Notes of meeting
6 September 2012
Present: Phill Hallam-Baker, Chris Palmer, Ben Wilson, Eddy Nigg, Jeremy Rowley, Simon Labramm, Kirk Hall, Steve Roylance, Wayne Thayer, Atsushi Inaba, Rick Andrews, Rich Smith, Brad Hill, Robin Alden, Geoff Keating, Mads Henriksveen, Patricia Forsyth. Quorum equals 6.
The agenda was reviewed.
- Minutes of Meeting 23-Aug-2012
Minutes of 23 August 2012 were approved as published.
- Ballot status
Three items were discussed under this agenda item: (1) abbreviating the voting process for replacement proposals; (2) the adoption/publication of Requirements for the Processing of EV SSL Certificates v.2; and (3) BR Issues 15 and 29.
(1) Ben noted that Ballot 88 was out for vote and asked whether members would support a revision to the voting rules to provide an abbreviated ballot process when a proposal has already been discussed but withdrawn for minor edits during the voting period. Rich mentioned that he favored having a shortened review period in such cases. Ben said that he didn’t want our review processes to bog us down unnecessarily. Kirk and Eddy opposed the idea of shortening the review period. Kirk said that sometimes people need more time, for example, when they are unavailable for a few days. Eddy said that there haven’t been situations requiring immediate changes to the guideline documents. Ben said that he wouldn’t push for an amendment to the voting rules at this time, but that he thought that there would be times in the future when those opposed to idea might think differently.
(2) Rick mentioned that he had previously proposed the release of an updated version of the guidance for applications relying on EV certificates. He stated that he had addressed issues raised by Ryan Sleevi, and that he had responded to comments from Kathleen Wilson. He said a recent question has been what the document says about a CA that does not pass an audit. Phill said the browser wouldn’t ordinarily receive a report that a CA didn’t pass an audit. In most cases, the audit is not renewed and/or no audit report is provided, and at that point the browser should begin deactivating EV treatment. Rick said that the EV Guidelines have been in place for 5 years and that is one of the reasons why the title is being changed from “Guidelines” to “Requirements.” He said he was looking for endorsers and DigiCert and TrendMicro agreed to endorse.
(3) Steve Roylance and Jeremy Rowley discussed what has been labeled on the discussion list as BR Issues 15 and 29, dealing with organizational validation for mixed content / multiple SAN certificates. Steve said that he had recently circulated a proposal for review and discussion. Kirk queried why this was currently an issue. Steve said it was not a new idea, that it had been raised before, but not thoroughly, and that in reviewing GlobalSign’s implementation of the Baseline Requirements he had identified a few holes where a potential bad practice could cause security issues. Wayne disagreed that the issue hadn’t been discussed in great depth. Kirk said that this proposal would deprecate DV certificates and had no added security value. Steve said it would enhance security and be good practice to identify the subject of a mixed-type certificate. Wayne said that the proposal would not improve security any more than issuing multiple separate DV certificates. Steve said he had not heard why it was not a good idea to put the requirement in place. Wayne said that is misleads the user into thinking that the named organization is the site, when it is one of the other entities listed by the SAN. Steve said that someone must be holding the private key, and that is what the certificate is supposed to identify. Wayne said that what the proposal essentially does is attempt to remove multi-domain certificates. Steve said that they could be eliminated some day in the future, but that is not the issue, today there is a need to identify the holder of the key. Eddy said that he agreed that where domains are owned by different parties it is a different situation and that he could see that Steve wants to give transparency on the holder of the key, but if you have 50 companies under the same key, then that is a bad thing. Steve urged people to read his proposal.
- Review Voting Procedure
Ben asked whether there were any questions about how the voting procedure would work. Kirk asked when the proposals were due, and Ben said 5:00 pm Eastern Time on Friday, September 14. There were no further questions.
- Plan Agenda for Face-to-Face meeting
Proposed items for the face-to-face agenda were reviewed and Ben said that he would post an updated schedule to the wiki. During the discussion, Kirk and Jeremy discussed the IPR Policy and observer status. Kirk said he disfavored having a policy that allowed an exception for an observer category. He suggested that one way to accommodate observer entities like ETSI would be to adopt a motion that specifically identifies them.
- Any other business
- Next meeting
The next teleconference will be on Thursday, September 20th, same time and place.