[cabfpub] Final Minutes for CA/Browser Forum Teleconference - August 22, 2019

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Sep 5 15:59:57 UTC 2019 

These are the Final Minutes of the Teleconference described in the 
subject of this message.


    Attendees (in alphabetical order)

Arno Fiedler (D-TRUST), Ben Wilson (Digicert), Daniela Hood (GoDaddy), 
Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie 
(GlobalSign), Dustin Hollenback (Microsoft), Gordon Bock (Microsoft), 
Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox 
(GoDaddy), Kenneth Myers (US Federal PKI Management Authority), Li-Chun 
Chen (Chunghwa Telecom), Michelle Coon (OATI), Mike Reilly (Microsoft), 
Neil Dunbar (TrustCor Systems), Peter Miskovic (Disig), Rich Smith 
(Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer 
(Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley 
(SecureTrust), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera 
Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla).


    Minutes


      1. Roll Call

The Chair took attendance.


      2. Read Antitrust Statement

The Antitrust Statement was read.


      3. Review Agenda

No changes to the agenda.


      4. Approval of minutes from previous teleconference

The minutes from the previous teleconference were approved and will be 
circulated to the public list.


      5. Forum Infrastructure Working Group update

No update.


      6. Code Signing Working Group update

Dean mentioned that the Final Guideline will be posted on the public web 
site and will ask the CA Security Council to update its link. The WG 
discussed about creating a separate timestamping document and whether 
the CSCWG should be re-chartered to include a timestamping certificates, 
associated with the id-kp-timeStamping EKU, in scope. Dean will discuss 
with Bruce to figure out what the plans are.

Ben talked about the need to recharter to make things as clean as 
possible. The existing guideline describes timestamping issues and if 
the WG was to make any edits to those parts, it should probably be 
better to re-Charter to specifically include the EKU of time stamping, 
as it relates to code signing and not necessarily try to create a 
separate time stamping working group. So, this would be like a first 
step and then if it was necessary, a separate time stamping working 
group could be chartered.

Arno mentioned that Europe and European CAs are issuing qualified 
timestamps for almost 15 years and there are well defined standards, 
policies by ETSI about timestamps.

Ryan also mentioned that this was discussed at the last F2F and more 
specifically during the S/MIME working group session where re-chartering 
was one of the topics. Google is not supportive of the Code Signing 
Working Group taking actions on time stamping. He noted that 
Time-stamping is not a code-signing issue but a broader problem which 
needs to be separate from code-signing. He also restated Arno's comment 
about the European experience for 15 years and the fact that timestamps 
are actively being used along with document signing and archiving. There 
is no specific EKU for time stamping in relation only to code signing. 
The suggestion was to create a different Working Group with a separate 
Charter.

Dean also added that the Working Group is preparing an information 
sharing sheet, know who to contact, when to contact for code signing 
issues, malware etc.

Gordon asked if the solution to time stamping was the formation of a new 
Working Group and Dean replied that there are a couple of options to 
consider, one being that the WG doesn't "touch" what's in the current 
document and leave it the way it is.

Ryan also asked whether the WG adopted a document that provides guidance 
for time stamping that is outside the charter. Dean responded that the 
WG just adopted a document that already existed. He would take this 
discussion back to the WG to revisit.


      7. Follow-up on new S/MIME WG Charter


No update.


      8. Any Other Business

Mike asked if Members would be interested to explore about updating the 
name "CA/Browser Forum" for the larger Forum especially since we have 
already added Code Signing Working Group, will add S/MIME and even Time 
Stamping Working Group.

Tim H was curious about a proposed name. Would be supportive of changing 
it. Dean mentioned that we have distinguished Certificate Consumers for 
each Working Group but if there are particular proposals that could 
better represent the whole Forum, we should discuss further.

Ryan added that the term Application Software Suppliers could be 
resurrected.

Arno and Dimitris considered the CA/B Forum a good marketing name which 
is widely recognizable. The "brand" name is a very important asset.

Dimitris added a topic for resurrecting the governance subcommittee as 
it was discussed at the last F2F. He reminded participants that he sent 
an e-mail to the management list a few weeks back and asked if there is 
interest in pursuing that. If not, Members would have to individually 
tackle some of the bylaws changes proposals and present them to the Forum.

Ryan mentioned that SubCommittees need to be formed via ballot so he 
repeated his proposal at the F2F meeting which was to distinguish the 
most pressing matters for governance and create a ballot. The question 
is whether we need a Forum subcommittee to work on those issues or if we 
should continue to discuss at the Forum's plenary list. Ryan proposed we 
start discussing some of these issues on the Forum public list and see 
if we can make progress on priorities. Members can also have calls 
between themselves, if they need to discuss issues real time, without 
requiring the creation of a Subcommittee. This would help validate 
whether we should establish a Subcommittee and whether regular calls 
would be beneficial. One of the popular topics lately is the document 
version control, flexibility for the Chair or vice-Chair to make 
non-normative edits to the Final Guidelines, Forum Members and 
representatives where practically every Company representative has the 
full privileges for voting, participating, posting, etc. These are 
important issues that should be discussed and resolved. We have had 
governance discussions during the regular plenary forum teleconference 
in the past so we could try to continue and see where this leads to.

Dimitris agreed to that approach but also mentioned that the Google 
document with open issues has listed about 11 issues to be addressed so 
we need to prioritize. He will send a new message to the list to get 
some more feedback.

Dean reminded Members that plan to attend F2F 48 and 49 to signup and 
update the participant tables on the wiki so that the hosts can plan ahead.


      9. Next call

September 5, 2019 at 11:00 am Eastern Time.


      Adjourned


      *F2F Meeting Schedule: *

  * 2019: November 5-7– Guangzhou (GDCA)
  * 2020: Feb18-20 Bratislava (Disig), June – Minneapolis (OATI),
    October – Tokyo (GlobalSign)
  * 2021: Feb-March Dubai (DarkMatter), June – Poland (Asseco-Certum),
    October [Open]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20190905/76afb313/attachment-0002.html>

More information about the Public mailing list