[cabfpub] Final minutes for CA/Browser Forum Teleconference - December 8, 2022

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Jan 9 15:37:27 UTC 2023


These are the final minutes of the Teleconference described in the 
subject of this message.

*Attendees (in alphabetical order)*
Adam Jones (Microsoft), Andrea Holland (SecureTrust), Atsushi 
INABA (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cassie 
L'Heureux (GoDaddy), Chris Clements (Google Chrome), Chris Kemmerer 
(SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey 
Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert), Dimitris 
Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin 
Hollenback (Microsoft), Enrico Entschew (D-Trust), Fumi Yoneda (Japan 
Registry Services), Joanna Fox (TrustCor), Johnny Reading (GoDaddy), Luis 
Cervantes (GoDaddy), Lynn Jeun (VISA), Mads Henriksveen (Buypass), 
Michelle Coon (OATI), Nargis Mannan (SecureTrust), Paul van 
Brouwershaven (Entrust), Peter Miskovic (Disig), Rebecca Kelley (Apple), 
Rollin Yu (TrustAsia), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM), 
Thomas Zermeno (SSL.com), Tim Hollebeek (DigiCert), Tobias 
Josefowitz (Opera), Trevoli Ponds-White (Amazon), Tyler Myers (GoDaddy), 
Wendy Brown (FPKI), Yoshiro Yoneya (JPRS).


  Minutes


*1. Roll call*
The Chair (Dimitris Zacharopoulos) took attendance

*2. Read Antitrust Statement*
The antitrust statement was read

*3. Review Agenda*
Today’s agenda was approved

*4. Approval of minutes of last call and F2F#57*
The minutes of the last call and of the F2F#57 were approved.

*5. Forum Infrastructure Subcommittee update*
Jos Purvis couldn't attend today and asked Ben Wilson to give the update:

  * The Infrastructure Subcommittee is experimenting with a new wiki
    based on BookStack <https://www.bookstackapp.com/>. Jos is working on
    a script to import all content from the old wiki. Members can
    contact Jos if they would like to test the new wiki.
  * There is some work for the website, such as the minutes that need to
    be updated to associate them with each of the working groups.

*6. Code Signing Certificate Working Group update*
Bruce Morton gave the update. The working group had a long meeting and 
is working on three main items that have not been completed yet:

  * Updates to the PR for revocation due to a signature on malware
  * Still working on updating the signing service item
  * Working on a ballot to remove references to the SSL BR

Tim Hollebeek commented that he double checked and that there is no need 
for a transition timeline for the signing service to require FIPS 140-2 
level 3.

*7. S/MIME Certificate Working Group update*
Stephen Davidson joined late, and Tim Hollebeek agreed to provide the 
update.

  * The group discussed a proposal to move to a less frequent, more
    predictable schedule of effective dates. Maybe twice a year but with
    the option to have emergency updates. Dimitris Zacharopoulos added
    that we will discuss the same topic later in this call.
  * Bruce Morton mentioned that the group talked about allowing the QIIS
    for just a couple of items to help validate address and the reliable
    method of communication. Tim Hollebeek added that there are
    definitely some good discussion points there and that he is glad
    Bruce spotted this.
  * Stephen joined late and added that some information about CAA has
    been shared on the mailing list around the work that is happening in
    the LAMPS working group of the IETF.

*8. NetSec Working group report*
Clint Wilson gave the update.

  * The group talked about changing the meeting time as there are a few
    people that have been unable to attend lately. A straw poll will be
    sent out to see if there are people that would attend NetSec
    meetings, if it was at a different time, and try to figure out if we
    can find a schedule that works to allow us more folks to attend.
  * We have been working on the red-lines ballot that Ben Wilson has
    been spearheading, and we have spent a fair amount of time on the
    fundamentals around offline CAs, powered off CAs, air gapped CAs,
    what these different states mean, and what we can expect or should
    be able to expect them to mean.

*9. 2022-2024 CA/B Forum Plans - Strategy - Tasks*
Dimitris Zacharopoulos explained that he took a lot of feedback at the 
latest face to face meeting and had a couple of meetings with Paul van 
Brouwershaven (the vice chair) and other folks to put together a couple 
of slides for this call.

The slides can be reviewed here:

  * https://cabforum.org/wp-content/uploads/CA_B-Forum-2022-2024.pdf

Dimitris presented the slides; the following items try to cover the 
discussions:

  * Issues with Bylaws and some of the working group Charters
      o Discussion about how we notify people of their obligation to
        comply with the forum policies such as the anti-trust statement
        and code of conduct.
          + Dean Coclin reminded that we looked into having a splash
            screen in WebEx like some other groups have but that our
            subscription does not support this.
          + Dimitris suggested that he could show a slide at the
            beginning of the meeting; Trevoli Ponds-White reminded that
            call-in users would not be able to see this slide. Tim
            Hollebeek commented that IETF uses a similar approach.
          + Trevoli suggested that we might also have it in the
            description of the agenda item. Tim stated that this is the
            only one that he has heard legal object to because nobody
            reads meeting invites.
          + Bruce Morton stated that we might all agree but that this
            might be a topic for a lawyer to look at.
  * Some tasks for the Infrastructure subgroup
      o Paul van Brouwershaven states that he had a conversation with
        Martijn Katerbarg (who could not be on the call) about the
        management and automation of the ballot process in the new
        member tools. Martijn agreed to investigate and estimate the work.
  * Define specific release cycles for Guidelines
      o Two dates per year (March 15, September 15)
      o Emergency guidelines would allow bypassing the 6-month limit
          + Tim and Trevoli argued that this could be covered in the
            ballot and members could vote no if they think it’s not an
            emergency. Corey Bonnell and Clint Wilson showed a thumbs up.
          + There was some discussion about a required discussion period
            for emergency ballots.
      o Paul suggested to look at software release life cycle management
        best practices.
      o Tim suggested that it would be beneficial if other root programs
        align their effective dates with the odd months.

*10. Any other business*

  * Dimitris created a minute takers rotation plan for the forum and
    server certificates working group like the validation subcommittee.
    The group has not shown any objections. Andrea Holland is the next
    minute taker on the list.
  * Reminder that people should not forget to sign-up for the next
    face-to-face meeting in Ottawa, hosted by Entrust from February 28
    until March 2, 2023, and is followed by a Post-Quantum Cryptography
    from the PKI Consortium on Friday (3 March).
  * We are waiting on a confirmation of the dates for the summer
    face-to-face meeting hosted by Microsoft.
  * The fall 2023 face-to-face meeting is hosted by GlobalSign on
    October 11-13.
  * It was decided to cancel the December 22 meeting.

*11. Next call*
Jan 5, 2023

*12. Adjourned*