
2012-09-20 Minutes

Notes of meeting

CAB Forum

20 September 2012

Version 1

  1. Present: Dean Coclin, Ben Wilson, Atsushi Inaba, Rich Smith, Phillip Hallam-Baker, Kirk Hall, Eddy Nigg, Jeremy Rowley, Brad Hill, Gerv Markham, Patricia Forsythe, Robin Alden, Rick Andrews, Bill Maddell

  2. Agenda review

The agenda was reviewed.

  3. Minutes of Meeting 6-Sept-2012

Minutes of 6 September 2012 were approved as published.

  4. Ballot status

Ballot 89 (Requirements for the Processing of EV SSL Certificates v.2) failed for lack of quorum. Rick noted that Tom had objected to the ballot because he was concerned that it had not been adequately reviewed or modified to incorporate browser comments. Subsequently Rick and Ben had modified and resubmitted a new draft of the requirements during the review period and before voting had begun. They explained that voting did not proceed on Ballot 89 because the sponsor and endorsers felt that the document needed one more review before being voted on. Kirk asked whether voting periods are announced, and Ben explained that the practice has been for voting to begin immediately after the review period without any announcement. Ben said that he would re-send a new ballot with the attached document and announce a review period.

Rick said that the revised revocation whitepaper for clients implementing SSL is being finalized with input from Ben, Scott Rea, and Ryan Hurst.

Ben asked whether there were any questions on Ballot 90 (Governance), and Rick asked whether it would be good to provide a synopsis of the proposals. Kirk suggested that instead of creating a full review document maybe the document could point to where all of the questions and answers have been provided. Ben offered to provide a synopsis and said that DigiCert and Trend Micro would coordinate on what would be provided.

Ballot to publish v.1.1 of Baseline Requirements – Ben asked whether everyone had noticed that he had attached a proposed v. 1.1 of the Baseline Requirements to the results of Ballot 88 (BR_9_2_4_Errata-ISO3166) and whether there was anyone who would endorse a motion. It was generally agreed that since it only incorporated the results of other ballots that it could be published for a one-week review period. Ben said he would do that.

Kirk asked, with regard to Ballot 88, whether CAs alone could adopt guidelines (for example, when no browsers vote). Gerv said he didn’t think that a ballot could pass without at least one browser vote because the voting rule says “50% plus one.” Ben said that there are two sections to the voting rules: one for determining quorum and one for voting percentages. He said it was his understanding that the 50%+1 was meant to correct the prior rule for voting percentages that had caused concern among browsers when some votes had tied at 2-2 because the previous language said a ballot passed if “half or more” of the browsers supported it. Ben also said that the percentage rule applies to “those voting” (“of the votes cast”) in a category. So, if anyone wants to amend the rule, then they should propose language that more clearly states that at least one member of each group has to vote (as a quorum-requirement provision).

Kirk also said he was concerned about the current quorum calculation formula if only 6 members are required to constitute a quorum. Ben said that the quorum rule was amended back in December 2007 (Ballot 5 – January 2008) because we had gone for quite a while without being able to pass a motion for lack of quorum. Ben asked Kirk to come up with a proposal that would be somewhere in between the previous formula (50% of members) and the current formula (50% of active members as determined by the number of members attending the last three meetings). Rich recommended that we should add posting to the list as a means of calculating quorum since geographic reasons can cause active members to be under-counted. It was generally agreed that this was a good idea. Kirk suggested a 90-day period. Ben said he thought a 60-day period would be easier to apply. There was open discussion on what would work best, and Kirk said he would also like to bunch votes together in batches so that they are easier to follow, review and vote on. Ben requested that Kirk give a presentation during the face-to-face in NYC on some of the ballot-improvement suggestions.

  5. Update on revisions to IPR Policy

Ben said he thought that some very good progress had occurred this week on the revisions to the IPR policy. Jeremy said that Marc Braner of Apple was working on some amendments to the IPR Policy, including, for example, that new entrants could file exclusion notices. Dean said that he understood from his participation during the IPR call that the changes would satisfy Entrust, Identrust and other former members. Ben asked whether the proposed revisions would have a “working group model.” Gerv said he recalled that Tom Albertson had suggested that after governance was revised we would turn to an IETF policy (which has a working group model). Gerv asked, anticipating that the governance issue will be sorted out, what will we do? Kirk said that regardless of which governance model or IPR policy we have, we’ll have to deal with individuals contributing and that he recalled that we were going to have a simplified form of IPR agreement for these people. Gerv said that we will want one agreement for people who are clearly not patent holders and who cannot hire lawyers to review an IPR Agreement and another agreement for companies that have IP and lawyers to review them. Kirk asked whether the IETF had a single agreement. Brad said that the IETF IPR agreement is entered into by individuals rather than by companies. Ben said that we could continue this discussion during the face-to-face meeting.

  6. Review Face-to-face agenda

We walked through the current draft of the face-to-face agenda. Members are asked to help fill in any gaps in the agenda with items, suggestions and topics for discussion. Rick said he would like to spend some time discussing the fact that lots of enterprises are implementing mobile apps that interface directly with mobile devices (without relying on browsers) and that it is unclear whether the stacks between the servers and those mobile systems follow recommended protocols.

If anyone has any new proposals or research results that they would like to present, they should contact Ben for a slot on the agenda.

  7. Any Other Business

None.

  8. Next telephone call will be Oct. 11th. Robin will send a note to the list in case anyone wants to dial in to the face-to-face meeting.

  9. Meeting adjourned.
