[cabfpub] Minutes of CA/B Forum call Dec 10th 2015

Dean Coclin Dean_Coclin at symantec.com
Mon Jan 11 17:54:58 UTC 2016



Attendees: Atsushi Inaba, Atilla Biller, Ben Wilson, Bruce Morton, Burak
Kalkan, Davut Tokgoz, Dean Coclin, Dimitris Zacharopoulos, Doug Beattie,
Eddy Nigg, Jeremy Rowley, Kirk Hall, Li-Chun Chen, Mads Henriksveen, Patrick
Tronnier, Peter Miscovic, Rick Andrews, Robin Alden, Ryan Sleevi, Sisel
Hoel, Tim Hollebeek, Tim Shirley, Tyler Myers, Wayne Thayer, Wendy Brown


1.       Antitrust Statement Read


2.       Roll Call completed


3.       Agenda Reviewed.  New topic on LV certificates added.


4.       Minutes of 12 November meeting: The minutes were approved and will
be publicized.


5.       Ballot Status: Ben is updating github with new policy working group
ballots. A new policy working group ballot (159) is forthcoming for section
4 of the BRs. Ballot 157 (amend IPR) has been assigned but not yet balloted.


6.       Proposed "LV" Certificates: Jeremy brought forward an item
regarding "LV" or Legacy Verified certificates. This was brought up by
Facebook and Cloudflare in order to find a better way to deprecate the SHA-1
certificates. They would be distinguished by an OID. Jeremy didn't have a
specific proposal but just wanted to get a feel how forum members thought
about it.  Dean asked how this improves the security of the ecosystem?
Jeremy said that older browsers would have no security (if they don't work
with SHA-2) so this provides some security to them (since they can't move to
SHA-2). Kirk said he has some sympathy for the older browsers but is
concerned about enforceability. Jeremy said the website would use SHA-2
first but fall back to SHA-1 if there was an issue. Wayne said the
enforcement should be in the browsers by blocking SHA-1. Kirk said it comes
down to allowing some encryption (via SHA-1) or no encryption by not
allowing it. Wayne said that sites could conceivable get a 3 year SHA-1 cert
from some CAs now and avoid this issue.


7.       Domain Validation Ballot:   The Validation Working Group went
through 5 remaining questions and is working through "random values" and
"test certs". He is hoping to have something for full review at the
Scottsdale meeting, if not sooner. 


8.       Membership Applications: We received a membership application from
the Ministry of Interior of Korea. All items were in order. No objections
from the Forum members. Full membership approved. A second application was
received from Amazon Trust Services for Associate membership (while waiting
for completion of their WebTrust audit). Membership approved.


9.       PAG Status: Ben said that Gerv had asked what the transition period
would be if we adopt the new IPR policy. What would the disclosure framework
be? Ben assumed we would give people 30-60 days to submit exclusions. Dean
suggested if a new IPR ballot had to be adopted, then members will need
considerable time for their corporate attorneys review it. The normal 2 week
period is too short and will likely fail because folks won't have time to
review. Kirk and Ryan suggested we be clear about how the policy affects
members and structure a timeline accordingly. Ben suggested that anyone that
would like to discuss further, stay on the call for a short meeting. 


10.   Validation WG Update: Kirk said there was some discussion about
proceeding with the IPR ballot before the domain validation ballot. Ryan
said they are related and we need to understand how it affects existing
disclosures as this will affect the timing. If we do domain validation
before modifying IPR policy, there is some ambiguity as to whether it will
apply. This is Google's concern. Kirk said there is another path: Pass DV
first, pass IPR second and re-pass DV. Kirk also said that a CA using "any
other method" could be violating someone's patent and not know it. Ben
suggested holding off on the DV ballot until IPR passes. Kirk said the
danger is that it could be a year off. Ryan asked if that is realistic given
that we have 60 days as a limit in the current IPR for ballots. He thought
it was doable much more quickly. One-two months to review ballot followed by
1 week voting period. Kirk suggested that companies that do not sign be
suspended from membership, rather than kicked out of the program as he feels
many legal departments will not start looking at it until it becomes a
formal ballot. But we need straw man dates to kick this off. 


11.   Code Signing WG Update: Ballot voting starts today to approve the Code
Signing Baseline Requirements. Dean and Jeremy met with the WebTrust Task
Force to review the document. Some minor comments received and will be
incorporated in the next release of the doc. 


12.   Policy WG Update: Update already given above in terms of the ballots.


13.   Information Sharing WG Update: Meeting tomorrow. 


14.   Other Business: Dates for Bilbao meeting: Seems to be conflicts for
the weeks of June 7th and June 21st so we are looking at the week of June
14th. Wayne cannot make it then. Need to check with Gerv. Inigo will be
absent for 1 evening.  For the February meeting, the wiki registration is
open. The hotel has been selected and guests should book it per the
instructions on the wiki. Meeting will be held at the GoDaddy office in
North Scottsdale. Attendees should book their hotel now as rooms in
Scottsdale are at a premium in February. A shuttle to the meeting will be
provided from the hotel. 


15.   Next teleconference scheduled for January 7th


16.   Meeting Adjourned

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160111/b7c60566/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160111/b7c60566/attachment.p7s>

More information about the Public mailing list