[cabfpub] Final Minutes for CA/Browser Forum Teleconference - January 5, 2023
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Tue Jan 24 07:08:08 UTC 2023
These are the approved Minutes of the Teleconference described in the
subject of this message, prepared by Andrea Holland (VikingCloud).
*Forum Meeting: January 5, 2023*
*Attendance (in alphabetical order):*
Aaron Gable (ISRG), Aaron Poulsen (Amazon Trust Services), Adam Jones
(Microsoft), Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign),
Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Clements (Google
Chrome), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell
(DigiCert), Corey Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin
(DigiCert), Dimitris Zacharopoulos (HARICA), Dustin Hollenback
(Microsoft), Ellie (TrustAsia), Enrico Entschew (D-TRUST), Eva Van
Steenberge (GlobalSign), Fumi Yoneda (JPRS), Hazhar Ismail (MSC
Trustgate), Inigo Barreira (Sectigo), Jamie Mackey (FPKI), Janet Hines
(VikingCloud), Joanna Fox (TrustCor), Jos Purvis (Fastly), Karina Sirota
Goodley (Microsoft), Kiran Tummala (Microsoft), Lynn Jeun (Visa), Mads
Henriksveen (Buypass), Marcelo Silva (Visa), Marco Schambach
(IdenTrust), Michelle Coon (OATI), Mrugesh Chandarana (IdenTrust),
Nargis Mannan (VikingCloud), Peter Miskovic (Disig), Rich Smith
(DigiCert), Rollin Yu (Trust Asia), Sissel Hoel (Buypass), Stephen
Davidson (DigiCert), Steve Topletz (Cisco), Tadahiko Ito (SECOM), Tim
Hollebeek (DigCert), Tobias Josefowitz (Opera), Trevoli Ponds-White
(Amazon Trust Services), Wayne Thayer (Fastkt), Wendy Brown (FPKI),
Yoshiro Yoneya (JPRS)
*_Minutes_*
1. *Roll called*
2. *Antitrust statement read*
3. *Reviewed Agenda*
4. *Approval of minutes*: December 29^th meeting minutes approved
5. *Forum Infrastructure Subcommittee* – Jos P.
* Did not meet last week, no significant updates
* Working on migration to new wiki which involves archiving the
existing wiki and pulling items from there into the new wiki
* Will be posting details and invitations to the management list
6. *Code Signing Certificate Working Group* – Dean C. and Bruce M.
* Did not meet last week, no significant updates
* Continuing to work on ballot for cert revocation due to malware,
signing service requirements and removing TLS BR references from CS BRs
7. *S/MIME Certificate Working Group* – Dean C., Corey B., Inigo B.,
Dimitris Z.
* IPR period finished for the new BRs
* Discussion on auditors developing audit criteria for the new
requirements. WebTrust is aware and will do further discussions
during their Toronto meeting
* CAA discussion in IETF’s LAMPs WG, general support for adopting
draft proposal for CAA for SMIME
* Stephen also had some ERATA for future updates, he is generating
GitHub issues for these minor issues
8. *NetSec Working Group* – Clint W.
* Did not meet last week
* Continued discussion around the separation of concepts of offline vs
air gapped vs unpowered HSMs and key materials to make sure the BRs
clearly address the differences
* Organization of NSRs to provide better introduction of NSRs without
changing the goals but language to describe the intent of the
various sections and components
* Trev P.: Issues with the meeting it looked to be cancelled
o Clint W.: Wiki has latest calendar invite for the meeting
o Dimitris Z.: Same issue with forum calendar invite. An alias was
created, so that whenever there is a change in chair positions
only the password needs to be reset. This allows for management
of the invitations without needing to create a new series of
meetings. This would be a good idea for other meetings as well.
But for WebEx best way to cancel the meetings is through the UI
so all registrants get the notice.
* GitHub Approvals
o Dimitris Z.: Each WG has its own repository with review and
approval from Chair and Vice Chair
o Jos P.: A Code owner’s file exists in each of the repositories
for each of the working groups. To publish anything to the main
branch of that repository (to formally update the BRs) requires
two people to approve and one must be on the code owners list.
So if someone wants to make a change, they go through the
balloting process and then the chair approves the update and it
requires another person for approval for sanity purposes to add
to the main branch. At the moment only the Chair and Vice Chair
can approve, so if either of them is out (especially for a long
period) then we cannot get approval. If for instance, the Chair
does the pull request, then the Chair cannot approve those
changes and there is only one person, the Vice Chair, able to
approve. There is no guidance or formal policy in this instance.
o Dimitris Z.: That is the only corner case. If someone else (not
the Chair or Vice Chair) does the pull request, then there are
two people available to approve.
o Jos P.: Yes, that could be one workaround making sure neither
the Chair or Vice Chair does the pull request. Another idea is
to leave the previous Chair and Vice Chair in the approvers
group for use only in the corner case.
o Dimitris Z.: The bylaws are clear on who does the change and
it's either the chair or the vice chair. So, if we want to
consider the GitHub repository as a normative, um, for the
documents, I think we need to find a work around that.
Absolutely requires one of the Chair or Vice Chair to perform an
action there.
o Aaron G.: The difference is between who can approve and who can
merge. A larger group of people could perform the code review
effectively, but only the Chair or Vice Chair is allowed to
click the merge button. We limit it to only the Chair or Vice
Chair can merge to the repository, so we remain within the bylaws.
o Tim H.: I agree with that. I think we're fine with the bylaws as
long as the Chair/Vice Chair is the one actively making the
change they can ask whoever they want for review. The bylaws
don't say anything about who needs to review the change. I
don't like the idea of giving any weight to previous chairs as
we have moved on from previous chairs.
o Dimitris Z.: Aaron’s proposal great. Any comments on that?
o Jos P.: That would be fine. Anybody can do any of the work and
it'll be a four eye's approval process but only the Chair/Vice
Chair can actually merge the code.
o Dimitris Z.: Aaron can work with Jos to make the changes.
9. *Any Other*
* Dean C.: F2F has guest speaker lined up to discuss BGP hijacking and
requested to have an additional person join with knowledge on the
subject. They will be sharing the same timeslot.
* Dimitris Z.: No objections.
* Dimitris Z.: Other F2F
o June 6-8 in Redmond, WA hosted by Microsoft
o Sept/Oct in Portsmouth, NH hosted by GlobalSign
10. *Next Meeting*: Jan 19^th with Ben Wilson for minutes
11. *Adjourned*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20230124/ef777114/attachment.html>
More information about the Public
mailing list