[cabfpub] Final Minutes of CA/B Forum call Jan 7th 2016

Dean Coclin Dean_Coclin at symantec.com
Thu Jan 21 22:16:39 UTC 2016

Final Minutes 


Attendees: Atsushi Inaba, Ben Wilson, Bruce Morton, Burak Kalkan, Connie
Enke, Dean Coclin, Dimitris Zacharopoulos, Gervase Markham, Jeremy Rowley,
Kirk Hall, Li-Chun Chen, Marcelo Silva, Mat Caughron, Moudrick Dadashov,
Patrick Tronnier, Peter Bowen, Peter Miscovic, Rich Smith, Rick Andrews,
Robin Alden, Sigjborn Vik, Tim Hollebeek, Tim Shirley, Tyler Myers, Volkan
Nergiz, Wayne Thayer


1.       Antitrust Statement Read by Kirk


2.       Roll Call completed


3.       Agenda Reviewed.  Guest speaker on LV certificates could not


4.       Minutes of 10 December meeting: The minutes were approved and will
be sent to the public list.


5.       Policy Working Group Ballot Status: Ben posted a proposed ballot
for Section 4 of the BRs and is discussing it on the list. A minor comment
from Sig was mentioned and agreed to by the ballot endorsers. Ben will
circulate an update. Section 5.1 will be the next ballot (160). The working
group will be discussing section 5.2 next. Dean noted an email comment from
Ryan Sleevi had not been addressed and Ben said he would look for it. 


6.       Proposed "LV" Certificates: Jeremy said that we should come up with
a better way of deprecating things that need to be deprecated. The recent
SHA-1 experience highlights this. Although the LV cert proposal probably
won't pass, it does illustrate the need for a better way for deprecation.
Dean said the proponents of LV published some information but follow-up
questions from Peter Bowen asking for additional details were never
provided. Peter's data showed that 7.5% of Mozilla connections were not
coming from NSS (Peter's call connection dropped while talking). Jeremy said
he will communicate this to the proponents but doesn't believe they will
push it further. Jeremy continued by saying this process was painful for
many. Dean commented that he saw Mozilla was rolling back a change they
instituted on SHA-1 as proof that it's not easy. Jeremy suggested that we
move this topic to a working group, likely the Policy WG. But he wasn't sure
what algorithm migration topic would come up next. Rick said it could be
towards NIST/NSA "quantum-resistant" key sizes (i.e. RSA 3072 and ECC 256),
as an example. Dean thought the "internal name" issue was handled well, with
less complaints, possibly because it was well documented and a timeline was
agreed to by all. 


7.       Proposed Mis-Issuance ballot:   Sig gave an update on the proposed
ballot. The intention is to get mis-issuance out in the open as he believes
this will increase the overall security of the ecosystem. The goal is to get
the info out there, the details don't have to be perfect. Dean mentioned a
concern that came from a UK partner about SSL certs they issue for the UK
tax authority which contain some private info (this was brought up several
months ago) and asked Gerv if he had looked into it. Gerv thought the issue
was resolved a while ago. Peter B said the ballot should be changed and a
new mailing list should be created for reporting purposes. A discussion
about having this in individual root store requirements vs. the BRs ensued.
Kirk said there was one reason in favor of that.  If it is in the BRs, and
the CA doesn't report it, then the CA should fail its next WebTrust audit.
Whereas if it's simply a Browser root program requirement, it's not an
automatic WebTrust failure and the browsers can decide the appropriate
penalty without failing the audit. Sig said that doesn't really matter as
the root store will still decide what to do in either case. Jeremy agreed
with Kirk, in that the root program rules is a better place. The CA/B Forum
isn't in the business of reporting issues or a repository as we are more of
a standards body. Rick said Microsoft's root policy says you have to
disclose mis-issuance (not defined) to Microsoft. Jeremy said that is good
because a discussion with the root program can be had to determine if it
needs to be disclosed. Mat said clarity should be made in what needs to be
disclosed. Apple would also weigh a failed audit heavily. Dean clarified
that there hasn't been a "failed" audit. Rather there are "findings" that
are disclosed to the browsers which decide what action, if any, they want to
take. Jeremy said this is called a "qualified audit". Mat said they are in
favor of more reporting rather than less. Jeremy agreed but said that this
reporting should be to the browsers not the forum. Mat agreed. Dean said, as
a corollary, during the development of the code signing BRs, there was
discussion about having the forum be the repository for the "bad actors"
list but that idea was turned down as the forum is not in the business of
managing such a list. Sig said the intent is to make the disclosure public
instead of a CA publishing something "hidden" that wouldn't necessarily be
seen and that the Forum is a nice mechanism for that. Peter said the Forum
is really a standards group and isn't the right place for this. 


8.       Discussion of "generic names": Dean said the context is the
creation of an intermediate CA and the rules in the BRs surrounding this.
One of the rules is that the names cannot be generic. Peter gave an example
in an email of a name, "Admin-Root" which would be considered generic and
wouldn't be allowed. Dean asked about "Admin-Root-CA GmbH" since it could be
a registered name in Germany. Dean believes the rule was instituted so that
relying parties could find out who the issuer of the cert is and hence a
registered name would allow for that. Jeremy said as further context, if a
CA operated a sub CA for Company A within the CA's infrastructure, then you
might want to indicate this in the cert. Peter said the way the BRs read, it
could also be a trademark. Shouldn't be an issue for something that can pass
standard OV validation. A discussion on trademark names ensued. Kirk agreed
with Peter that as long as it's a registered trademark, it should be ok, as
long as it's not misleading. He also said it's up to CAs to turn down
customer requests if the CA feels it doesn't meet the rules and if they are
not comfortable with it. Perhaps a revision to this section is necessary to
include only Org validated names. 


9.       PAG Status: Ben said a ballot will be coming on the new IPR policy
with an effective date of 1 February. The ballot will give companies 30 days
to sign the agreement and 60 days to disclose patents. Peter said he had not
seen the pre-ballot. Ben said he will circulate it again. 


10.   Validation WG Update: Kirk said a call is scheduled for next week. He
will send out some info to the working group in preparation for the meeting.


11.   Code Signing WG Update: Dean reviewed the ballot results. The working
group respects the vote of the forum but is not disbanding. A meeting is
planned for next week to discuss other options for the work product. The
forum will be updated once the working group comes up with a plan. 


12.   Policy WG Update: No further update.


13.   Information Sharing WG Update: The CyberSecurity Act of 2015 passed
and was signed the US President. It provides liability protection for
sharing information. 


14.   Other Business: Scottsdale meeting: all attendees should book hotels
on their own with information provided on the wiki. If you are unable to
book online, then call the hotel directly. Please continue to sign up on the
wiki. We have about 25 participants signed up so far. 


Dates for Bilbao meeting: Dean sent out an expanded poll for Bilbao dates.
The week of May 17th seems to be the new favorite. Dean will confirm before
the next call. 


15.   Next teleconference scheduled for January 21st


16.   Meeting Adjourned

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160121/2ffcc212/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160121/2ffcc212/attachment.p7s>

More information about the Public mailing list