[cabfpub] Minutes of CA/B Forum Teleconference Apr 30, 2015

Dean Coclin Dean_Coclin at symantec.com
Wed May 20 20:05:11 UTC 2015

These have been approved and posted to the CA/B Forum website



Minutes Apr. 30, 2015

Attendees: Dean Coclin, Ben Wilson, Doug Beattie, Gerv Markham, Atsushi
Inaba, Kirk Hall, Volkan Nergiz, Rick Andrews, Moudrick Dadshov, Kubra
Zeray, Eddy Nigg, Wayne Thayer, Mads Henriksveen, Sisel Hoel, Tim Hollebeek,
Billy VanCannon, Jeremy Rowley, Tim Shirley, Peter Miskovic, Robin Alden,
Ryan Sleevi


1.       Minutes of 16 April meeting were approved. These will be posted to
the public list. 

2.       Ballot 146 (Conversion of BRs): Ballot passed.  

Ballot 149 (Bylaw updates from Kirk): This ballot adds a WebTrust BR
requirement for CAs and also requests that applicants provide an example URL
of a site that uses their cert (among some minor procedural changes). Ryan
said the ballot changes the WebTrust for CAs to Baseline Requirements which
is a concern for Google. The BR audit is currently reflected in the
requirements of root stores, membership of which is required for CA/B Forum
admission. Ryan said that this new requirement significantly narrows
membership to a work product of the forum. Kirk couldn't understand why any
CA would want to join the forum if they didn't follow the BRs. Ryan said
this was irrelevant to the topic and said the primary concern was that the
public would have to be subject to rules which the public had no input on.
Kirk countered that we require WebTrust for CAs which is in the same
category (i.e. no public input). Ryan said this was not a work product of
the forum. Gerv gave a scenario whereby some CA may have a problem with the
BRs and would like to join to help correct the problem but would be
prohibited under Kirk's proposal. Gerv continued to say that membership in
the forum shouldn't be subject to a forum work product as it gives incumbent
members some advantage. Kirk said such an example was not realistic. Gerv
said that membership in the CA/B Forum isn't equivalent to that of root
programs. Eddy said before BR guidelines were effective, there was never a
requirement to comply with the EV guidelines, as an example. Hence making a
requirement to comply with BRs doesn't make sense. Dean said that if this
was the only potential "issue" in the ballot and if the ballot doesn't pass,
we may "decouple" the other issues and propose a separate ballot for those.
Both Gerv and Ryan didn't express concerns on the other parts of the ballot.

Domain Validation Ballot: Working on re-drafting the ballot. Kirk suggested
bringing it back to Validation WG for further discussion. 

3.       Browser Security Indicators: Rick reiterated what he stated at the
Cupertino F2F meeting: Chrome and Firefox intend to deprecate RC4 (as an
example) and are starting to reflect in their security indicators whether
RC4 is used or not. It may be confusing to website owners and relying
parties to understand why they are not seeing the proper security UI because
of this reason. Rick asked the browsers for some help in researching why the
particular UI is indicated (developer console, debug log files). Rick
indicated that Richard Barnes of Mozilla acknowledged this at the F2F
meeting and would like a way to formally track this. Gerv suggested he reach
out to Richard directly. Ryan also acknowledged the request on behalf of
Google and said it is being worked. Some diagnostic capabilities exist today
and more are coming (in Chrome). Rick can also file a bug in Chromium if
there are specific "pain points" so they can be actioned and tracked. 

4.       Membership Application, National Certification Authority RUS: We
have received an application from a Qualified CA in Russia. IPR was signed
by an appropriate party. They don't have a WebTrust or ETSI audit nor are
publicly trusted by the major browsers (Gerv confirmed they are not in
Mozilla and Rick confirmed they are not in Microsoft). It was recommended
that they be given the opportunity to join as an Interested Party. Moudrick
mentioned that he knows this CA from a separate work group and is the one
that encouraged them to join the forum but acknowledged they do not meet
membership rules for a full member, but it would be good to have them as an
interested party.

A separate application came from Access Company (NetFront Browser). They had
some questions about the IPR which Ben will respond to.


5.       Email from the public on Validation: An email with a pointer to a
document was received. Dean asked other members for comments and a
recommendation for a response. Ryan and Kirk suggested he submit it to the
IETF instead.

6.       Validation Working Group: No further updates other than domain

7.       CSWG: Someone suggested we re-format the draft into the 3647
format. Ben and Inigo wanted to see this done. Jeremy had mixed feelings; on
one hand, it would be nice to have this done. On the other, we've spent so
much time to get to this point that any further delay is not desired. Dean
suggested we try to get the document passed as is since it won't go into
effect for another year. During that time, we can propose another ballot
with a reformatted version so that the ETSI and WebTrust teams can get it
into a version they will use. Everyone agreed on this approach.

8.       Policy Review Working Group: Since the ballot passed, Ben will go
back through the document to check all the cross references to the older
version. Will have something for the next meeting to discuss. 

9.       Info Sharing Working Group: No update.

10.   Other Business: Dean said the EU representative invited to the Zurich
meeting cannot make it but will try to attend the Istanbul meeting in the
fall.  Dean also said that an EU "TrustMark" was announced. Moudrick said
that it is not yet clear how it will be used. Mads said the TrustMark
will be used for all types of Trust Services. We will hear more about this
at the fall meeting.   There is a one hour slot open for the F2F meeting.
Please let Dean know if there are any additional topics to add. 

11.   Next meeting: May 14th. Adjourned.
