[cabfpub] Final Minutes of CA/B Forum call March 17, 2016
Dean_Coclin at symantec.com
Tue Apr 5 18:08:00 UTC 2016
Attendees: Alex Wight (Cisco), Andrew Whalley (Google), Atsushi Inaba, Ben
Wilson, Bruce Morton, Burak Kalkan, Cap Hayes (Cisco), Connie Enke, Davut
Tokgoz, Dean Coclin, Dimitris Zacharopoulos, Doug Beattie, Geoff Keating,
Gervase Markham, Jeremy Rowley, JC Jones, Jos Purvis (Cisco), JP Hamilton
(Cisco), Kirk Hall, Li-Chun Chen, Mads Henriksveen, Moudrick Dadashov, Neil
Dunbar, Patrick Tronnier, Peter Bowen, Peter Miscovic, Richard Barnes, Rich
Smith, Robin Alden, Ryan Sleevi, Sissel Hoel, Tim Hollebeek, Tim Shirley,
Tyler Myers, Wayne Thayer, Wendy Brown
1. Antitrust Statement was read by Kirk.
2. Roll Call completed
3. Agenda Reviewed.
4. Minutes of 4 February meeting: The minutes were approved and will
be sent to the public list. Minutes from the Scottsdale face to face were
incomplete and will be re-sent to the management list once completed.
5. Ballot Status: Two ballots were discussed. Ballot 162 (Sunset of
Exceptions) has passed. Ballot 163 (Fix errata in EV Guidelines) looks
likely to pass. A new ballot to form a Governance Change working group was
announced. Dean will send out the ballot after the call. The ballot is only
to authorize the working group, not to make any changes.
6. Domain Validation draft ballot: Jeremy said that they are close to
finishing the ballot. They are working on some of the nuances on a couple of
the methods. They expect to be ready after the next call.
7. Membership Applications: We received an application from Let's
Encrypt as a CA. It all appears valid and there was no objection to
admitting Let's Encrypt as a full member. Dean will notify the applicant. We
also received an updated application from Amazon Trust Services which
contained their full period audit. Amazon was approved as a full member.
8. Update from eIDAS meeting: Dean, Ryan and Andrew attended the
eIDAS meeting in Brussels last week which was specific to Qualified Website
Authentication Certificates (QWACs). The purpose was to explain more about
the reason for QWACs and how they are supposed to work. The regulation goes
into effect on July 1, 2016. Dean said it was a response to the Diginotar
and other incidents. QWACs can only be issued by Qualified CAs but there is
no requirement to use or buy them. Dean and Ryan were on a panel along with
representatives from Austria and Luxembourg. There are a number of
controversial items which are still being clarified, namely the Trusted
Status List (TSL) and potential browser UI changes. Presentations from the
meeting will be made public soon. Kirk asked why this was happening and what
the perceived benefits are to this legislation. Ryan said the certs are
similar to EV but with the backing of the EU and that the legislation
regulates all CAs. He also said that it would introduce another UI which
users would have to be conditioned to look for. And if they were in some way
harmed, the liability would fall on the CA. Moudrick asked if the
requirements for EV and QWACs were the same. Andrew said there were
incompatible standards between the 2 requirements. For example, QWACs would
not automatically get EV treatment. A Qualified CA can put in a Qualified
OID but may not be able to assert the EV OID. This needs to be reconciled.
Peter asked if there was an action for the CA/B forum to work closer with
eIDAS. Ryan said there was some confusion among eIDAS members as to what CAs
had to comply with, as many thought it was just the CA/B Forum BRs. This
misperception was corrected at the meeting. A discussion on the trust list
ensued, how it could work, the obstacles to making it work, etc. It's still
a fluid situation. Dean said that more meetings are likely and encouraged
others to attend.
9. PAG/IPR Status: Dean said that the IPR agreements are now due but
quite a few members have not submitted them yet. Peter said the ballot said
those that haven't signed should be "suspended" but it's not clear what that
means. Dean said we would have to remove their wiki access, suspend from
public list access, remove voting privileges, etc. which is a bunch of work
vs. just waiting another week for the agreements to come in. A discussion
continued and it was decided to give people 2 more weeks to comply. On a
related topic, Cisco had raised an issue with the IPR agreement which
relates to undisclosed (unpublished) patents which need to be disclosed.
Cisco wants to ensure trade secrets and IPR are secure before something has
been patented. Hence they feel there is a problem with the language. Josh
from Cisco said unpublished patent applications are part of the company's IP
strategy. The current IPR says that you must disclose the entirety of an
unpublished patent as it relates to an essential claim and there is concern
on their part about that. Discussion will continue in the PAG to see if that
language can be revised. Peter said that Cisco signed the current IPR.
10. Validation WG Update: No further updates
11. Code Signing WG Update: No update. Next meeting March 24
12. Policy WG Update: Working on Sections 5.1 and 5.2 of BRs. Forum will
receive additional ballots shortly.
13. Information Sharing WG Update: No update, meeting every other Friday.
14. Other Business: Members were urged to vote for their preference of
fall meeting dates (Redmond) on the Doodle poll. There are 34 people signed
up for Bilbao and more are expected. The guest speaker for Bilbao will be
15. Next teleconference scheduled for March 31st
16. Meeting adjourned