[cabfpub] Final Minutes for CA/Browser Forum Teleconference - January 5, 2023
Ben Wilson
bwilson at mozilla.com
Wed Jan 25 16:21:50 UTC 2023
Do you want me to post these to the website?
On Tue, Jan 24, 2023 at 12:08 AM Dimitris Zacharopoulos (HARICA) via Public
<public at cabforum.org> wrote:
> These are the approved Minutes of the Teleconference described in the
> subject of this message, prepared by Andrea Holland (VikingCloud).
>
> *Forum Meeting: January 5, 2023*
>
> *Attendance (in alphabetical order):*
>
> Aaron Gable (ISRG), Aaron Poulsen (Amazon Trust Services), Adam Jones
> (Microsoft), Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben
> Wilson (Mozilla), Bruce Morton (Entrust), Chris Clements (Google Chrome),
> Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert),
> Corey Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert),
> Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Ellie
> (TrustAsia), Enrico Entschew (D-TRUST), Eva Van Steenberge (GlobalSign),
> Fumi Yoneda (JPRS), Hazhar Ismail (MSC Trustgate), Inigo Barreira
> (Sectigo), Jamie Mackey (FPKI), Janet Hines (VikingCloud), Joanna Fox
> (TrustCor), Jos Purvis (Fastly), Karina Sirota Goodley (Microsoft), Kiran
> Tummala (Microsoft), Lynn Jeun (Visa), Mads Henriksveen (Buypass), Marcelo
> Silva (Visa), Marco Schambach (IdenTrust), Michelle Coon (OATI), Mrugesh
> Chandarana (IdenTrust), Nargis Mannan (VikingCloud), Peter Miskovic
> (Disig), Rich Smith (DigiCert), Rollin Yu (Trust Asia), Sissel Hoel
> (Buypass), Stephen Davidson (DigiCert), Steve Topletz (Cisco), Tadahiko Ito
> (SECOM), Tim Hollebeek (DigCert), Tobias Josefowitz (Opera), Trevoli
> Ponds-White (Amazon Trust Services), Wayne Thayer (Fastkt), Wendy Brown
> (FPKI), Yoshiro Yoneya (JPRS)
>
>
>
> *Minutes*
>
> 1. *Roll called*
> 2. *Antitrust statement read*
> 3. *Reviewed Agenda*
> 4. *Approval of minutes*: December 29th meeting minutes approved
> 5. *Forum Infrastructure Subcommittee* – Jos P.
>
>
> - Did not meet last week, no significant updates
> - Working on migration to new wiki which involves archiving the
> existing wiki and pulling items from there into the new wiki
> - Will be posting details and invitations to the management list
>
>
> 1. *Code Signing Certificate Working Group* – Dean C. and Bruce M.
>
>
> - Did not meet last week, no significant updates
> - Continuing to work on ballot for cert revocation due to malware,
> signing service requirements and removing TLS BR references from CS BRs
>
>
> 1. *S/MIME Certificate Working Group* – Dean C., Corey B., Inigo B.,
> Dimitris Z.
>
>
> - IPR period finished for the new BRs
> - Discussion on auditors developing audit criteria for the new
> requirements. WebTrust is aware and will do further discussions during
> their Toronto meeting
> - CAA discussion in IETF’s LAMPs WG, general support for adopting
> draft proposal for CAA for SMIME
> - Stephen also had some ERATA for future updates, he is generating
> GitHub issues for these minor issues
>
>
> 1. *NetSec Working Group* – Clint W.
>
>
> - Did not meet last week
> - Continued discussion around the separation of concepts of offline vs
> air gapped vs unpowered HSMs and key materials to make sure the BRs clearly
> address the differences
> - Organization of NSRs to provide better introduction of NSRs without
> changing the goals but language to describe the intent of the various
> sections and components
> - Trev P.: Issues with the meeting it looked to be cancelled
> - Clint W.: Wiki has latest calendar invite for the meeting
> - Dimitris Z.: Same issue with forum calendar invite. An alias was
> created, so that whenever there is a change in chair positions only the
> password needs to be reset. This allows for management of the invitations
> without needing to create a new series of meetings. This would be a good
> idea for other meetings as well. But for WebEx best way to cancel the
> meetings is through the UI so all registrants get the notice.
> - GitHub Approvals
> - Dimitris Z.: Each WG has its own repository with review and
> approval from Chair and Vice Chair
> - Jos P.: A Code owner’s file exists in each of the repositories
> for each of the working groups. To publish anything to the main branch of
> that repository (to formally update the BRs) requires two people to approve
> and one must be on the code owners list. So if someone wants to make a
> change, they go through the balloting process and then the chair approves
> the update and it requires another person for approval for sanity purposes
> to add to the main branch. At the moment only the Chair and Vice Chair can
> approve, so if either of them is out (especially for a long period) then we
> cannot get approval. If for instance, the Chair does the pull request, then
> the Chair cannot approve those changes and there is only one person, the
> Vice Chair, able to approve. There is no guidance or formal policy in this
> instance.
> - Dimitris Z.: That is the only corner case. If someone else (not
> the Chair or Vice Chair) does the pull request, then there are two people
> available to approve.
> - Jos P.: Yes, that could be one workaround making sure neither the
> Chair or Vice Chair does the pull request. Another idea is to leave the
> previous Chair and Vice Chair in the approvers group for use only in the
> corner case.
> - Dimitris Z.: The bylaws are clear on who does the change and it's
> either the chair or the vice chair. So, if we want to consider the GitHub
> repository as a normative, um, for the documents, I think we need to find a
> work around that. Absolutely requires one of the Chair or Vice Chair to
> perform an action there.
> - Aaron G.: The difference is between who can approve and who can
> merge. A larger group of people could perform the code review effectively,
> but only the Chair or Vice Chair is allowed to click the merge button. We
> limit it to only the Chair or Vice Chair can merge to the repository, so we
> remain within the bylaws.
> - Tim H.: I agree with that. I think we're fine with the bylaws as
> long as the Chair/Vice Chair is the one actively making the change they can
> ask whoever they want for review. The bylaws don't say anything about who
> needs to review the change. I don't like the idea of giving any weight to
> previous chairs as we have moved on from previous chairs.
> - Dimitris Z.: Aaron’s proposal great. Any comments on that?
> - Jos P.: That would be fine. Anybody can do any of the work and
> it'll be a four eye's approval process but only the Chair/Vice Chair can
> actually merge the code.
> - Dimitris Z.: Aaron can work with Jos to make the changes.
>
>
> 1. *Any Other*
>
>
> - Dean C.: F2F has guest speaker lined up to discuss BGP hijacking and
> requested to have an additional person join with knowledge on the subject.
> They will be sharing the same timeslot.
> - Dimitris Z.: No objections.
> - Dimitris Z.: Other F2F
> - June 6-8 in Redmond, WA hosted by Microsoft
> - Sept/Oct in Portsmouth, NH hosted by GlobalSign
>
>
> 1. *Next Meeting*: Jan 19th with Ben Wilson for minutes
> 2. *Adjourned*
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20230125/d19fa437/attachment.html>
More information about the Public
mailing list