2012-08-09 Minutes

Notes of meeting

CAB Forum

9 August 2012

Version 1

1. Present: Ben Wilson, Eddy Nigg, Jeremy Rowley, Gerv Markham, Sid Stamm, Rick Andrews, Kirk Hall, Dean Coclin, Joe Kaluzny, Chris Bailey, Wayne Thayer, Steve Roylance, Yngve Pettersen, Rich Smith, Brad Hill, Robin Alden, Stephen Davidson, Tom Albertson, Phill Hallam-Baker, Moudrick Dadashov, Ryan Koski, and Geoff Keating. Quorum equals 7.

2. Agenda review

The agenda was reviewed.

3. Minutes of Meeting 26-Jul-2012

Minutes of 26 July 2012 were approved as published.

4. Ballot status.

Ballots 79 and 83 passed. Ballot 82 was rejected. Ballot 84 is pending for user-assigned country codes. Rich mentioned that Eddy had proposed a possible alternative solution that would assign a single code “XX” when an official ISO code has not been assigned. The other fields would then be used to provide geographic location of the subscriber. Ballot 84 was then withdrawn, to be replaced with a new ballot.

5. Update on status of BR Issues list

Bruce Morton was working on a motion to address BR Issues 15 and 29. Jeremy had endorsed the previous version. Dean and Rick will review it, and it may be ready again to submit to vote. Yngve noted that a ballot to address BR Issue 7 (AIA URL) had been endorsed by Wen-Cheng Wang. Jeremy mentioned that his proposal regarding short-lived certificates could be combined in the same motion. Rick said he thought that the concept of short-lived certificates are too new to justify eliminating revocation information.

Yngve said that he had submitted a proposal to resolve BR issues 6, 8, 20 & 21 (reasons for revocation).

Rick said that that before CAs should adjust revocation of intermediate CAs, browsers should be required to check intermediates. Yngve and Gerv mentioned that Opera, IE, and Firefox have ways of checking for revocation, including the use of blacklists for situations like Diginotar, Digicert Malaysia, and Trustwave. Jeremy noted that the proposed revision to Section 13.1.5 treated the reasons for revocation the same for end entities and intermediate CAs and that some reasons for revocation did not apply so that two separate lists were needed. He said he would work with Yngve on a revised version.

6. Discussion re: Membership, Observers, and Leadership

Ben introduced the idea of having co-chairs. Several members said they favored having a single point of contact and that a chair / vice-chair arrangement would be better. Tom said he thought the chair should be interim until a new organization is formed, and it was generally agreed. Ben said that he and Dean would work together to prepare a ballot for the election of a chair and vice-chair.

7. Discussion of IETF and the Web PKI

Ben said that the IETF had requested an indication of member interest in an IETF working group on Web PKI. Chris said that he was opposed to the CAB Forum taking on a relationship with the IETF but that members should be free to participate in such a group.

8. Status of IPR Legal Committee Meeting

Ben explained that the IPR committee had met on Wednesday and that two items were discussed-whether to “blow up” the IPR and whether members would be open to adopting a work-group-centric model. Ben said he thought there would be no barrier to following a work group model, but that there were some who had indicated we might want to adopt an IETF model. Tom said that we have an IPR in place as of August 1, and there are now members and non-members but that we need to ensure that there are ways for non-members to participate in IPR and governance discussions. While we worked long and hard for the IPR policy, and we’re appreciative of the time involved, we did lose several members on Aug. 1st. Gerv said that we should stop hacking at the IPR and focus on getting the governance structure in place with a governance board that can adopt a good IPR with minimal changes. Dean asked Brad what his thoughts were. Brad said it would have been better to have had something like W3C that was easier to analyze and that the current IPR policy was rather broad.

Conversation then turned to the mailing lists. Because of the IPR, several parties were taken off of the management list but left on the governance and revocation mailing lists. Because of the conflicts that this posed with the IPR Policy and governance reform efforts, it was decided to eliminate both lists.

Stephen had previously mentioned in an email that the IPR Policy should be posted publicly on the CAB Forum site and that patent disclosure statements should also be placed on the internal wiki for review, and it was generally agreed that those two actions should take place. Ben said he would create a patent list on the wiki. Wayne will post the IPR Policy in the Documents section of the web site.

9. Status of Straw Poll on Governance Reform

Ballot 85 has been published. The ballot review period is from 10 August 2012 to 2100 UTC on 17 August 2012.

10. Status of Discussion on Revocation and Certificate Validity Discussions

Rick has reviewed documentation about client behavior for EV certificates found on the wiki and has finalized the white paper on the revocation checking to be performed by SSL clients. He will circulate a ballot requesting that they be publicly posted.

11. Next steps on CAB Forum Network Security Controls – errata and review

Ben said that he would work to harmonize the document with WebTrust and ETSI provisions and create an issues tracking page on the wiki similar to the one used for the Baseline Requirements.

12. Next Face-to-Face meeting

Less than 10 people have RSVP’d so far. Robin urged that those planning to attend RSVP as soon as possible.

Dean confirmed that a location in Munich would accommodate the size of our group and that we just need to pick date.

13. Any other business

Joe expressed concern that the 1 August 2013 deadline to comply with Ballot 80 regarding issuing “good” responses for unknown certificates would not be enough time according to discussions with a vendor. Others responded that it was understood when the ballot was passed that if next year it appears that a particular vendor will not meet the deadline that it will be adjusted by another ballot.

14. Next meeting

The next teleconference will be on August 23rd.