[cabfpub] Final Minutes of CA/B Forum Call April 28, 2016

Thu May 12 19:45:48 UTC 2016

Final minutes April 28, 2016

Attendees: Andrew Whalley (Google), Alex Wight (Cisco), Atsushi Inaba
(Globalsign), Ben Wilson (Digicert), Billy VanCannon (Trustwave), Cap Hayes
(Cisco), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Doug
Beattie (Globalsign), Gervase Markham (Mozilla), JC Jones (Mozilla), Jeremy
Rowley (Digicert), Jody Cloutier (Microsoft), Li-Chun Chen (Chunghwa
Telecom),Mads Henriksveen (BuyPass), Moudrick Dadashov (SSC), Neil Dunbar
(Trustcor), Patrick Tonnier (OATI), Peter Bowen (Amazon), Rich Smith
(Comodo), Rick Andrews (Symantec), Robin Alden (Comodo), Ryan Sleevi
(Google), Sissel Hoel (Buypass), Tim Hollebeek (Trustwave), Tim Shirley
(Trustwave),Volkan Nergiz (TurkTrust), Wayne Thayer (GoDaddy)

1.       Roll Call completed.

2.       Antitrust Statement was read by Robin.

3.       Agenda Reviewed.  

4.       Minutes of 14 April meeting: The minutes were approved and will be
sent to the public list.  

5.       Ballot Status: Ballots 167 failed due to lack of quorum (as some
concerns were raised during voting period) but Peter has posted a revised
ballot (168) and has found endorsers (Harica and Comodo). Therefore the
ballot is "live" and in the review period. It's primarily the same as ballot
167 but the language around RFCs has been removed as the focus is 100% on
corrections. One of the big items corrected is the OCSP reference to RFC
6960 from the old 2960 (which now allows for SHA2).  Peter asked everyone to
please review and make comments during the review period.

6.       Domain Validation draft ballot and IP/SAN proposal: A draft of the
ballot has been sent out and is seeking 2 endorsers. Jeremy said the changes
were minor and are evident in the ballot based on input from the group. He
would like to get it endorsed by this Friday. Regarding the IP/SAN address
proposal, Jeremy said Microsoft products below Win 10 don't support IP
address in the IP address field of the SAN extension. It must be in the DNS
field of the SAN extension (unless it's the only name in the certificate).
Digicert said they found about 2000 certs issued with the IP address in the
DNS name in the wild which is currently prohibited by the BRs. 1500 of these
certs included them both in the IP address and the DNS name, which works
fine. Jeremy said there seemed to be a current unawareness of this in the
BRs by CAs and they have customers asking them to do it but Digicert is
rejecting them. Customers said there wasn't a logical decision to
prematurely deprecate Windows products prior to version 10. Digicert would
like an extension to permit inclusion of the IP address in the SAN
extension. Jeremy said Ryan had raised 2 objections, namely it would break
technical constraints and it doesn't comply with RFC 5280. Ryan expressed
disappointment in that it's been roughly 17 years since the RFC was passed
and CAs are just now noticing this. Jeremy said that's because Microsoft
needed it for their products. However he noted that the one big customer
that was using it no longer needs it. Ryan said he had put forth a technical
solution 8 months ago and that seems to work for most customers but for 1
exception which dealt with an old SSL load balancer from a very small
manufacturer. Ryan wondered what other customers need it and why, given his
previous solution proposal. Jeremy said that 2000 have been issued by
various CAs across a broad spectrum so someone must need it. Dean said it
sounds like a reminder needs to be sent to CAs and perhaps an advisory to
users (similar to the Internal Name doc on the CA/B Forum website). Ben
thought Mozilla would be in a good position to communicate with CAs and
perhaps they could send a reminder. Jody said they are trying to be
responsive to requests from the industry which is telling them they need it.
Jeremy said they no longer need it. However, he thought that Let's Encrypt
had issued a bunch of these certs (although after the call, he corrected
this and said this was an error on his part). Peter clarified that this is
about not allowing IP addresses in the DNS name in the SAN. Dimitris
volunteered to write an advisory document for the forum website. 

7.       Governance Review Working Group.  Dean noted that we now have a
mailing list and a kickoff meeting scheduled for May 4th where the first
order of business will be to elect a chair. The first F2F meeting will be
held during the working group day in Bilbao. 

8.       Formatting issues in CA/B documents: Alex said that it is hard to
search for terms in our documents because of the full justification which is
adding white space and hidden tabs to the text. He liked the idea of making
github the authoritative source for the documents. Peter said the github
source needs a little more work because of some rendering issues. Changing
everything to left justification in the word doc would solve the immediate
problem. Ben said he would make it all left justified and will test it out
so Alex can check it.

9.       IPR: Dean said there are still 4 parties that have not signed the
IPR: Digidentity, SECOM, Visa and Wells Fargo. WF did reach out to Dean and
is reviewing the document. There was also a 60 day window to submit IPR
exclusions which the deadline has now passed (it was 60 days after the IPR
went into effect-Feb 15th). Dean suggested extending that window as we had
not reminded members to do so and many may have simply forgotten about the
deadline (similar to what happened with the signing of the IPR). Ryan said
we could not do that without another ballot. Gerv agreed and said if
challenged in court, the deadline is what was in writing. A discussion as to
whether it should be 60 business or calendar days ensued with Ryan pointing
out that we've never used business days in the past. A further discussion on
what it means to exclude a patent continued.  Dean said we should have sent
reminders. Peter said he did raise it on the mailing list before the
deadline, but Dean said we failed to raise it on the subsequent call. Ryan
noted that Dean sent a reminder but it was on April 21st, past the deadline.
Peter said the appropriate way forward would be a ballot. Ryan said this
rule is about protecting work product from a legal perspective. He
volunteered bringing in the Google attorney who also represents them on
other standards orgs if necessary to work this out. Dean said he would think
about a way forward including proposing a ballot to extend the deadline and
suggested perhaps a follow-up PAG meeting to discuss. Wayne raised an
additional concern regarding the validity of an exclusion notice posted by
Comodo that was only posted to the wiki, which seemed to catch some members
by surprise as it was not posted publicly. Peter thought this was not a
proper exclusion as it did not conform to the requirements. Wayne said that
if we decide to allow for an extension, that full documentation on how to
post the exclusion should be included in the ballot. Peter said that members
may have to go back to their counsels for further details. 

10.   Validation WG Update: No further updates other than the Ballot

11.   Code Signing WG Update: Working group members are signing the
Contribution Agreements. In addition, the group is finishing up some minor
updates before disbanding and expects to complete this in Bilbao. 

12.   Policy WG Update: Ben said the group continues to make progress and
will have some ballots ready soon. 

13.   Information Sharing WG Update: No update. This group will not meet in
Bilbao. 

14.   Other Business: Dean mentioned that Netcraft will host a meeting in
Bath on Sunday May 22nd and members are invited to attend but must let Dean
know ahead of time. The agenda is essentially a "state of the SSL industry"
briefing followed by demos of Netcraft services. The agenda for Bilbao has
been posted on the wiki and Dean is looking for a few more topics to
complete the schedule. 43 people are registered and we are at capacity. 

15.   Next teleconference scheduled for May 12th 

16.   Meeting adjourned 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160512/5f8cad7d/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160512/5f8cad7d/attachment.p7s>