[cabfpub] Notes of meeting - CAB Forum - 8 August 2013 - Version 1

Ben Wilson ben at digicert.com
Thu Aug 22 21:47:55 UTC 2013

Here are the Notes of the CABF Meeting held Thursday, 8 August 2013.

Notes of meeting

CAB Forum 

8 August 2013

Version 1

1.  Present:   Atsushi Inaba, Ben Wilson, Jeremy Rowley,  Wayne Thayer, Kirk
Hall, Eddy Nigg, Richard Wang, Steve Roylance, Dean Coclin, Robin Alden,
Connie Enke, Rick Andrews, Ryan Sleevi

2.  Agenda review:  Approved as published.  Steve  asked that the latest
version of the EV Guidelines be posted to the website.  Ben and Wayne will
coordinate after the call to get the current version up.

3.  Minutes:   The minutes of July 11, 2013 were approved.  (We didn’t vote
to approve them last meeting, but they are already published because the
rules say that after 2 weeks of circulating them they are to be published.)
The minutes of the teleconference of July 25, 2013, and the Munich
face-to-face meeting were also approved.  

4.  Ballots:  Dean said that he thought that Microsoft still wanted to
discuss Ballot 106 and Ben said that even though Ballot 106 (to extend the
deadline for no "good" response for non-issued certificates) was withdrawn,
he wondered how we could keep a placeholder without keeping it as an agenda
item but stated the issue will likely come up again in due course.   Ballot
107 has only received a few votes and it closes tomorrow.  Kirk said that we
are seeing a problem when things go to ballot too quickly and that maybe we
can have more discussion before they go to ballot.  Ben said he thought we
could go ahead and give it a ballot number if it looked clear it was going
to become a ballot.  Kirk said he wouldn’t give it a number, but just send
around the draft stating that the proponent was considering a ballot with
such text and solicit pre-ballot comments.  Jeremy and Robin said they liked
having a proposed number because it’s easier to track in their email and
suggested that a subject line that makes it clear that it’s not an official
ballot might work – like “proposed ballot 108a” “pre-ballot 108b”,
etc.--then going back to “Ballot 108” could work.  Rick suggested that we
consider creating a pre-ballot stage.  


Jeremy said that he withdrew Ballot 108 to replace the proposal with one
that just requires an FQDN or internal server name and a Server
Authentication EKU.  He asked for any other suggestions to the proposed


Ballot 89 (EV Processing Guidelines) – Rick said that he has tried to update
the document but that the browsers are still not satisfied.  Tom recently
doubted whether they can be followed.  Rick would like to remove the old
version as soon as Wayne can get to it.  Ben said he didn’t think we needed
a ballot to remove the EV Processing Guidelines from the website.  Eddy said
that if we’ve had an important document on the website for 7 years, then we
shouldn’t just remove it without more discussion and the browsers should
vote to remove it if they want to.  Rick will revise Ballot 89, and Ben said
that he would discuss a revised ballot with Rick that could be to the effect
that a “no” vote meant that the current version would be removed and a “yes”
vote would mean that version 2 gets posted.  Rick said that the
pre-discussion period has been going on for two years.  He’s going to start
the official discussion period next week.


5. Application of Firmaprofessional and Disig A.S.:   The group reviewed the
applications of Firmaprofessional and Disig and noted that they appeared to
qualify as CA members of the Forum.  Ben suggested that Dean write to their
representatives and acknowledge acceptance of their membership. 

6.  Definition of "rekey" and applicability of BRs to legacy certificates:
Wayne said that there has been a lot of debate on the mailing list about
this.  There are two aspects to the issue – the conflict between contractual
provisions and compliance with new requirements.  He said that Robin had a
good suggestion for dealing with the first aspect by requiring a contractual
provision that subscribers must agree to if the Baseline Requirements
change.   Kirk said we are not a standards body and that enforcement depends
on browsers.  Ryan said that each CA that applies for inclusion in a root
store is responsible for complying with the requirements and that whatever
that CA is able to offer commercially is already constrained by what is
allowed by the browser root programs--so at the end of the day, every CA
needs to conform to industry standards.  Eddy said that whatever we offer
the customer is of course limited to what we can offer by being in the root
store and he thought that most CAs have provisions that provide for this
circumstance.  Wayne said that there seems to be general agreement that
there’s not a reason to not put Robin’s suggestion in Subscriber Agreements.
Ryan said that the Subscriber Agreements should specifically reference that
changes to the Baseline Requirements are foreseeable.   Wayne asked whether
someone would write a ballot.  Ben said he and Jeremy would write something
up.  Kirk asked whether it would address the “rekey” issue, and Ben said we
hadn’t fully discussed that yet.  

