[cabfpub] Final Minutes of CA/B Forum call Oct. 29th 2015

Dean Coclin Dean_Coclin at symantec.com
Thu Nov 12 13:56:09 MST 2015


Attendees: Atsushi Inaba, Ben Wilson, Billy VanCannon, Bruce Morton, Cecilia
Kam, Dean Coclin, Dimitris Zacharopoulos, Doug Beattie, Eddy Nigg, Gervase
Markham, Jody Cloutier, Kirk Hall, Li-Chun Chen, Mads Hernriksveen, Marcelo
Silva, Peter Miskovic, Rick Andrews, Robin Alden, Sissel Hoel, Stephen
Davidson, Tim Shirley, Tyler Myers, Wayne Thayer, Wendy Brown, Neil Dunbar


1. Antitrust Statement Read

2. Roll Call completed

3. Agenda Reviewed. Guest from AT&T could not join this time. Perhaps
next call.

4. Minutes of F2F Istanbul: The minutes were approved after some
clarifications from Dimitris and Ben on the Matthias Wiedenhorst section.
They will be posted to the website along with any associated presentation.

5. Ballot Status: The policy working group has 2 ballots (154 and 155)
which now have endorsers and will be presented to the forum shortly. These
are to convert the current format to RFC 3647 for EV and Network Security. A
ballot on Short Lived certs (153) has started the discussion period which
ends on Nov. 3rd.

6. Help with Forum Tasks: Dean stated that forum could use some
volunteers to help with various tasks. Currently, the chair, vice-chair and
chair emeritus perform most of the admin tasks (with assistance for specific
tasks from Wayne-email lists, Eddy-questions). We could use help with our
website updates (Word Press), Github, and Bugzilla. Marcelo stated that he
would be willing to help with WordPress. Kirk suggested we enumerate the
tasks with specific duties so that people can have a chance to review and
volunteer. Ben said that the git piece is becoming more crucial as we use it
for ballots and BRs. That requires more technical expertise. Gerv said he
would discuss with Ryan (the git piece). Dean will take a stab at producing
a complete list.

7. CAA: Dean said we had a ballot last year (Oct 2014) where an
"optional" effort for CAA was approved. Rick mentioned in the spring that he
would like to see it become mandatory but got pushback from those that said
it needed more time before that could be put forth. Rick said that Symantec
has implemented it and it hasn't caused any performance problems and would
like to restart the discussion about doing more with CAA. Robin said they
also support it without any issues but understands why there would be
resistance. Rick said he would start discussing it again via email. Kirk
asked how many CAA records have been encountered. The answer was "very few".
Kirk asked if customers valued it. Dean said it may be an education issue,
are customers aware of it? Robin said some large customers have policies
about what CAs they can use and this enables them to express that policy.
Rick said CAA isn't a mandate on all customers. Anyone can self-select and
implement. Rick said that Ryan Sleevi voiced support in the past because he
thought it was a way that large enterprises (like Google) could enforce this
CA policy as new acquisitions were made. Discussions will continue on the
mailing list.

8. SHA-1 Deadline: Dean commented that he and Rick have been on 5-6
calls with F50 companies and governments since the Istanbul meeting that are
having major issues with the Dec 31 issuance deadline. The options given
are: (1) Get all your SHA-1 certs before 12/31/15 because the sale will be
over at midnight, (2) look at using private roots that were once in browsers
but have been removed at the request of the CA. The latter option may work
with non-browser applications that trusted those roots at one time. Examples
such as IBM MQ series and older Java versions were mentioned. Non-browser
applications seem to be the larger problem and these customers don't
understand why these are being restricted by the forum. Dean invited some of
these customers with these use cases to speak on a forum call. Unfortunately
many need clearance from their corporate security to do so. Some customers
did not understand how stopping issuance on 12/31/15 yet having valid SHA-1
certs till 12/31/16 made sense. Bruce stated there are 2 different attacks:
the collision attack happens at the time of issuance. The longer we keep
issuing, the longer the collision attack goes unmitigated. The latest
research report indicates that this possibility is much closer than we
thought it would be.
For certs that are already out there, those are subject to pre-image or
second image attack which are not yet realistic. Doug asked if there is
sufficient entropy in the cert, are we really susceptible to the pre-image
attack? Bruce said the entropy will drastically reduce that attack. He also
said if you only issue SHA-1 certs to specific customers, this mitigates the
attack because the customers are known entities. Rick said while that was
possible, browser vendors are considering pulling in the timelines to
distrust SHA-1 certs. Bruce didn't understand that because what are you
mitigating from certs that have already been issued? How does bringing in
the deadline help anything? Geoff said the lesson learned from the MD5 case
was that it's never over till the browser shuts it down. There will always
be someone that "never got the memo". You have to turn it off in the
browser. If you wait too long and it becomes too painful for customers, it
will never get shut off. Rick said that many customers are using it for
server to server (w/o browser) and they can't move fast enough because the
vendor support for SHA2 is poor. Marcelo said VISA has exactly this problem
and that for this environment, it doesn't matter if the browser trusts it or
not. They would be very interested in being able to get SHA1 certs for
non-browser use cases. Geoff said they intend to shut it off not just in the
browser but also in the OS and that users have been warned. Rick asked that
browser/OS vendors should be cognizant of these large enterprises when
making decisions. Dean summed up by stating there was a misunderstanding,
among large enterprises, of how the CA/Browser Forum works, and that they
all asked who was speaking on their behalf in the forum. He explained to
them how they can participate and follow the forum, barring another
governance

9. PAG Update: A deadline of Oct 31st is coming whereby domain
validation patent holders (CAB members) need to inform the forum.

10. Validation WG Update: No other updates other than the ballots
discussed above.

11. Code Signing WG Update: No further updates to the draft are being
accepted. There will be a meeting next week to prepare the document for
final shipment to the forum.

12. Policy WG Update: Update already given above in terms of the ballots.

13. Information WG Update: CISA bill is being addressed in the US
Government and is moving forward. Group is monitoring that.

14. Other Business: Let's Encrypt membership question: A question was
received whether a Point in Time Readiness Audit (PITRA) is sufficient for
membership. Jody said he didn't think so and they need a full audit. Gerv
thought it was odd that an organization that is capable of issuing
certificates to any domain, and is trusted by the browsers and is covered by
other's audits, cannot be qualified for membership. Eddy said there were
other CAs that had to wait until their audits were done, namely WoSign and
AffirmTrust. Gerv said those circumstances were slightly different and we
should look at equivalent precedent. A discussion ensued between Eddy and
Gerv citing various examples. Kirk pointed out several technical questions
with their sub CA and would like to know more info. He suggested we go back
and tell them what they need to do. Dean disagreed and said we should answer
their question since they haven't applied yet. Once they apply, if members
have questions, then we can pose them. Gerv said a helpful answer would be
to include other reasons why they may not be qualified. Rick said that we
should stick to the bylaws. Gerv asked what other reasons we should give
that may be helpful in their future application. A discussion about the
audit ensued. In the end the group felt that the PITRA was not sufficient
for membership. Dean will respond to the question with some advice which
Kirk will enumerate.

15. Next teleconference scheduled for November 12th.

16. Meeting Adjourned.
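Editorial note added to this archived message (not part of Dean's minutes, nor code from the Forum or any CA named above): item 7 records that CAA lets a domain holder express which CAs may issue for its names, and that a CA checks the records before issuing. The script below shows the issuer-side check as RFC 6844 describes it: walk from the requested name toward the root to find the closest CAA record set, pick the issuewild set for wildcard requests, refuse on a critical tag the issuer does not understand, and treat an empty value (";") as "no issuance". The zone data, domain names and CA names are constructed for the example; a real CA would obtain the record sets from DNS (ideally over a validating resolver) rather than from a dictionary.

```python
"""Issuer-side CAA check modelled on RFC 6844 (added illustration, not a CA's code)."""
from typing import Dict, List, NamedTuple, Tuple

ISSUER_CRITICAL = 0x80                      # bit 7 of the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags this checker understands


class CAARecord(NamedTuple):
    flags: int   # 0 or ISSUER_CRITICAL
    tag: str     # property tag, e.g. "issue"
    value: str   # for issue/issuewild: "<ca-domain>[; params]" or ";" (nobody may issue)


# Constructed sample zone data (hypothetical names); stands in for DNS lookups.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "ca-alpha.example; account=123"),  # only ca-alpha, non-wildcard
        CAARecord(0, "issuewild", ";"),                            # no wildcard issuance at all
    ],
    "locked.example.net": [
        CAARecord(ISSUER_CRITICAL, "future-tag", "some-value"),   # critical tag we don't know
    ],
}


def lookup_caa(name: str, zone: Dict[str, List[CAARecord]] = SAMPLE_ZONE) -> List[CAARecord]:
    """Return the CAA RRset for an exact name (empty list when none)."""
    return zone.get(name.lower().rstrip("."), [])


def relevant_record_set(fqdn: str, zone: Dict[str, List[CAARecord]] = SAMPLE_ZONE) -> List[CAARecord]:
    """RFC 6844 s.4: the first non-empty CAA RRset found walking from the
    requested name up through its parents; empty if no ancestor has one."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]), zone)
        if rrset:
            return rrset
    return []


def ca_domain(value: str) -> str:
    """Extract the authorised CA's domain from an issue/issuewild value;
    ';' alone yields '' which matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(requested_name: str, ca: str,
              zone: Dict[str, List[CAARecord]] = SAMPLE_ZONE) -> Tuple[bool, str]:
    """Decide whether CA `ca` may issue for `requested_name` ('*.' prefix = wildcard)."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    rrset = relevant_record_set(base, zone)

    if not rrset:
        return True, "no CAA records in the name's tree; issuance is not restricted"

    # A critical property the issuer does not recognise forbids issuance outright.
    for rec in rrset:
        if rec.flags & ISSUER_CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unrecognised property tag {rec.tag!r}"

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"

    permitted = {ca_domain(r.value) for r in rrset if r.tag.lower() == tag}
    if not permitted:
        return True, f"relevant record set has no {tag} property; issuance is not restricted"
    if ca.lower() in permitted:
        return True, f"{ca} is authorised by an {tag} property"
    return False, f"{ca} is not in the {tag} set {sorted(permitted)}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-alpha.example"),
                     ("www.example.com", "ca-beta.example"),
                     ("*.example.com", "ca-alpha.example"),
                     ("host.locked.example.net", "ca-alpha.example"),
                     ("www.open.example.org", "anyone.example")]:
        allowed, reason = may_issue(name, ca)
        print(f"{name:28} {ca:18} -> {'ISSUE' if allowed else 'REFUSE'}: {reason}")
```

The climb to the parent in relevant_record_set is what lets the example.com owner's single record cover every hostname beneath it, which is the "express that policy" use case Robin describes; the ";" value on issuewild is the usual way an operator turns off wildcard issuance entirely. Real deployments also have to handle CNAME and DNAME chains and DNS failures, which this illustration leaves out.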
