[cabfpub] Notes of meeting, CAB Forum, 6 Sept 2012, Version 1

[Ben Wilson]

Below are the minutes from the penultimate meeting held two weeks ago.

 

Notes of meeting, CAB Forum, 6 Sept 2012, Version 1

Notes of meeting

CAB Forum 

6 September 2012

Version 1

 

1.   Present:  Phill Hallam-Baker, Chris Palmer, Ben Wilson, Eddy Nigg,
Jeremy Rowley, Simon Labramm, Kirk Hall, Steve Roylance, Wayne Thayer,
Atsushi Inaba, Rick Andrews, Rich Smith, Brad Hill, Robin Alden, Geoff
Keating, Mads Henriksveen, Patricia Forsyth.   Quorum equals 6.

 

2. Agenda review

 

The agenda was reviewed.

 

3. Minutes of Meeting 23-Aug-2012

 

Minutes of 23 August 2012 were approved as published.  

 

4.  Ballot status

 

Three items were discussed under this agenda item:  (1) abbreviating the
voting process for replacement proposals; (2) the adoption/publication of
Requirements for the Processing of EV SSL Certificates v.2; and (3) BR
Issues 15 and 29.

 

(1)  Ben noted that Ballot 88 was out for vote and asked whether members
would support a revision to the voting rules to provide an abbreviated
ballot process when a proposal has already been discussed but withdrawn for
minor edits during the voting period.  Rich mentioned that he favored having
a shortened review period in such cases.  Ben said that he didn't want our
review processes to bog us down unnecessarily.  Kirk and Eddy opposed the
idea of shortening the review period.  Kirk said that sometimes people need
more time, for example, when they are unavailable for a few days.  Eddy said
that there haven't been situations requiring immediate changes to the
guideline documents.  Ben said that he wouldn't push for an amendment to the
voting rules at this time, but that he thought that there would be times in
the future when those opposed to idea might think differently.  

 

(2) Rick mentioned that he had previously proposed the release of an updated
version of the guidance for applications relying on EV certificates.  He
stated that he had addressed issues raised by Ryan Sleevi, and that he had
responded to comments from Kathleen Wilson.  He said a recent question has
been what the document says about a CA that does not pass an audit.  Phill
said the browser wouldn't ordinarily receive a report that a CA didn't pass
an audit.  In most cases, the audit is not renewed and/or no audit report is
provided, and at that point the browser should begin deactivating EV
treatment.   Rick said that the EV Guidelines have been in place for 5 years
and that is one of the reasons why the title is being changed from
"Guidelines" to "Requirements."  He said he was looking for endorsers and
DigiCert and TrendMicro agreed to endorse. 

 

(3) Steve Roylance and Jeremy Rowley discussed what has been labeled on the
discussion list as BR Issues 15 and 29, dealing with organizational
validation for mixed content / multiple SAN certificates.  Steve said that
he had recently circulated a proposal for review and discussion.   Kirk
queried why this was currently an issue.  Steve said it was not a new idea,
that it had been raised before, but not thoroughly, and that in reviewing
GlobalSign's implementation of the Baseline Requirements he had identified a
few holes where a potential bad practice could cause security issues.
Wayne disagreed that the issue hadn't been discussed in great depth.  Kirk
said that this proposal would deprecate DV certificates and had no added
security value.  Steve said it would enhance security and be good practice
to identify the subject of a mixed-type certificate.  Wayne said that the
proposal would not improve security any more than issuing multiple separate
DV certificates.  Steve said he had not heard why it was not a good idea to
put the requirement in place.  Wayne said that is misleads the user into
thinking that the named organization is the site, when it is one of the
other entities listed by the SAN.  Steve said that someone must be holding
the private key, and that is what the certificate is supposed to identify.
Wayne said that what the proposal essentially does is attempt to remove
multi-domain certificates.   Steve said that they could be eliminated some
day in the future, but that is not the issue, today there is a need to
identify the holder of the key.  Eddy said that he agreed that where domains
are owned by different parties it is a different situation and that he could
see that Steve wants to give transparency on the holder of the key, but if
you have 50 companies under the same key, then that is a bad thing.  Steve
urged people to read his proposal.  

 

5.  Review Voting Procedure

 

Ben asked whether there were any questions about how the voting procedure
would work.  Kirk asked when the proposals were due, and Ben said 5:00 pm
Eastern Time on Friday, September 14.  There were no further questions.

 

6.  Plan Agenda for Face-to-Face meeting

 

Proposed items for the face-to-face agenda were reviewed and Ben said that
he would post an updated schedule to the wiki.   During the discussion, Kirk
and Jeremy discussed the IPR Policy and observer status.  Kirk said he
disfavored having a policy that allowed an exception for an observer
category.   He suggested that one way to accommodate observer entities like
ETSI would be to adopt a motion that specifically identifies them.  

 

7.  Any other business

 

None.

 

8.  Next meeting

 

The next teleconference will be on Thursday, September 20th, same time and
place. 

 

9.  Close

 

Meeting adjourned.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cabforum.org/pipermail/public/attachments/20120920/27a207ce/attachment-0001.html