[cabfpub] Final Minutes for CA/Browser Forum Teleconference - August 22, 2019
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Sep 5 15:59:57 UTC 2019
These are the Final Minutes of the Teleconference described in the
subject of this message.
Attendees (in alphabetical order)
Arno Fiedler (D-TRUST), Ben Wilson (Digicert), Daniela Hood (GoDaddy),
Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie
(GlobalSign), Dustin Hollenback (Microsoft), Gordon Bock (Microsoft),
Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox
(GoDaddy), Kenneth Myers (US Federal PKI Management Authority), Li-Chun
Chen (Chunghwa Telecom), Michelle Coon (OATI), Mike Reilly (Microsoft),
Neil Dunbar (TrustCor Systems), Peter Miskovic (Disig), Rich Smith
(Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer
(Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley
(SecureTrust), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera
Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla).
1. Roll Call
The Chair took attendance.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
No changes to the agenda.
4. Approval of minutes from previous teleconference
The minutes from the previous teleconference were approved and will be
circulated to the public list.
5. Forum Infrastructure Working Group update
6. Code Signing Working Group update
Dean mentioned that the Final Guideline will be posted on the public web
site and that he will ask the CA Security Council to update its link. The WG
discussed creating a separate timestamping document and whether
the CSCWG should be re-chartered to include timestamping certificates,
associated with the id-kp-timeStamping EKU, in scope. Dean will discuss
with Bruce to figure out what the plans are.
Ben talked about the need to recharter to make things as clean as
possible. The existing guideline describes timestamping issues and if
the WG were to make any edits to those parts, it would probably be
better to re-charter to specifically include the EKU of time stamping,
as it relates to code signing, and not necessarily try to create a
separate time stamping working group. So, this would be like a first
step and then, if it was necessary, a separate time stamping working
group could be chartered.
Arno mentioned that Europe and European CAs have been issuing qualified
timestamps for almost 15 years and there are well-defined standards and
policies by ETSI about timestamps.
Ryan also mentioned that this was discussed at the last F2F and more
specifically during the S/MIME working group session where re-chartering
was one of the topics. Google is not supportive of the Code Signing
Working Group taking actions on time stamping. He noted that
time-stamping is not a code-signing issue but a broader problem which
needs to be separate from code-signing. He also restated Arno's comment
about the European experience for 15 years and the fact that timestamps
are actively being used along with document signing and archiving. There
is no specific EKU for time stamping in relation only to code signing.
The suggestion was to create a different Working Group with a separate
Dean also added that the Working Group is preparing an information
sharing sheet, so that members know who to contact and when to contact
them for code signing issues, malware, etc.
Gordon asked if the solution to time stamping was the formation of a new
Working Group and Dean replied that there are a couple of options to
consider, one being that the WG doesn't "touch" what's in the current
document and leaves it the way it is.
Ryan also asked whether the WG adopted a document that provides guidance
for time stamping that is outside the charter. Dean responded that the
WG just adopted a document that already existed. He would take this
discussion back to the WG to revisit.
7. Follow-up on new S/MIME WG Charter
8. Any Other Business
Mike asked if Members would be interested in exploring an update to the
name "CA/Browser Forum" for the larger Forum, especially since we have
already added the Code Signing Working Group and will add S/MIME and even
a Time Stamping Working Group.
Tim H was curious about a proposed name. He would be supportive of changing
it. Dean mentioned that we have distinguished Certificate Consumers for
each Working Group but if there are particular proposals that could
better represent the whole Forum, we should discuss further.
Ryan added that the term Application Software Suppliers could be
Arno and Dimitris considered the CA/B Forum a good marketing name which
is widely recognizable. The "brand" name is a very important asset.
Dimitris added a topic for resurrecting the governance subcommittee as
it was discussed at the last F2F. He reminded participants that he sent
an e-mail to the management list a few weeks back and asked if there is
interest in pursuing that. If not, Members would have to individually
tackle some of the bylaw change proposals and present them to the Forum.
Ryan mentioned that Subcommittees need to be formed via ballot, so he
repeated his proposal at the F2F meeting, which was to distinguish the
most pressing matters for governance and create a ballot. The question
is whether we need a Forum subcommittee to work on those issues or if we
should continue to discuss at the Forum's plenary list. Ryan proposed we
start discussing some of these issues on the Forum public list and see
if we can make progress on priorities. Members can also have calls
between themselves, if they need to discuss issues in real time, without
requiring the creation of a Subcommittee. This would help validate
whether we should establish a Subcommittee and whether regular calls
would be beneficial. Popular topics lately include document
version control, flexibility for the Chair or vice-Chair to make
non-normative edits to the Final Guidelines, and Forum Members and
representatives, where practically every Company representative has the
full privileges for voting, participating, posting, etc. These are
important issues that should be discussed and resolved. We have had
governance discussions during the regular plenary forum teleconference
in the past so we could try to continue and see where this leads.
Dimitris agreed to that approach but also mentioned that the Google
document with open issues has listed about 11 issues to be addressed so
we need to prioritize. He will send a new message to the list to get
some more feedback.
Dean reminded Members who plan to attend F2F 48 and 49 to sign up and
update the participant tables on the wiki so that the hosts can plan ahead.
9. Next call
September 5, 2019 at 11:00 am Eastern Time.
F2F Meeting Schedule:
* 2019: November 5-7 – Guangzhou (GDCA)
* 2020: Feb 18-20 – Bratislava (Disig), June – Minneapolis (OATI),
October – Tokyo (GlobalSign)
* 2021: Feb-March Dubai (DarkMatter), June – Poland (Asseco-Certum),