[cabfpub] Final Minutes of CA/B Forum call March 31, 2016

Dean Coclin Dean_Coclin at symantec.com
Tue Apr 19 22:59:01 UTC 2016

Final Minutes


Attendees: Andrew Whalley (Google), Arno Fiedler, Atsushi Inaba, Ben Wilson,
Bruce Morton, Jody Cloutier, Dean Coclin, Dimitris Zacharopoulos, Doug
Beattie, Jacob Hoffman-Andrews, Jeremy Rowley, Josh Aas (Let's Encrypt) Kirk
Hall, Li-Chun Chen, Mads Henriksveen, Patrick Tronnier, Peter Bowen, Peter
Miscovic, Rich Smith, Rick Andrews, Robin Alden, Ryan Sleevi, Tim Hollebeek,
Volkan Nergiz, Wayne Thayer


1.       Antitrust Statement was read by Dean.


2.       Roll Call completed


3.       Agenda Reviewed.  


4.       Minutes of 17 March meeting: The minutes were approved and will be
sent to the public list.  Minutes from the Scottsdale face to face were also
approved and a link to the posted minutes (which include presentations) will
be sent out to the public list.


5.       Ballot Status: Two ballots were discussed. Ballot 165 (Governance
change WG) looks like it will pass. Ballot 166 (Membership reqts update to
bylaws) also looks likely to pass. A new "BR clean up" ballot from Peter
Bowen was announced and a redline was sent to the public list.  Rick said
there was a Microsoft tech note that allows  <http://www.*.example.com>
ww*.example.com. Jody confirmed the platform supports it. Rick suggested the
BRs be updated to include that. Ryan said that is not a good thing as there
are multiple specs that treat this differently and historical context which
would make it hard for Google to support such a ballot. Kirk asked why Peter
put this in the ballot. He responded that this was raised in the past where
people found a discrepancy in relation to other docs. However, given there
was not consensus, he would remove from the proposed ballot. Ryan said there
is a need for clarification because CAs seem to be interpreting this
differently. Peter said he would create a new definition called "wildcard
domain name" with an exact definition to avoid confusion and add clarity.
Rick said that ideally Microsoft should remove that functionality and update
the tech notes. Jody said he would need to consult with his expert on this.
Peter said the goal of this ballot was to make it a "consensus" ballot and
would remove anything controversial. 


6.       Domain Validation draft ballot: Jeremy said the document was
circulated to the forum list. There were a few minor redlines that need
cleanup but should be ready to go before the next call. 


7.       SHA-1 Situation: Jody said they had been approached by members of
the payment industry with the problems they have had with terminals that do
not support SHA-2.   Some solutions floated are to reissue the certs they
currently have and the other is to issue from a root not enrolled in a
trusted root program. The problem with the latter is that their
certification body requires it come from a trusted source. Jody said a
conference in mid-April hosted by ETA trade group will be discussing this.
Jody wondered if the forum should propose a solution as this issue isn't
going away. Responding to a question, Jody thinks that issuing from a
non-publicly trusted root was the better solution and that the payments
industry should accept that. Peter asked if there was any more info on the
ETA. Jody said Microsoft was a member as well as Google. Dean confirmed the
extent of the issues as Symantec has received many calls from payment
processors in the last month but has solved many by issuing certs from
removed roots. While this has solved most of the issues, there is still a
percentage that is not solved.  Ryan said Google was open to exploring
solutions but wants to better understand the problem by posting info to the
public list, using the set of questions he posted on the list earlier. Dean
said he explained this to one particular bank that has a particular issue
and that customer is deciding whether to come forward to the forum with
answers to those questions. Jody said that we should try to have the right
people in the room at the ETA conference to help guide a more general
solution so we can be part of the solution, rather than the problem.


8.       Membership Applications: Dean stated that he was in discussion with
the Electronic Transactions Association (ETA) about a potential Associate
membership status in the forum.  Dean reminded all the difference between
Associate members and Interested party, the biggest difference being that
AMs can attend meetings. AMs are people like ETSI, WebTrust, Paypal, Federal
PKI. They cannot vote. ETA is a large organization with about 5000 members
that specialize in the payment industry (payment processors, terminals,
etc). As a result of the SHA-1 situation, they would like to be more
involved in the forum on behalf of their members and believe they can also
contribute to the forum in some fashion. The consensus from members on the
call was that they would like to see something in writing from the ETA and
reconsider on the next call. Kirk said it would positive to have a group
like this participating but thought that we didn't need more than one such
group from this industry. Andrew wanted to know what continuing benefit they
could provide going forward given their particular niche interest. Dean said
that should be in their application. Peter questioned what the advantage was
in having them as an Associate member vs. an Interested party. Dean replied
that the major difference was that if a topic of interest was on the agenda,
they could join a call or F2F meeting.  Patrick said he expected more of
these types of groups to join the forum, especially those representing
devices (not browser based). Ryan said that this will continue to be a
challenge until these groups move off of public roots and had a slight
concern with these groups joining the forum for what should be a short term
problem. Dean said these groups are actively moving off public roots but
until fully migrated, don't want to be caught off guard again.  Peter
suggested the Governance Working Group should consider this as part of their
scope discussion. Rich said that there is value to the forum as well as the
participants and overall security of the entire ecosystem to have these
groups participate in forum discussions and hear the expertise of our
members. Discussion to be continued on the next call. 


9.       PAG/IPR Status: Dean said the list of non-signed IPR agreements has
dropped to a handful. Those that have not signed will be suspended from the
forum, meaning they will not be able to vote, participate in meetings or
working groups, login into the wiki or post to the list. Once they sign the
IPR, they will  not have to re-apply. They will just have their privileges
restored. Peter suggested we should not make a further attempt to contact
anyone as we have published this on the public and management lists several
times. Ben and Dean will review the list and provide the info to Wayne to
suspend their access. Bruce suggested we have a period for their suspension
and that if they don't respond within that period, they would have to
reapply. Jeremy said this would need a ballot. Jeremy said the Governance
working group should consider this as part of the bylaws reform. Dean
commented that ETSI and WebTrust were not required to sign the IPR in the
past and won't be required to sign the new one. Arno said that historically
the ETSI lawyers had a problem signing one with an unincorporated
organization. There had been an MOU with Tim Moses when he was chair of the
Forum. Kirk said he believed the IPR was an agreement among members
(corporate entities) and not the organization itself. Arno said he would
have to check. 


10.   Validation WG Update: No further updates


11.   Code Signing WG Update: At the last working group meeting, Microsoft
agreed to adopt the Code Signing Baseline Requirements as of Feb 1, 2017,
One concern among WG members was that since the document is not an official
forum document (having been voted down by the forum), that the rights to the
document were owned by the WG members. Jeremy and Ben suggested that the
contributors to the WG would sign a release form to allow Microsoft to use
the document. 


12.   Policy WG Update: The group reviewed section 5 and there was a
discussion on Trusted Roles. Ben sent around a draft to the working group. 


13.   Information Sharing WG Update: No update, meeting every other Friday.


14.   Other Business: The Fall meeting date in Redmond was decided to be on
October 18-20. There are 38 people signed up for Bilbao and more are
expected. Members are urged to make hotel reservations quickly as rooms are
selling out in many properties. Dean asked for members to send him agenda


15.   Next teleconference scheduled for April 14th 


16.   Meeting adjourned 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160419/ca6ee06e/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160419/ca6ee06e/attachment.p7s>

More information about the Public mailing list