[cabfpub] Notes of meeting, CAB Forum, 23 August 2012
ben at digicert.com
Thu Sep 6 21:26:40 UTC 2012
Here are the most recent approved minutes of the CA/Browser Forum.
Notes of meeting
23 August 2012
1. Present: Ben Wilson, Eddy Nigg, Jeremy Rowley, Mads Henriksveen,
Sissel Hoel, Atsushi Inaba, Gerv Markham, Rick Andrews, Yngve Pettersen,
Rich Smith, Brad Hill, Bill Madell, Robin Alden, Geoff Keating, and Ryan
Sleevi. Quorum equals 6.
2. Agenda review
The agenda was reviewed.
3. Minutes of Meeting 9-Aug-2012
Minutes of 9 August 2012 were approved as published.
4. Ballot status
Ballots 85 and 86 were reviewed. Rich mentioned that if Ballot 86 passes,
then the ISO-3166 directorate will need to be notified that the CAB Forum is
using the single user-defined country code of "XX" when an official ISO code
has not been assigned. On the ballot for BR Issues 15 & 29, Rick noted that
he had received comments from Steve Roylance who wanted to (a) disallow
non-FQDNs and internal IP addresses in the CN and (b) require that the CA
put Org Info in certificates with internal names/IP addresses. Jeremy
stated that DigiCert was in support of Steve's request. Rick said that the
second request would require additional engineering, since it wasn't in the
original BRs. Ben said that there was a discussion about this previously,
and Jeremy said that a resolution of the issue was postponed and that it is
the right time to bring the discussion up again for resolution. It was
decided that further discussion on the issue of organizational validation
was needed. Rick also noted that the part of the proposal dealing with IDNs
raised engineering concerns because Unicode can be tricky. It is not just
an issue of confusion caused by mixed character sets, but it also must be
screened for mixing of scripts, bi-directional characters, etc. He said it
was essential that we identify Unicode libraries in this area because it can
be just as susceptible to mistake as crypto, and that is why we have crypto
libraries. Brad said he would contact Chris Weber of Casaba Security who
has worked on Unicode libraries in this area and see if he has anything to
5. Status of IPR Policy
Jeremy said that there will be an IPR Committee call next week. He also
said that because of ETSI, Entrust, and others comments about the IPR, and
because something needs to be in place temporarily while the governance
reform process runs its course, he would like to introduce a motion to allow
observer status and have a set of rules that allow them to participate upon
invitation only and without providing contributions covered by the IPR.
Robin volunteered to work with Jeremy on a proposed set of rules that would
provide the needed restrictions.
6. Liaison Agreement with ETSI
Ben said that if the proposal above to temporarily reinstate an observer
status works, then it would obviate the need for a special IPR agreement
7. Status of Revocation Improvements
Rick reviewed Brian Smith's responses on the CAB Forum's OCSP
Recommendations for Clients document. He said that Brian was concerned
about various instances where it appears to mandate browser behavior. Rick
said that he thought those instances were pretty minimal. For instance, if
an OCSP client gets a status of revoked, the client should block access to
the web site.
Rick asked whether there was any sentiment one way or the other with Brian's
suggestion that we work on other solutions rather than OCSP. Rick and
Jeremy said that they thought we should describe what is here today and move
forward with this document. Ben asked whether a single OCSP stapling
document should be created to discuss it from both the client and server
Ryan from Google said that they were working on a post in response and that
they agree, in large part, with Brian's position. He felt there were more
UI requirements in the white paper on how to handle things like expired
certificates, for example. Gerv said that he would chime in on the topic as
Yngve said that Opera has a number of hints when revocation lookup fails.
He also said that the W3C may have some helpful UI guidelines for browsers
in the web security context working group. Rick asked whether Yngve could
post a link to it.
Rick said that if we're trying to increase security, and you get revoked
status, the browser should not let the user go through. Yngve agreed.
8. Agenda Planning for Face to Face
Ben explained that he had copied the agenda template over from the meeting
in Norway and that there would be certain items on the agenda that re-appear
as a matter of course like audit updates and reviews of issues with the
Baseline Requirements and the EV Guidelines. Additional discussion items
for the face-to-face agenda include: a review of the Network Security
Requirements; an update on the IPR Policy, if any; a preliminary review of
organizational documents for the reformed entity; a short discussion on the
work of the new IETF wpkops group; application developer guidelines for EV;
browser UIs; and the status of revocation work. Ben asked those planning
to attend, including browser representatives, to provide any other topics
that they would like to discuss during the face-to-face.
9. Any other business
Yngve said that version 12.02 of Opera will address "unauthorized" and
"unknown" responses and that there may be other changes for when no status
information is received from the CA. He said that he had looked at other
browser responses "unauthorized" and "unknown" and that responses varied
(Mozilla had a warning message in one case, and in another case IE 9 on
Windows 7 had provided no error message). Additional information and
downloads of release candidates for 12.02 were available on the My Opera
Desktop Team blog, http://my.opera.com/desktopteam/blog/.
10. Next meeting
The next teleconference will be on Thursday, September 6th, same time and
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public