[cabfpub] Final Minutes of CA/B Forum call March 17, 2016

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Tue Apr 5 23:31:54 MST 2016


Hi Dean

I was also attending the eIDAS meeting and have some additional comments.

My understanding of QWACs (qualified certificates for website authentication) is that this is essentially the same as EV certificates. As a CA issuing EV certificates we have to satisfy the browsers' root certificate program requirements with respect to EV certificates in order to get the green bar in browsers. In addition, we will have to satisfy the eIDAS requirements for QWACs in order to be included in the EU Trusted List (TL) as an issuer of QWACs. Fortunately, the eIDAS QWAC requirements are very close to the browsers' root certificate program requirements with respect to EV certificates. We must perform an ETSI audit similar to what we already do. The ETSI audit scheme will change, but basically the audit requirements are close to the current requirements. We must send the audit report both to the browser root certificate programs and to the national supervisory body according to eIDAS; the latter is to ensure that we are registered on the EU TL as an issuer of QWACs. The EU TL will also cover other qualified trust services we provide, e.g. as an issuer of qualified certificates for natural persons, as an issuer of qualified certificates for legal persons, etc. We must also satisfy additional requirements as a Qualified Trust Service Provider, but these are not directly related to, or limited to, QWACs.

Whether the application vendors eventually will use the EU TL or not is another discussion. We know that Adobe already has integrated the EU TL with their own AATL, but there seems to be more resistance against this from browsers.

Regards
Mads


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: 5 April 2016 20:08
To: CABFPub
Subject: [cabfpub] Final Minutes of CA/B Forum call March 17, 2016

Final Minutes

Attendees: Alex Wight (Cisco), Andrew Whalley (Google), Atsushi Inaba, Ben Wilson, Bruce Morton, Burak Kalkan, Cap Hayes (Cisco), Connie Enke, Davut Tokgoz, Dean Coclin, Dimitris Zacharopoulos, Doug Beattie, Geoff Keating, Gervase Markham, Jeremy Rowley, JC Jones, Jos Purvis (Cisco), JP Hamilton (Cisco), Kirk Hall, Li-Chun Chen, Mads Henriksveen, Moudrick Dadashov, Neil Dunbar, Patrick Tronnier, Peter Bowen, Peter Miscovic, Richard Barnes, Rich Smith, Robin Alden, Ryan Sleevi, Sissel Hoel, Tim Hollebeek, Tim Shirley, Tyler Myers, Wayne Thayer, Wendy Brown


1. Antitrust Statement was read by Kirk.

2. Roll Call completed.

3. Agenda reviewed.

4. Minutes of 4 February meeting: The minutes were approved and will be sent to the public list. Minutes from the Scottsdale face to face were incomplete and will be re-sent to the management list once completed.

5. Ballot Status: Two ballots were discussed. Ballot 162 (Sunset of Exceptions) has passed. Ballot 163 (Fix errata in EV Guidelines) looks likely to pass. A new ballot to form a Governance Change working group was announced. Dean will send out the ballot after the call. The ballot is only to authorize the working group, not to make any changes.

6. Domain Validation draft ballot: Jeremy said that they are close to finishing the ballot. They are working on some of the nuances on a couple of the methods. They expect to be ready after the next call.

7. Membership Applications: We received an application from Let's Encrypt as a CA. It all appears valid and there was no objection to admitting Let's Encrypt as a full member. Dean will notify the applicant. We also received an updated application from Amazon Trust Services which contained their full period audit. Amazon was approved as a full member.

8. Update from eIDAS meeting: Dean, Ryan and Andrew attended the eIDAS meeting in Brussels last week which was specific to Qualified Website Authentication Certificates (QWACs). The purpose was to explain more about the reason for QWACs and how they are supposed to work. The regulation goes into effect on July 1, 2016. Dean said it was a response to the DigiNotar and other incidents. QWACs can only be issued by Qualified CAs but there is no requirement to use or buy them. Dean and Ryan were on a panel along with representatives from Austria and Luxembourg. There are a number of controversial items which are still being clarified, namely the Trusted Status List (TSL) and potential browser UI changes. Presentations from the meeting will be made public soon. Kirk asked why this was happening and what the perceived benefits are to this legislation. Ryan said the certs are similar to EV but with the backing of the EU and that the legislation regulates all CAs. He also said that it would introduce another UI which users would have to be conditioned to look for. And if they were in some way harmed, the liability would fall on the CA. Moudrick asked if the requirements for EV and QWACs were the same. Andrew said there were incompatible standards between the 2 requirements. For example, QWACs would not automatically get EV treatment. A Qualified CA can put in a Qualified OID but may not be able to assert the EV OID. This needs to be reconciled. Peter asked if there was an action for the CA/B Forum to work closer with eIDAS. Ryan said there was some confusion among eIDAS members as to what CAs had to comply with, as many thought it was just the CA/B Forum BRs. This misperception was corrected at the meeting. A discussion on the trust list ensued, how it could work, the obstacles to making it work, etc. It's still a fluid situation. Dean said that more meetings are likely and encouraged others to attend.

9. PAG/IPR Status: Dean said that the IPR agreements are now due but quite a few members have not submitted them yet. Peter said the ballot said those that haven't signed should be "suspended" but it's not clear what that means. Dean said we would have to remove their wiki access, suspend them from public list access, remove voting privileges, etc., which is a bunch of work vs. just waiting another week for the agreements to come in. A discussion continued and it was decided to give people 2 more weeks to comply. On a related topic, Cisco had raised an issue with the IPR agreement which relates to undisclosed (unpublished) patents which need to be disclosed. Cisco wants to ensure trade secrets and IPR are secure before something has been patented. Hence they feel there is a problem with the language. Josh from Cisco said unpublished patent applications are part of the company's IP strategy. The current IPR says that you must disclose the entirety of an unpublished patent as it relates to an essential claim and there is concern on their part about that. Discussion will continue in the PAG to see if that language can be revised. Peter said that Cisco signed the current IPR.

10. Validation WG Update: No further updates.

11. Code Signing WG Update: No update. Next meeting March 24.

12. Policy WG Update: Working on Sections 5.1 and 5.2 of BRs. Forum will receive additional ballots shortly.

13. Information Sharing WG Update: No update, meeting every other Friday.

14. Other Business: Members were urged to vote for their preference of fall meeting dates (Redmond) on the Doodle poll. There are 34 people signed up for Bilbao and more are expected. The guest speaker for Bilbao will be Ivan Ristic.

15. Next teleconference scheduled for March 31st.

16. Meeting adjourned.