[cabfpub] Meeting Tomorrow - Follow Up to Munich F2F

Steve Roylance steve.roylance at globalsign.com
Thu Jun 27 10:38:45 UTC 2013

Hi Ben,

A huge list to chew through!  I'll be helping Simon on the consumer info.

Concerning my proposals for Name Constraints, I'm very close in that I have
a document for review by Stephen and Kathleen and will 'hopefully' be in a
position to circulate and discuss tonight.  It's one I'd like to move
forward with so that a vote is complete prior to the August 1st deadline for
DB-based OCSP responses.  I, like many others no doubt, have holidays in July,
so I'd like to front-end the discussion if possible.

I updated the Wiki for Ballot 100 to be withdrawn completely (i.e. I took
out the 'for more work' line) as the core of that Ballot will be in the
proposal on Name Constraints and therefore I want to have a new number and
new thread on all areas.



From:  Ben Wilson <ben at digicert.com>
Organization:  DigiCert
Reply-To:  Ben Wilson <ben at digicert.com>
Date:  Wednesday, 26 June 2013 21:03
To:  <public at cabforum.org>
Subject:  [cabfpub] Meeting Tomorrow - Follow Up to Munich F2F

During tomorrow's telephone call I'd like to review the take-aways from our
Munich F2F.
Here are some of the items:
Sunsetting of 1024-bit certificates - Who would like to write up and
circulate an updated, post-F2F synopsis of what they believe is the status
on how CAs, Browsers, and Subscribers are doing in their efforts to sunset
1024-bit certificates?
Ben will work on a "SHOULD" recommendation / proposed ballot that CAs
"should" offer SHA2 as the default option for certificate signatures.  That
way applicants would opt-out of SHA2 and select SHA1 and this would push
"natural attenuation" away from SHA1.
Guidelines Hand-off Date
If we are to begin implementing a new hand-off-date approach for CABF
guideline documents (i.e. Sept. 30 of each year), then are there any tasks
that we should try to accomplish in the next 90 days to get the most benefit
from a cyclical process?  What can we do to improve upon the concept now?
For instance, would any of you like to work on an update to Exhibit C of the
Bylaws?  (Section 5.6 of the Bylaws states, "Project Lifecycle - In general,
Forum projects will follow the model Project Lifecycle attached as Exhibit
C.  However, the Members may modify this model as appropriate by their
subsequent actions.")  Also, the minutes indicate that Kirk would circulate
his prior proposal re: an annual cycle for changes to CABF standards and
WebTrust/ETSI standards with modifications based on the discussion by the
group, with input from Jeremy and Don.  How might this be harmonized with
the foregoing?   Finally, there were comments that CAs would appreciate it
if browsers could provide clarity and uniformity on effective dates for
audit requirements.  Can browser members take on a task to develop a
coordinated policy/process on this?
Who would like to take on an assignment to draft amendments to the
guidelines that will remove specific references within them to WebTrust and
ETSI version numbers?   (That would mainly be in the audit criteria
sections, not in the new explanatory introduction sections).
Governance - Kirk is working on a proposed definition of Observer Status for
the bylaws.
Lightweight IPR Agreement - Ben is working on this.
Website revision assignments
1. Assignments will be made for CABF members for preparing the
sections of the web site.
   a. Info for Auditors: Don and Inigo
   b. Info for Consumers: Simon
   c. Info for Web Site Owners and Sys Admins: Robin
   d. Info for Manufacturers and Developers: Rick
   e. Info for Potential CABF Members: Dean
   f. Info for the Press: Gerv
   g. Mission, Governance, Procedures, Bylaws and Leadership: Ben
   h. Mailing Lists: Ben
   i. IPR: Ben
   j. EV Guidelines: Mads
   k. BR: Mert
   l. Working Groups - Code Signing: Dean
   m. Browser, root and Other Info: Cornelia
   n. Liaisons: Arno
   o. Proceedings: John
   p. Browser OS Versions: Sig
   q. Research Statistics: Don
Do we need to form an informal WG / discussion thread to review EV choke
Should we reconvene a subcommittee to work on security enhancements to CA
practices?   See attachment to email from Jeremy sent prior to the Mozilla
F2F with subject line [cabfpub] DRAFT Certificate System Operational
Security Requirements and dated 1 Feb. 2013.
Ben needs to circulate a revised Ballot 103 (OCSP Stapling) for discussion.
Revocation checking needs to work across the board.  Browsers should be
blocking negotiation of certs without an OCSP URL, and auditors should
review whether CAs are complying with this Baseline Requirement (that all
SSL certificates contain an OCSP URL).
Where do we take the discussion about browser test suites from the F2F?
Where do we go from here?  (get Revocation_Discussion_notes_6-12-13.doc or view
We covered a lot of territory during the above-referenced Revocation
Discussion.  Members should review those notes carefully for more action
Update on technical constraints ballot from Steve Roylance.
Ben has incorporated Steve Roylance's correction into the minutes, but there
are certainly other changes / corrections that need to be made to the
minutes.  How do we want to tackle this (sign-off on the Munich F2F
Rick suggested that browsers take the first steps in experimenting with CAA
records.  So far, Google has taken a step, and there have been discussions
online, but have the other browsers discussed implementing this yet
internally, and if so, do they have anything to report?
Any suggestions on how we prioritize the foregoing items so that we can
cover some or all of this during tomorrow's call?
_______________________________________________ Public mailing list
Public at cabforum.org https://cabforum.org/mailman/listinfo/public
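Three of the agenda items above (the 1024-bit sunset, SHA2 as the default signature hash, and the Baseline Requirement that every SSL certificate carry an OCSP URL) are properties anyone can check on a certificate. The following Go program is an added example written for this page, not code from the CA/Browser Forum or from anyone on the thread. It builds two self-signed server certificates in memory as constructed samples (the responder URL http://ocsp.example.test is an assumption, not a real endpoint) and reports which of those three checks each one fails, using only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one observation about a certificate, phrased the way an auditor
// or a browser policy check would report it.
type Finding string

// auditLeaf applies three of the agenda's checks to a parsed server certificate:
// RSA key size (1024-bit sunset), signature hash (SHA-1 vs SHA-2) and the
// presence of an OCSP responder URL in the Authority Information Access extension.
func auditLeaf(cert *x509.Certificate) []Finding {
	var findings []Finding

	// 1024-bit sunset: flag any RSA modulus shorter than 2048 bits.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, Finding(fmt.Sprintf(
			"RSA public key is %d bits; 1024-bit keys are being sunset, expect at least 2048",
			pub.N.BitLen())))
	}

	// SHA2 as the default: anything signed with SHA-1 (or an MD hash) is reported.
	switch cert.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		findings = append(findings, "certificate signature uses SHA-1; SHA2 should be the default")
	case x509.MD2WithRSA, x509.MD5WithRSA:
		findings = append(findings, "certificate signature uses a broken MD hash")
	}

	// Revocation: the BR requires an OCSP URL in AIA, and the email proposes that
	// browsers refuse to negotiate certificates that lack one.
	if len(cert.OCSPServer) == 0 {
		findings = append(findings, "no OCSP URL in Authority Information Access")
	}
	return findings
}

// makeCert builds a self-signed server certificate in memory. It is a constructed
// sample for this example, not a real CA-issued certificate.
func makeCert(bits int, sigAlg x509.SignatureAlgorithm, ocspURLs []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "www.example.test"},
		DNSNames:           []string{"www.example.test"},
		NotBefore:          now,
		NotAfter:           now.Add(365 * 24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		OCSPServer:         ocspURLs, // encoded into the AIA extension
		SignatureAlgorithm: sigAlg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// legacySample is the profile the agenda wants retired: 1024-bit RSA, SHA-1, no OCSP URL.
func legacySample() (*x509.Certificate, error) {
	return makeCert(1024, x509.SHA1WithRSA, nil)
}

// compliantSample passes all three checks (assumed responder URL, not a real one).
func compliantSample() (*x509.Certificate, error) {
	return makeCert(2048, x509.SHA256WithRSA, []string{"http://ocsp.example.test"})
}

func main() {
	samples := map[string]func() (*x509.Certificate, error){"legacy": legacySample, "compliant": compliantSample}
	for name, build := range samples {
		cert, err := build()
		if err != nil {
			fmt.Println(name, "build error:", err)
			continue
		}
		findings := auditLeaf(cert)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Running it reports three findings for the legacy certificate and none for the compliant one. To audit a real chain, replace makeCert with x509.ParseCertificate over the DER of each certificate served by the site; the same auditLeaf applies unchanged.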
