[cabfpub] Final Minutes for CA/Browser Forum Teleconference - January 5, 2023

Ben Wilson bwilson at mozilla.com
Wed Jan 25 16:21:50 UTC 2023


Do you want me to post these to the website?

On Tue, Jan 24, 2023 at 12:08 AM Dimitris Zacharopoulos (HARICA) via Public
<public at cabforum.org> wrote:

> These are the approved Minutes of the Teleconference described in the
> subject of this message, prepared by Andrea Holland (VikingCloud).
>
> *Forum Meeting: January 5, 2023*
>
> *Attendance (in alphabetical order):*
>
> Aaron Gable (ISRG), Aaron Poulsen (Amazon Trust Services), Adam Jones
> (Microsoft), Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben
> Wilson (Mozilla), Bruce Morton (Entrust), Chris Clements (Google Chrome),
> Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert),
> Corey Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert),
> Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Ellie
> (TrustAsia), Enrico Entschew (D-TRUST), Eva Van Steenberge (GlobalSign),
> Fumi Yoneda (JPRS), Hazhar Ismail (MSC Trustgate), Inigo Barreira
> (Sectigo), Jamie Mackey (FPKI), Janet Hines (VikingCloud), Joanna Fox
> (TrustCor), Jos Purvis (Fastly), Karina Sirota Goodley (Microsoft), Kiran
> Tummala (Microsoft), Lynn Jeun (Visa), Mads Henriksveen (Buypass), Marcelo
> Silva (Visa), Marco Schambach (IdenTrust), Michelle Coon (OATI), Mrugesh
> Chandarana (IdenTrust), Nargis Mannan (VikingCloud), Peter Miskovic
> (Disig), Rich Smith (DigiCert), Rollin Yu (TrustAsia), Sissel Hoel
> (Buypass), Stephen Davidson (DigiCert), Steve Topletz (Cisco), Tadahiko Ito
> (SECOM), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera), Trevoli
> Ponds-White (Amazon Trust Services), Wayne Thayer (Fastly), Wendy Brown
> (FPKI), Yoshiro Yoneya (JPRS)
>
>
>
> *Minutes*
>
>    1. *Roll called*
>    2. *Antitrust statement read*
>    3. *Reviewed Agenda*
>    4. *Approval of minutes*: December 29th meeting minutes approved
>    5. *Forum Infrastructure Subcommittee* – Jos P.
>
>
>    - Did not meet last week, no significant updates
>    - Working on migration to new wiki which involves archiving the
>    existing wiki and pulling items from there into the new wiki
>    - Will be posting details and invitations to the management list
>
>
>    6. *Code Signing Certificate Working Group* – Dean C. and Bruce M.
>
>
>    - Did not meet last week, no significant updates
>    - Continuing to work on ballot for cert revocation due to malware,
>    signing service requirements and removing TLS BR references from CS BRs
>
>
>    7. *S/MIME Certificate Working Group* – Dean C., Corey B., Inigo B.,
>    Dimitris Z.
>
>
>    - IPR period finished for the new BRs
>    - Discussion on auditors developing audit criteria for the new
>    requirements. WebTrust is aware and will do further discussions during
>    their Toronto meeting
>    - CAA discussion in IETF’s LAMPS WG, general support for adopting
>    draft proposal for CAA for SMIME
>    - Stephen also had some errata for future updates; he is generating
>    GitHub issues for these minor issues
>
>
>    8. *NetSec Working Group* – Clint W.
>
>
>    - Did not meet last week
>    - Continued discussion around the separation of concepts of offline vs
>    air gapped vs unpowered HSMs and key materials to make sure the BRs clearly
>    address the differences
>    - Organization of NSRs to provide better introduction of NSRs without
>    changing the goals but language to describe the intent of the various
>    sections and components
>    - Trev P.: Issues with the meeting; it looked to be cancelled
>       - Clint W.: Wiki has latest calendar invite for the meeting
>       - Dimitris Z.: Same issue with forum calendar invite. An alias was
>       created, so that whenever there is a change in chair positions only the
>       password needs to be reset. This allows for management of the invitations
>       without needing to create a new series of meetings. This would be a good
>       idea for other meetings as well. But for WebEx the best way to cancel the
>       meetings is through the UI so all registrants get the notice.
>    - GitHub Approvals
>       - Dimitris Z.: Each WG has its own repository with review and
>       approval from Chair and Vice Chair
>       - Jos P.: A Code owner’s file exists in each of the repositories
>       for each of the working groups.  To publish anything to the main branch of
>       that repository (to formally update the BRs) requires two people to approve
>       and one must be on the code owners list. So if someone wants to make a
>       change, they go through the balloting process and then the chair approves
>       the update and it requires another person for approval for sanity purposes
>       to add to the main branch. At the moment only the Chair and Vice Chair can
>       approve, so if either of them is out (especially for a long period) then we
>       cannot get approval. If for instance, the Chair does the pull request, then
>       the Chair cannot approve those changes and there is only one person, the
>       Vice Chair, able to approve. There is no guidance or formal policy in this
>       instance.
>       - Dimitris Z.: That is the only corner case. If someone else (not
>       the Chair or Vice Chair) does the pull request, then there are two people
>       available to approve.
>       - Jos P.: Yes, that could be one workaround making sure neither the
>       Chair or Vice Chair does the pull request. Another idea is to leave the
>       previous Chair and Vice Chair in the approvers group for use only in the
>       corner case.
>       - Dimitris Z.: The bylaws are clear on who does the change and it's
>       either the chair or the vice chair. So, if we want to consider the GitHub
>       repository as a normative, um, for the documents, I think we need to find a
>       work around that. Absolutely requires one of the Chair or Vice Chair to
>       perform an action there.
>       - Aaron G.: The difference is between who can approve and who can
>       merge.  A larger group of people could perform the code review effectively,
>       but only the Chair or Vice Chair is allowed to click the merge button. We
>       limit it to only the Chair or Vice Chair can merge to the repository, so we
>       remain within the bylaws.
>       - Tim H.: I agree with that. I think we're fine with the bylaws as
>       long as the Chair/Vice Chair is the one actively making the change they can
>       ask whoever they want for review. The bylaws don't say anything about who
>       needs to review the change.  I don't like the idea of giving any weight to
>       previous chairs as we have moved on from previous chairs.
>       - Dimitris Z.: Aaron’s proposal is great. Any comments on that?
>       - Jos P.: That would be fine. Anybody can do any of the work and
>       it'll be a four-eyes approval process but only the Chair/Vice Chair can
>       actually merge the code.
>       - Dimitris Z.: Aaron can work with Jos to make the changes.
>
>
>    9. *Any Other*
>
>
>    - Dean C.: F2F has guest speaker lined up to discuss BGP hijacking and
>    requested to have an additional person join with knowledge on the subject.
>    They will be sharing the same timeslot.
>    - Dimitris Z.: No objections.
>    - Dimitris Z.: Other F2F
>       - June 6-8 in Redmond, WA hosted by Microsoft
>       - Sept/Oct in Portsmouth, NH hosted by GlobalSign
>
>
>    10. *Next Meeting*: Jan 19th with Ben Wilson for minutes
>    11. *Adjourned*
>