Notes of meeting
26 July 2012
Tim Moses, Wayne Thayer, Atsushi Inaba, Brad Hill, Dean Coclin, Eddy Nigg, Bruce Morton, Geoff Keating, Rick Andrews, Renne Rodriguez, Yngve Pettersen, Jeremy Rowley, Carsten Dahlenkamp
2. Agenda review
The agenda was accepted as published.
3. Minutes of meetings on 12 July
The minutes were accepted as published.
4. Ballots status
Ballot 80 opens for voting later today.
Ballot 82 closes next Tuesday.
Ballot 83 opens for voting tomorrow.
5. CABForum Network Security Controls Ballot Draft 1
Rick said that he would like to propose a change. It has to do with air-gap requirements for root CAs. Symantec has one or two legacy CAs that have issued end-entity certificates. They need to keep them online to issue CRLs. He said that he has circulated a proposed revision to allow this case.
Tim said that Ben is the only one with the authority to modify or withdraw the motion. Absent such a move, the voting period will commence at 2100 UTC (Friday) 27 July. Jeremy said that he would be able to talk to Ben and make sure that the issue was addressed before the voting period commenced.
Rick said that his proposal is specific to existing roots that must issue CRLs on a short time-base. Eddy said that having these root CAs online should not be allowed beyond the expiry of the last end-entity certificate. Rick agreed. He thought that other CAs shared his concern. Bruce asked to see Rick’s proposed revision. Rick said that he would send the proposal to the public list. Jeremy said that he would make sure the ballot was amended prior to commencement of the voting period.
6. BR Issues list
Yngve said that those who have objected to Ballot 80 agree with the principle of the motion, but they had trouble with the timeline.
Yngve said that previous ballots commonly contained grace periods of seven months or less. Tim said that, in this case, we are dealing with a third-party software supplier. So, implementation is not entirely under the CA’s control. For this reason, they need a way of convincing the supplier that a product change is required. Eddy agreed, saying that the Baseline Requirements contain some “softened” requirements where software or hardware changes are involved.
Yngve said that he can understand the problem. But, in his view, CAs have been on notice since October that this change was coming. Tim said that Yngve had to decide whether to let the ballot proceed as currently worded and face the possibility that it will fail. Alternatively, he could accept an amendment, in which case the ballot might pass. It was his choice.
Yngve said that he preferred to make this requirement “mandatory” with (if necessary) an extended grace period, and “recommended” with an earlier introduction date.
Rick asked what would happen if he was unable to convince his supplier to update the product. Tim said that, if, when we approach the deadline, a suitable product has not become available, then another ballot could be introduced to deal with the situation. Eddy thought that one year should be sufficient.
Yngve suggested eleven months for introduction of the mandatory requirement. Rick said that he thought twelve months would be required. Yngve suggested recommending the practice from 1 Feb 2013 and making it mandatory from 1 Aug 2013. Rick agreed. He said that he would monitor progress closely, and in case it becomes impossible to meet the 1 Aug deadline, he will reintroduce the topic.
Eddy asked about related client changes. Rick said that it would be easier to “sell” changes like this one inside his organization if there were corresponding moves on the client front to deal with revocation behaviour (for instance, if browsers were required to block a site on receipt of an affirmative “revoked” status).
Yngve said that Opera already hard-fails on “revoked” status. But, uncertainty persists around the “unknown” and “unauthorized” values. Rick asked about the other browsers. Yngve said that he was uncertain about Google’s plans for using OCSP responses. He said that he thought that Firefox and IE hard-fail on “revoked”. Geoff said that Safari displays a dialog box. But, he believes that there is still a way to click around that. However, if there were an industry position that this behaviour should be deprecated, then Apple would revisit the decision. Rick said that he would like to see an industry position that; in case the browser gets a “revoked” status for any certificate in the chain, then it must block with no option for proceeding to the Web-site. He said that, if we can’t agree on that, then we’ll never be able to agree on how to deal with “no response” or an “unknown” response.
Tim speculated on the proper vehicle for making such a statement. Rick said that it should be a CABForum Requirements document. He hasn’t written it into the “Guidelines for the Processing of EV Certificates”, because he wants to get agreement first.
Yngve said that he had just tested Firefox and it doesn’t allow click-through. Rick said that he would like to see all browser vendors state for the record that, for DV, OV and EV, for desktop and mobile, they don’t allow navigation to a site when an affirmative “revoked” status is received. He said that IE9 appears to allow the user to click-through, but this may be an artifact of the particular certificate.
Geoff said that Apple would likely respond to something as simple as a CABF ballot calling on browsers to behave a certain way.
Tim said that we obviously have to hear from a Windows/IE representative, but, it sounds like a possibility that CABF could take a stance on an issue like this one and that it might have an effect on browser design.
Eddy said that he would like to see such a ballot coincident with Yngve’s ballot. Tim said that that would cause a delay to Yngve’s ballot.
Yngve said that he thought Opera could be more agile than other browsers. He thought that Opera could release a change of this nature in half a year. Security features could have a faster turn-around.
