[cabfpub] Approved minutes August 6, 2015 CA/Browser Forum Teleconference

Dean Coclin Dean_Coclin at symantec.com
Thu Aug 20 21:01:17 UTC 2015


Final Minutes August 6, 2015


Attendees: An Ying (CNNIC), Atsushi Inaba, Ben Wilson, Billy VanCannon,
Christy McKinley, Dean Coclin, Charlotte Yan (CNNIC), Doug Beattie, Eddy
Nigg, Gerv Markham, Jeremy Rowley, , Kirk Hall, Mads Henriksveen, Marcelo
Silva, Patrick Tonnier, Peter Miscovic, Rick Andrews, Robin Alden, Ryan
Sleevi, Sisel Hoel, Tim Shirley, Tim Hollebeek, Volkan Nergiz, Wayne Thayer


1.       Antitrust statement was read by Dean


2.       Roll Call completed


3.       Review Agenda: No items added


4.       Approve minutes of July 23, 2015 meeting: Minutes approved. Ben to
post on website.


5.       Ballot Status: Domain Validation: Undergoing revisions. Kirk said
that a revised draft will come up in next week's working group meeting. IV
OIDs Ballot 150: A revised ballot including the EV OID will be circulated


6.       Microsoft Root Program Updates: Jody was not on the call but
Christy responded to the questions. Rick asked about the change in policy of
OCSP responses to a 2 day lifetime. This may have unintended consequences,
especially for those using CDNs, as caching will be reduced and there will
be a lot more hits. Another unintended consequence might be to folks
interested in short lived certs w/o revocation information. Christy took it
under advisement and asked for Rick to send the issue in an email. Gerv
asked if Rick could produce a graph with OCSP lifetime along the horizontal
axis and relative costs on the vertical axis. Jeremy asked why do the costs
matter? Gerv clarified that he is asking about OCSP lifetime, not short
lived certs. Doug had a concern about SHA-1 vs. SHA-2. The agreement states
that all OCSP signatures must be signed with SHA-2 starting Jan 2016. For
SHA-2 hierarchies this is fine but for SHA-1 certs that have been issued and
allowed to be used in 2016, Doug is concerned about the effect of this.
Clarity around this is needed and he believes that CAs should continue to be
able to sign using SHA-1 thru the end of 2016. Christy said Jody is still
researching it but asked that another message be sent in to their list. Dean
asked if the section on subcontracting had been updated. Christy will
follow-up on the list.


7.       Corrections to F2F minutes: Gerv asked for a correction to the
minutes on Domain validation methods. Ben suggested deleting the words
relating the comment to Gerv. There were no objections.


8.       PAG/Working Group minutes clarification: The PAG is not a Working
Group as defined by our bylaws but operates under the IPR Policy. Ryan asked
if the PAG list should be public or private as the bylaws can be construed
both ways. He also brought up the topic of regular working group minutes and
if those were being made public. Kirk said that the minutes from the PAG may
not be ready for discussion right away but it's a question of when, not
whether. Ryan said we could make the archives public which would be
discoverable by a search engine. Dean suggested that the PAG itself should
make a recommendation at their next meeting on this topic and bring it back
to the forum. Ryan agreed. On the topic of working groups, Dean said the
working groups aren't generally taking detailed minutes but do produce new
drafts and agendas which are distributed to their list. The list is only
open to members that have signed the IPR. If you make the list public, then
the list is open to those that have not agreed to the IPR policy. The CABF
meeting minutes do contain summary of the working groups. Ryan said a
concern is the "why" of the working group, i.e. why was a particular item
added but conceded there is a balance to be struck. Lastly, Ryan asked if
the PAG should be considered the same as a Working Group (per the bylaw
definitions). Kirk said it should. 


9.       Short Lived Certs: Ben said we discussed this at the F2F meeting
(allowing short lived certs w/o revocation information). There was some
objection from some CAs (notably Eddy). Dean asked why experiments couldn't
be done with private certs. Both Jeremy and Ryan said you need some
scalability from public clients and roots to do a real test.  Eddy suggested
that Ben talk to browser vendors. Doug said that not all browsers check for
revocation during this time frame and hence it would be an interesting test.
Ryan said that if you use OCSP stapling, you could remove that data. The
discussion ended as we ran out of time. Dean suggested the proponents send
out a message to the list to see if we have any consensus. 


10.   Working Group Updates: Validation: Kirk said he'd like to see a final
ballot come up before the membership for discussion. He believes they are
very close to having that ready.   Code Signing: Dean sent out the final
draft to the management list and will post it to the public list shortly to
get it ready for a vote in the forum.  Policy: The working group will have a
face to face meeting on Sept 9th at Symantec in Washington, DC. We have 7
people signed up so far. Ben said they were looking at taking the Network
Security guidelines and adding into the new document and asked the forum for
comments. Doug said we discussed at the F2F that we would first put the EV
Guidelines into the new format. Kirk said we should add the Network Security
reqts in and then the EV reqts. Then delay adding other items until the
first 2 pass.   Information Sharing: Meeting tomorrow at 1600 UTC. Ben said
the Senate didn't vote on the Information Sharing act in this session. When
they return they will review and decide whether to adopt. Dean said the
group is concerned about putting people on a "black list" and then trying to
remove them or face liability issues by putting them on a black list. Ben
believes this bill would resolve some of those issues. 


11.   Other business: The Istanbul meeting will be either at the Divan or
Crowne Plaza, both of which are near Taksim Square. A dinner will be held
Wednesday night. We expect to have a final hotel by next week. Please
register for the conference on the wiki. 


12.   Other business: 


13.   Next Teleconference Aug 20th.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150820/c079f690/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150820/c079f690/attachment.p7s>

More information about the Public mailing list