Wayne said the second aspect was the debate between rekey and reissue.  Rick
said we need to address how to handle certificates that were issued prior to
adoption of the Baseline Requirements.  Wayne noted that there were limited
exceptions to the Baseline Requirements for certain cases and that he has
proposed what he thinks is a workable solution to clarify what is allowed
when a certificate was issued prior to adoption of the Baseline
Requirements, and that a couple members have seconded the motion, but others
have been strongly opposed.  

Wayne said that contractual obligations to issue long-term multi-domain
certificates are impacted because they cannot be changed unless they fall
into an allowed category.  Eddy said his understanding is that when adding
or removing host names, for example, if host name rules change, then you
have to be compliant with the Baseline Requirements every time when you

Wayne said that the ballot he is proposing has a very narrow in scope in
that it only exempts a CA from the duration limitation of the Baseline
Requirements and nothing else.   Eddy said that he remembers a couple of
years ago, when we were talking about the same issue that Wayne had agreed
to the 60 months and that previously issued certificates would comply to
that as well.  Ryan said that even though the scope of the ballot is
limited, there should still be more discussion about what this means for CA
practices.  If you are going to reissue a certificate, then all of the
business implications must really be understood and agreed upon because
different parties might have different ideas about what the ballot means.
Wayne said the ballot will help define the scope of the Baseline
Requirements and help us when we find these cases to address them and so he
will put forth the ballot and hopefully get more discussion.  

7.  Review status of website revisions:   Ben reviewed his tracking sheet
and gave the following status report:

·         He hasn’t been able yet to do a full review of the draft web site.

·         Info for Consumers - Dean worked on it most recently, but Simon
was also asked to edit it.

·         Info for Website Owners - Robin was assigned to it, but it was
last worked on by Ben in February.

·         Info for System Administrators - Mert was in charge of that one.

·         Info for Manufacturers and Developers - Rick worked on that on
July 22nd.

·         Info for Potential CAs and Browser Members  -  Dean worked on that
in July.

·         Info for Auditors – Iñigo, Don and Reema need to take a look at

·         Info for Press - Gerv worked on it.  (The news articles doesn’t
need much editing -- that’s in the “About” section.)

·         Mission and Governance pages have been combined, as discussed
during the F2F.  

·         Bylaws page hasn’t been worked on since February – Ben will take a

·         Members page - Ryan Koski worked on that in February.

·         Leadership - Ryan K. worked on that, too, in February. 

·         Mailing list – also needs a little work by Robin and Jeremy.

·         IPR Policy page – Ben needs to do that still. 

·         Ben sent Connie a reminder on July 10th - she has been off on
holiday and will get to it next week.

·         Research statistics - Ryan Sleevi had put things up there in
February.  Ryan S. had also worked on several other pages in February.  Don
was going to look at it.


Ben will send out another reminder email to give the status of where things
are and make the tracking sheet available for everyone’s review.


Wayne said that due to the passage of time after volunteering GoDaddy
resources to modify the website, those resources are no longer available to
him, and he will likely have problems in the next six months or so getting
those resources.  GoDaddy can continue hosting the site, but we need to
select a WordPress template.  Ben said he would put out a call for suggested
Wordpress themes to use on the revised website.


Dean said that he would draft something for the current home page to
announce/welcome new CABF members.


8.   Other Business–Ankara Logistics:  Ben noted that the meetings would be
held at Swissotel.  Dean said the rate of around 100 Euros looked
reasonable, but he also said that he thinks that Turktrust might be making
the reservations and then we would pay with our own credit cards at check


9.  Meeting adjourned:   Next meeting is set for Thursday, August 22nd.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130822/b6178259/attachment-0002.html>

More information about the Public mailing list