Rick said that he could agree to letting Yngve’s ballot proceed, while we progress the other issue separately. He asked how the Forum’s resolution would be communicated. Should it result in a change to the Baseline Requirements, for instance? Somehow, it should appear on the CABF “Documents” page. Geoff agreed that a public statement would be better than a simple ballot result.
Yngve said that we could have a “notes” section on the “Documents” page.
Tim asked if we should introduce the statement into the “Guidelines for the Processing of Certificates”. Rick said that the current document is specific to EV. He said that he could extend it to cover other certificate types. He suggested that we complete the EV document, and style it as “requirements”, not “guidelines”. Then we can use that as a model for a document on non-EV certificates. The first draft would likely contain nothing other than a statement about behaviour on receipt of a “revoked” status response. Subsequent drafts would state a broader range of requirements. This was agreed.
Eddy said that he was happy with Rick’s proposal.
Tim summarized: Yngve has agreed to require two implementation dates: SHOULD by 1 Feb 2013 and MUST by 1 Aug 2013. And Rick will start drafting a document that records requirements on browsers processing publicly-trusted SSL certificates.
Bruce said that he is working on a ballot for two issues (15 and 29). He has received comments from Rick and Yngve that he plans to accommodate. But, he is lacking endorsers. Rick said that he would be willing to endorse.
Jeremy said that he doesn’t support deprecating domain names in the subject common name attribute because he is uncertain of the impact on legacy clients. We already require that a domain name in the subject common name attribute be selected from those in the subject alternative name extension. This requirement addresses the concerns, so there is no good reason to risk breaking legacy clients.
Rick said that, if we are to modify CA behaviour in relation to domain names in the subject common name attribute, we should simultaneously impose requirements on browsers to deal with the common name attribute properly.
Yngve said that there has been an SSL client requirement for some years that, where a subject alternative name extension is present, it should be used in place of the subject common name attribute. This is what Opera does.
Brad said that he is more concerned about the gTLD and the Internationalized Domain Name requirements than the common name requirement. He would be willing to drop the common name requirement.
Yngve said that he proposed using a newer IDN reference (RFC 5890 instead of RFC 3490). Also, he had concerns about the definition of the term “operationalize”. Brad said that this means the time at which the name is resolvable on the public Internet. Yngve said that he is concerned about private names remaining in use after they have become resolvable on the public Internet. Brad agreed. But, the current text was an acceptable compromise, given the difficulties that customers may confront in removing the names from their private networks. Yngve said that a user on the private network would remain vulnerable. Brad said that he would accept a grace period in return for agreement to phase out the practice. Yngve said that there will be a delay between the announcement of a new gTLD and its being available for registrations. In his opinion, they are “operational” once announced.
Yngve said that the point of “operationalization” should be defined. Brad said that he would propose some language on that topic. Jeremy said that he would likely endorse the revised motion.
7. Any other business
Dean said that we have been operating under the Baseline Requirements for a few weeks now. The CABForum should issue a statement to the effect that members are now operating under the requirements. He also suggested that the statement include guidance on how to check which certificates are issued in conformance and which are not. Dean said that the Forum should provide a resource for dereferencing policy identifiers.
Rick said that we should do the same thing for EV.
Tim pointed out that, probably, as of today’s date, not all members are issuing conformant certificates. Dean said that we would list the subset of members that were issuing, and wanted to be identified as issuing, conformant certificates. This is an opportunity for the Forum to step forward with information about ongoing improvements in the Web PKI. Dean agreed to take the lead on the topic.
Dean said that there appears to an impetus to form an industry group for SSL CAs. The purpose is to educate the public and provide unified messaging around SSL CAs and respond to issues that come up in the press. A group of CAs could be more responsive than the Forum can be. Dean said that this is just in the discussion phase. Consideration had been given to making this a part of the Forum. But, it was decided that this was not the best way forward. He wanted to make others aware of the initiative.
Yngve said that through the incidents in 2011, there had been involvement of, and sharing with, the browsers. He was concerned that that collaboration might suffer. Dean said that the intent is public education and coordinating response to incidents when necessary; working WITH the CABForum, not INSTEAD OF the CABForum.
Jeremy said that there is no plan to duplicate or conflict with CABForum. He said that DigiCert was in the spotlight last year over the Digicert Malaysia incident, and this made them keenly aware of the need for an industry body to represent CAs.
Dean said that Munich is looking more likely than Reading for Meeting 29.
8. Next meeting 9 Aug.
Tim said that today’s is the last meeting before some significant changes in membership. He mentioned the names of some previous participants who will not be participating henceforth based on the situation as it exists today. He said that this will necessitate some administrative changes, including the teleconference number. A new chair will have to be appointed.
Tim said that he has a list of members’ email addresses that he has correlated with the list of executed IPR agreements. He sent messages to the addresses of those whose organizations had not executed the agreement, warning them that they will be deleted from the list and the Wiki ACL on 1 Aug. He offered to update the list of 31 July and send the result to Wayne, asking him to make the necessary changes to the mail list and Wiki ACL.