2012-08-23 Minutes
Notes of meeting
CAB Forum
23 August 2012
Present: Ben Wilson, Eddy Nigg, Jeremy Rowley, Mads Henriksveen, Sissel Hoel, Atsushi Inaba, Gerv Markham, Rick Andrews, Yngve Pettersen, Rich Smith, Brad Hill, Bill Madell, Robin Alden, Geoff Keating, and Ryan Sleevi. Quorum equals 6.
Agenda review
The agenda was reviewed.
- Minutes of Meeting 9-Aug-2012
Minutes of 9 August 2012 were approved as published.
- Ballot status
Ballots 85 and 86 were reviewed. Rich mentioned that if Ballot 86 passes, then the ISO-3166 directorate will need to be notified that the CAB Forum is using the single user-defined country code of “XX” when an official ISO code has not been assigned. On the ballot for BR Issues 15 & 29, Rick noted that he had received comments from Steve Roylance who wanted to (a) disallow non-FQDNs and internal IP addresses in the CN and (b) require that the CA put Org Info in certificates with internal names/IP addresses. Jeremy stated that DigiCert was in support of Steve’s request. Rick said that the second request would require additional engineering, since it wasn’t in the original BRs. Ben said that there was a discussion about this previously, and Jeremy said that a resolution of the issue was postponed and that it is the right time to bring the discussion up again for resolution. It was decided that further discussion on the issue of organizational validation was needed. Rick also noted that the part of the proposal dealing with IDNs raised engineering concerns because Unicode can be tricky. It is not just an issue of confusion caused by mixed character sets, but it also must be screened for mixing of scripts, bi-directional characters, etc. He said it was essential that we identify Unicode libraries in this area because it can be just as susceptible to mistake as crypto, and that is why we have crypto libraries. Brad said he would contact Chris Weber of Casaba Security who has worked on Unicode libraries in this area and see if he has anything to suggest.
- Status of IPR Policy
Jeremy said that there will be an IPR Committee call next week. He also said that because of ETSI, Entrust, and others comments about the IPR, and because something needs to be in place temporarily while the governance reform process runs its course, he would like to introduce a motion to allow observer status and have a set of rules that allow them to participate upon invitation only and without providing contributions covered by the IPR. Robin volunteered to work with Jeremy on a proposed set of rules that would provide the needed restrictions.
- Liaison Agreement with ETSI
Ben said that if the proposal above to temporarily reinstate an observer status works, then it would obviate the need for a special IPR agreement with ETSI.
- Status of Revocation Improvements
Rick reviewed Brian Smith’s responses on the CAB Forum’s OCSP Recommendations for Clients document. He said that Brian was concerned about various instances where it appears to mandate browser behavior. Rick said that he thought those instances were pretty minimal. For instance, if an OCSP client gets a status of revoked, the client should block access to the web site.
Rick asked whether there was any sentiment one way or the other with Brian’s suggestion that we work on other solutions rather than OCSP. Rick and Jeremy said that they thought we should describe what is here today and move forward with this document. Ben asked whether a single OCSP stapling document should be created to discuss it from both the client and server side.
Ryan from Google said that they were working on a post in response and that they agree, in large part, with Brian’s position. He felt there were more UI requirements in the white paper on how to handle things like expired certificates, for example. Gerv said that he would chime in on the topic as well.
Yngve said that Opera has a number of hints when revocation lookup fails. He also said that the W3C may have some helpful UI guidelines for browsers in the web security context working group. Rick asked whether Yngve could post a link to it.
Rick said that if we’re trying to increase security, and you get revoked status, the browser should not let the user go through. Yngve agreed.
- Agenda Planning for Face to Face
Ben explained that he had copied the agenda template over from the meeting in Norway and that there would be certain items on the agenda that re-appear as a matter of course like audit updates and reviews of issues with the Baseline Requirements and the EV Guidelines. Additional discussion items for the face-to-face agenda include: a review of the Network Security Requirements; an update on the IPR Policy, if any; a preliminary review of organizational documents for the reformed entity; a short discussion on the work of the new IETF wpkops group; application developer guidelines for EV; browser UIs; and the status of revocation work. Ben asked those planning to attend, including browser representatives, to provide any other topics that they would like to discuss during the face-to-face.
- Any other business
Yngve said that version 12.02 of Opera will address “unauthorized” and “unknown” responses and that there may be other changes for when no status information is received from the CA. He said that he had looked at other browser responses “unauthorized” and “unknown” and that responses varied (Mozilla had a warning message in one case, and in another case IE 9 on Windows 7 had provided no error message). Additional information and downloads of release candidates for 12.02 were available on the My Opera Desktop Team blog, https://my.opera.com/desktopteam/blog/.
- Next meeting
The next teleconference will be on Thursday, September 6th, same time and place.
- Close
Meeting adjourned.