[cabfpub] Final minutes of CA/B Forum call October 13th 2016
Dean Coclin
Dean_Coclin at symantec.com
Sun Oct 30 14:12:47 UTC 2016
Final Minutes October 13th, 2016
Attendees: Andrew Whalley (Google), Alex Wight (Cisco), Atsushi Inaba
(Globalsign), Ben Wilson (Digicert), Billy VanCannon (Trustwave), Bruce
Morton (Entrust), Curt Spann (Apple), Dean Coclin (Symantec), Dimitris
Zacharopoulos (Harica), Gervase Markham (Mozilla), Josh Purvis (Cisco),
Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen
(BuyPass), Peter Bowen (Amazon), Peter Miscovic, (Disig), Rick Andrews
(Symantec), Robin Alden (Comodo), Ryan Sleevi (Google), Steve Medin
(Symantec), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia
Fournier (Apple), Wendy Brown (FPKI)
1. Roll Call
2. Antitrust Statement was read by Robin
3. Review Agenda - no changes
4. Approve Minutes of Sept. 29th - Dean asked if there were any
edits to the draft minutes which was done by memory since the recording
failed. These were approved. The minutes from September 15th were approved
on the last call but some corrections were noted after approval. These were
sent out to the list. Hearing no objections, these are now re-approved.
5. Ballot Status
There are no open ballots at this time. Dean mentioned that we would like to
fix the IPR issues before re-starting ballots. Kirk said he will propose a
"way forward" on ballots. Gerv commented that the issue with new ballots is
that you do a 30 day IPR review, rather than a 60 because it's a change
rather than a whole document. But that assumes that when you do a change,
the thing you are changing has already had a review so you are only
reviewing the change. This makes the status of the change somewhat
uncertain. Kirk said that is one interpretation. But this would mean that we
couldn't have any new ballots for 2.5-3 months and we don't want to wait
that long. Peter said the challenge we have is that the requirement in our
bylaws is that we have approved guidelines. If we start trying to do
ballots, we will have exclusions pointed out. Ben said we have exclusions
with the maintenance guidelines. Peter said in general (contrary to other
standards organizations) we modify our guidelines way more times. Virginia
said that you normally send out the whole guideline but highlight the new
language. Going forward we would highlight the new language and exclusions
would only apply to that highlighted part. Peter said we need a clean
version first. Ben suggested we create an entire "set" but remove sections
that have had exclusion notices filed (by Symantec and GoDaddy) and adopt
that as the base document (as it would be unlikely that exclusions would
come out). Gerv said we should go with the 3 ballot plan but that is not the
issue we are discussing. Some suggested that the safest thing to do is not
pass any ballots but others suggested that this is not realistic. Kirk and
Ben are working on a document to move this forward.
Affiliate Voting: Kirk said we need to clearly define affiliates in the
bylaws as a first step. Peter said we have a definition in the IPR
agreement. Kirk and Peter discussed the definition Ben said he would like to
see control be less than 51%. Peter pointed out that Qihoo has 84% ownership
in 2 other CA/B Forum members. Kirk proposed some language which Gerv said
could be passed without waiting for the IPR ballots to pass.
6. Continuing the discussion on CAA:
Rick said that Mozilla and Google are clearly in favor of hard fail and
wanted to know the position of some of the CAs. Gerv said that 26 of the
Alexa top million are using CAA hence it is underused and stories about
massive failures are overblown. He preferred to start out with hard fail and
then hear from CAs afterwards if we need to back off from this. Gerv went on
to say that if the CA/B Forum doesn't act on CA, then he would talk to his
team about making it a root program requirement. Therefore if CAs would like
some control of the CAA 'destiny', it should be done in the forum in a
timely manner. Bruce said he would favor it for new customers but for
existing customers who have bought lots of certs in the past, it could be a
problem if someone in the company inadvertently changes their CAA record,
unbeknownst to the other division, department, etc. Peter further commented
that such a policy could include a memo to the requestor that you've
successfully performed all the validation but are blocked from issuing due
to the customer's CAA record. Ben said that's a lot of work for nothing.
Bruce commented that this prevents issuance to a customer that you may have
issued hundreds of certs for. Peter said that's because they may have told
you not to by changing the CAA record. Bruce said that it might have been
done by a person on the DNS team who is not responsible for the certs. Peter
asked what other method exists for the requestor to tell CAs they only want
CA "X" to be the issuer for their certs. Gerv said this solves the problem
of any public CA can issue for any domain in the world. Kirk said he is not
aware of any case where this has worked. Gerv said that's because CAA is not
widely deployed. Ryan said that CAA has prevented mis-issuance for Google's
domains. Kirk suggested that a requirement could say that CAs could specify
in section 4.2.1 what the exact name they want in a CAA record. Peter said
it's already required to put a domain name in there. Kirk said that
"malformed" CAA records should be checked (he listed "Entrus" vs. "Entrust"
as 1 example). Peter said the CAA record contains more info than that (and
is clearly specified by the RFC). If the property tag is correct, then it's
not up to the CA to decide if it's a known CA or not. Ryan said the RFC
covers every permutation and byte sequence possible in this field and unless
it matches yours, you cannot issue. Rick said this has been a great
discussion but we are no closer to understanding which CAs are for/against
hard fail. Bruce said they prefer hard fail for new customers but not for
existing customers. Dean suggested a straw poll be taken at the face to face
meeting.
7. Governance Change Working Group update. A much more detailed
meeting will take place at the F2F where the latest proposal would be
presented.
8. Validation Working Group Status. No meeting this week.
9. Policy Review Working Group. Ben said they are still working
on Dimitris' redlines regarding the use of the word "CA". This will be
continued at the F2F. Kirk asked what the objective of this was. Dimitris
explained that the current document is confusing in its definition when it
uses the term "CA", "Root CA", "CA issuer" and other areas.
10. Application of current IPR policy. Kirk recapped that Peter had
a good idea on how to solve and will work with Ben to get a draft out.
Further discussion will occur at the F2F next Wednesday.
11. Associate Membership application from SSL.com: SSL.com has a
point in time audit, not a period audit, hence is applying for Associate
membership. All items received were in order. Their application was granted.
12. WoSign/Startcom/Qihoo 360 discussion: Dean said we need to
determine which of these 3 entities would like to be the official forum
member. More discussion will occur at the F2F.
13. SHA-1 exception: Dean said that the current applicant is now
almost at the end of the process and the only questions have come through
have been from Mozilla. Trustwave said they are working with TNS to submit
their application. Dean said they are waiting to hear from browsers soon so
they can have approval to issue and that they TBS certs contained an issue
date of Oct. 14th. Gerv said that would be ok (the backdating). Peter
suggested we take a look at this procedure next week and get some "lessons
learned" if we have time.
14. Ballot 178: Ben Wilson has been elected vice-chair of the
Forum.
14. Any Other Business - Dean said that the spring meeting Doodle
poll results indicate a preference for the week of Feb. 8th, 2017.
15. Next Forum teleconference will be on October 27th.
16. Adjourn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161030/66742780/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5723 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161030/66742780/attachment.p7s>
More information about the Public
mailing list