[cabfpub] Meeting Tomorrow - Follow Up to Munich F2F

Ben Wilson ben at digicert.com
Wed Jun 26 20:03:14 UTC 2013



During tomorrow's telephone call I'd like to review the take-aways from our
Munich F2F.  


Here are some of the items:


Sunsetting of 1024-bit certificates - Who would like to write up and
circulate an updated, post-F2F synopsis of what they believe is the status
on how CAs, Browsers, and Subscribers are doing in their efforts to sunset
1024-bit certificates?


Ben will work on a "SHOULD" recommendation / proposed ballot that CAs
"should" offer SHA2 as the default option for certificate signatures.   That
way applicants would opt-out of SHA2 and select SHA1 and this would push
"natural attenuation" away from SHA1.  


Guidelines Hand-off Date 

If we are to begin implementing a new hand-off-date approach for CABF
guideline documents (i.e. Sept. 30 off each year), then are there any tasks
that we should try to accomplish in the next 90 days to get the most benefit
from a cyclical process?  What can we do to improve upon the concept now?
For instance, would any of you like to work on an update to Exhibit C of the
Bylaws?  (Section 5.6 of the Bylaws states, "Project Lifecycle - In general,
Forum projects will follow the model Project Lifecycle attached as Exhibit
C.  However, the Members may modify this model as appropriate by their
subsequent actions.")  Also, the minutes indicate that Kirk would circulate
his prior proposal re: an annual cycle for changes to CABF standards and
WebTrust/ETSI standards with modifications based on the discussion by the
group, with input from Jeremy and Don.  How might this be harmonized with
the foregoing?   Finally, there were comments that CAs would appreciate it
if browsers could provide clarity and uniformity on effective dates for
audit requirements.  Can browser members take on a task to develop a
coordinated policy/process on this?


Who would like to take on an assignment to draft amendments to the
guidelines that will remove specific references within them to WebTrust and
ETSI version numbers?   (That would mainly be in the audit criteria
sections, not in the new explanatory introduction sections).  


Governance- Kirk is working on a proposed definition of Observer Status for
the bylaws.


Lightweight IPR Agreement - Ben is working on this.


Website revision assignments

1.       Assignments will be made for CABF members for preparing the
sections of the web site.

a.       Info for Auditors: Don and Inigo

b.      Info for Consumers: Simon

c.       Info for Web Site Owners and Sys Admins: Robin

d.      Info for Manufacturers and Developers: Rick

e.      Info for Potential CABF Members: Dean

f.        Info for the Press: Gerv

g.       Mission, Governance, Procedures, Bylaws and Leadership: Ben

h.      Mailing Lists: Ben

i.         IPR: Ben

j.        EV Guidelines: Mads

k.       BR: Mert

l.         Working Groups - Code Signing: Dean

m.    Browser, root and Other Info: Cornelia

n.      Liaisons: Arno

o.      Proceedings: John

p.      Browser OS Versions: Sig

q.      Research Statistics: Don

Do we need to form an informal WG / discussion thread to review EV choke


Should we reconvene a subcommittee to work on security enhancements to CA
practices?   See attachment to email from Jeremy sent prior to the Mozilla
F2F with subject line [cabfpub] DRAFT Certificate System Operational
Security Requirements and dated 1 Feb. 2013.


Ben needs to circulate a revised Ballot 103 (OCSP Stapling) for discussion.


Revocation checking needs to work across the board.  Browsers should be
blocking negotiation of certs without an OCSP URL, and auditors should
review whether CAs are complying with this Baseline Requirement (that all
SSL certificates contain an OCSP URL). 


Where do we take the discussion about browser test suites from the F2F?
Where do we go from here?  (get
&do=get&target=Revocation_Discussion_notes_6-12-13.doc or view


We covered a lot of territory during the above-referenced Revocation
Discussion.  Members should review those notes carefully for more action

Update on technical constraints ballot from Steve Roylance.


Ben has incorporated Steve Roylance's correction into the minutes, but there
are certainly other changes / corrections that need to be made to the
minutes.  How do we want to tackle this (sign-off on the Munich F2F


Rick suggested that browsers take the first steps in experimenting with CAA
records.  So far, Google has taken a step, and there have been discussions
online, but have the other browsers discussed implementing this yet
internally, and if so, do they have anything to report?  


Any suggestions on how we prioritize the foregoing items so that we can
cover some or all of this during tomorrow's call?





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130626/85944b1d/attachment-0002.html>

More information about the Public mailing list