[cabfpub] Draft Agenda for CA-Browser Forum conference call on January 7th

Sigbjørn Vik sigbjorn at opera.com
Thu Jan 7 13:02:33 UTC 2016


On 07-Jan-16 12:16, Doug Beattie wrote:
> Do we have a clear definition of what we mean by misissued?

The ballot states "In the event that a CA issues a certificate in
violation of these requirements".

> For the most
> part I understand, but here's one topic I'm not sure about: Peter posted a
> list of certificates that didn't exactly follow proper encoding of IP addresses,
> are all of these in violation of the BRs and would these need to be
> reported?

If the BRs require certificates to properly encode IP addresses, and a
certificate doesn't, then that certificate would be issued in violation
of the BRs. It would thus need to be reported.

Whether or not a certificate is in violation of the BRs may in some
cases be debatable. That would be an ambiguity elsewhere in the BRs, not
in this ballot, and should be clarified where the ambiguity exists.

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Sigbjørn Vik
> Sent: Thursday, January 7, 2016 3:28 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Draft Agenda for CA-Browser Forum conference call on
> January 7th
> 
> Some background on the misissuance ballot, before the discussion in the
> meeting today.
> 
> This proposal has several intended benefits, and publication of misissued
> certificates is key to achieving these:
> * Openness and transparency benefits the industry at large, in particular in
> getting the public to trust it.
> * Full details allow researchers to look for patterns and find weak spots,
> or tempting targets.
> * It allows e.g. browsers to implement targeted protections.
> * It allows stakeholders to better understand what happened, and ask
> relevant follow-up questions.
> * It allows CAs to learn from each other, which will strengthen the overall
> industry.
> * It gives CAs a real incentive to avoid misissuance.
> * It gives subscribers a way to check on CAs' past history.
> * It gives subscribers an incentive to pick secure CAs over cheap CAs.
> 
> The ballot proposal:
> 
> 2.2.1 Notification of incorrect issuance
> 
> In the event that a CA issues a certificate in violation of these
> requirements, the CA SHALL publicly disclose a report within one week of
> becoming aware of the violation.
> 
> public at cabforum.org SHALL be informed about the report. If the CA cannot
> post directly, it SHALL inform questions at cabforum.org, and the CA/B Forum
> chair SHALL forward to the list.
> 
> The report SHALL publicize details about what the error was, what caused the
> error, time of issuance and discovery, and public certificates for all
> issuer certificates in the trust chain.
> 
> The report SHALL publicize the full public certificate, with the following
> exception: For certificates issued prior to 01-Mar-16 the report MAY
> truncate Subject Distinguished Name fields and subjectAltName extension
> values to the registerable domain name.
> 
> The report SHALL be made available to the CA's Qualified Auditor for the next
> Audit Report.
> 
> 
> On 06-Jan-16 18:43, Dean Coclin wrote:
>> I’ve added one item to the agenda during the former open slot.
>>
>> Dean
>>
>> *From:* public-bounces at cabforum.org 
>> [mailto:public-bounces at cabforum.org]
>> *On Behalf Of *Dean Coclin
>> *Sent:* Tuesday, January 05, 2016 10:10 AM
>> *To:* CABFPub <public at cabforum.org>
>> *Subject:* [cabfpub] Draft Agenda for CA-Browser Forum conference call 
>> on January 7th
>>
>> Here is the agenda for the first Forum call of 2016. We have one open
>> slot if someone has anything new to discuss.
>>
>> *Note: Please announce yourself when dialing in. This helps in
>> documenting attendance when recording is played back later.*
>>
>> /Antitrust Statement/: As you know, this meeting includes companies 
>> that compete against one another. This meeting is intended to discuss 
>> technical standards related to the provision of existing and new types 
>> of digital certificates without restricting competition in developing 
>> and marketing such certificates. This meeting is not intended to share 
>> competitively-sensitive information among competitors, and therefore 
>> all participants agree not to discuss or exchange information related to:
>>
>> (a) Pricing policies, pricing formulas, prices or other terms of sale;
>> (b) Costs, cost structures, profit margins,
>> (c) Pending or planned service offerings,
>> (d) Customers, business, or marketing plans; or
>> (e) The allocation of customers, territories, or products in any way.
>>
>>
>> *Here is the proposed agenda:*
>>
>> *Time | Start(UTC) | Stop  | Slot | Description | Notes / Presenters*
>> (Thur) 7th January 2016
>> 0:01 | 16:00 | 16:01 | 1  | Read Antitrust Statement | Robin
>> 0:02 | 16:01 | 16:03 | 2  | Roll Call | Dean
>> 0:01 | 16:03 | 16:04 | 3  | Review Agenda | Dean
>> 0:01 | 16:04 | 16:05 | 4  | Approve Minutes of 10 Dec 2015 | Sent by Dean on Dec 21st
>> 0:05 | 16:05 | 16:10 | 5  | Upcoming Policy WG Ballots | Ben
>> 0:15 | 16:10 | 16:25 | 6  | Any further discussion on LV certs? | Jeremy and potential guest speaker
>> 0:10 | 16:25 | 16:35 | 7  | Proposed “Mis-issuance” Ballot from Opera | Sigbjorn
>> 0:05 | 16:35 | 16:40 | 8  | Discussion of “generic names” as mentioned in BR 7.1.2.2.h | Dean
>> 0:05 | 16:40 | 16:45 | 9  | PAG Status? and upcoming ballot | Ben
>> 0:05 | 16:45 | 16:50 | 10 | Validation Working Group Status Update and proposed ballots | Jeremy/Kirk
>> 0:02 | 16:50 | 16:52 | 11 | Code Signing Working Group Status: Ballot results and next steps | Dean
>> 0:02 | 16:52 | 16:54 | 12 | Policy Review Working Group Status Update | Ben
>> 0:02 | 16:54 | 16:56 | 13 | Information Sharing Working Group Update | Ben
>> 0:03 | 16:56 | 16:59 | 14 | Any Other Business – Bilbao date adjustment, update on Feb F2F meeting | Dean
>> 0:00 | 17:00 | 17:00 | 15 | Next teleconference scheduled for Jan 21st. |
>> 0:00 | 17:00 | 17:00 | 16 | Adjourn |
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
> 
> 
> --
> Sigbjørn Vik
> Opera Software
> 


-- 
Sigbjørn Vik
Opera Software
