover that a
certificate has been "misused"?  Yngve said that "misused" is language that
was already in section 13.1.5-it was just moved.  Rick said he still has an
objection, because if a customer indicates that a certificate has been
"misused" we don't want to revoke it immediately if there is more harm that
will be done than good.  Yngve said that "misused" will have more relevance
from what is defined in you practice statements than what is defined here
and that because the language is just being moved, if it needs to be fixed
then that would be something for another ballot.  Rick said that this
presents a gray area that needs to be addressed, probably with a ballot,
because this doesn't recognize that there are reasons why you wouldn't want
to revoke it within 24 hours, and you'd be in violation if you don't.  Yngve
also said that the original ballot didn't have an effective date, but it
should say effective immediately.


8.  Review Governance Proposal and Ratification Process 


Kirk noted that there has been a review period.  Kirk said that the only
comments were from Ben, and that while some of them were good, they went
beyond TrendMicro's proposal so they would not be included because people
would say that it wasn't what they had voted on.  He also noted that if a
member of the public wanted to respond, we haven't got a means for them to
do it, but we could have them use the "information@" link, but he wasn't
sure how to communicate that to them.  Gerv had mentioned it could be posted
on the Mozilla list, but Kirk did not feel he should do that, unless the
members felt it should.  T-Systems also indicated that their counsel wanted
to review it, but he hasn't heard back from them.  So the two questions are:
1- do we want to post this on our web site, with an email address for anyone
wanting to post comments, and 2 - should it be posted on the Mozilla list
for comments?  Jeremy asked, since the proposal is similar to what we
already have and the bylaws are the current rules, whether it would be
simpler to have a separate ballot on just the changes, split into 4 ballots,
and that way the ballot wouldn't have to stand all together and we could
pass these changes easier and quicker.  He also asked whether we should wait
until the IPR Policy is resolved.  Kirk said that he was ready to go forward
with the governance vote and people can accept it or not, and that he wanted
to go with what he had circulated.  He said that based on the previous
ballot TrendMicro could put the ballot forward whenever they want to, and it
doesn't need any second endorsers.  Jeremy said that he thought that the
ballot had said that you'd follow the current forum procedures.  Kirk said
his questions are whether we should put it up on our web site or circulate
it on the Mozilla list so that the public can comment.  Jeremy said he would
like to have Entrust and Identrust back in.  Kirk said he was not willing to
delay it.  Kirk said that since it didn't look like anyone had any comments
he would not ask for any public participation and that he would put it to a
vote and if it failed then we'd be back where we started.  Gerv said that
the right way to break this cycle is to do the governance vote first because
the IPR Policy cannot take its final form until we know what the governance
is.  If Kirk's proposal does not include work groups, and the governance
proposal passes, and the IPR Policy requires work groups, that doesn't work,
but we can't let the tail wag the dog.  So we should do the governance, then
the IPR, and then ask the other CAs whether they want to join based on the
governance and IPR that we have chosen.


9.  Scheduling of next F2F Meetings


Mozilla has committed to 5th and 6th, of February, 2013, with the revocation
working group meeting on February 7th.    Dean noted that the room was
available in Munich whenever we wanted to schedule the meeting, but it would
be good to reserve it now.  He asked whether June would work.  Wayne asked
that some May and June dates be proposed.  Arno had mentioned that ETSI was
meeting in the first week of June.  Also, Memorial Day in the US is on May
27th.   so possibilities are the week of May 20th or the week of June 10th
or the week of June 17th.  So people should look at their calendars, and
Dean will circulate a poll with those 3 options.


10.  Status Review


Ben will send out a follow-up email asking for volunteers for the web site
standing committee.


Yngve noted that he still is looking for another endorser for BR issue #7.
Ryan Hurst said he would look at it.  Yngve said he wants some endorsers. 

Gerv provided an update on Mozilla OCSP Stapling.  There is a technical
disagreement that is being arbitrated on how this issue will be resolved.
It is being worked on and reviewed by the NSS module owners.


11.  Other Business


Yngve noted that he had emailed updated statistics on OCSP stapling server
support and TLS renego  patching. 


12.  Next meeting


Next meeting will be 8 November 2012.  Please note that daylight savings
time will have ended and that for those members going off of daylight
savings the meeting will be an hour earlier.  



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121110/7372f3de/attachment-0003.html>

More information about the Public mailing list