
2012-10-25 Minutes

Notes of meeting

CAB Forum

25 October 2012

Version 1

  1. Present: Ben Wilson, Atsushi Inaba, Kirk Hall, Gerv Markham, Brad Hill, Jeremy Rowley, Wayne Thayer, Rick Andrews, Dean Coclin, Eddy Nigg, Ryan Koski, Mads Henriksveen, Marc Braner, Yngve Pettersen, and Geoff Keating

  2. Agenda review

The agenda was reviewed and Item 7 (Review of IPR Policy) was moved ahead of Item 4 (Ballot 89).

  1. Minutes of Meeting 11-October-2012

Minutes of 11 October 2012 were approved as published.

  1. IPR Policy

Marc Braner explained that the IPR working group had met and created version 1.03 to address the concerns of Entrust, Identrust, and others while making as few changes as possible. He said that in his opinion we may now have a viable solution for everyone, but that there is no such thing as a perfect IPR Policy. There is nothing that precludes further work on the IPR Policy down the road, but it is very important that we have an IPR Policy in place. One issue identified is in section 5.1, for which there was recent discussion on whether or not to remove a subsection. Also, the resolution he attached would terminate the current IPR (v. 1.0) on December 1, 2012, and then v. 1.03 would come into effect, with a time period for members to file exclusion notices.

Kirk asked for an overview of the changes. Marc said that there were only two major changes - (1) to make licensing obligations participation-based to address stand-around liability, and (2) to change the definition of affiliates for portfolios of companies that are indirectly related. The goal of the proposed participation-based model is that if you don’t participate, there is no obligation. If you do participate, then you have a duty to license, but you also have the opportunity to exclude IP from licensing.

Kirk asked whether general forum meetings would be considered as participation. Marc said he left that specific issue open for the Forum to decide. He also said that under the existing policy, signing the agreement and compliance with the IPR Policy was a condition of membership. His understanding is that this practice would continue under version 1.03, so you would sign the Membership Agreement, but the Forum could designate meetings as either General Meetings or Technical Meetings.

Yngve asked whether the same thing would happen again, considering that with the previous IPR ballot some major objections showed up just before the deadline (because they finally reviewed the IPR Policy and Agreement and decided they could not sign). Marc said he didn’t know, but that he had attempted to flesh out and address the issues in a way that would not offend the companies who have signed version 1.0, but there are no guarantees. Yngve would like to make sure there are no last-minute objections. Dean said that the only way to know is to put it to ballot. Marc agreed that he would like to bring closure.

Kirk asked about the difference between general and technical and how to tell when something is or is not designated as technical. Marc said that the IPR Policy is modeled on the W3C Policy, which only makes you bound to the extent you actually participate in a workgroup creating a W3C Recommendation. That was envisioned here, even though we all know that the Forum doesn’t work that way. What we’ll need to do is develop rules defining participation. For example, if you attend two technical meetings, you are deemed to have participated. Marc offered to help the Forum develop rules. A general meeting would only deal with administrative issues like governance and the adoption of the IPR Policy. A technical meeting is one in which the member works on a guideline.

Kirk asked whether a vote would also be considered participation, and Marc affirmed that it would. The IPR Policy, however, contemplates that you can only vote if you participated. Kirk asked whether we could just designate that everything we’re working on 100% of the time is Working Group. Marc said you could do that, but then you’d have a problem. Ben said that what Marc is proposing is a way to adopt the IPR Policy, and get something in place that could be modified by defining the details without having to have all of the members re-sign a new agreement. Ben said he’d prefer that the default be that everything be designated as not technical, but that you specify when something is technical.

Marc said he’s left it open in order to get something in place. Kirk said his counsel will want to know exactly what it is going to apply to before they approve it. Marc said that Section 3 of the IPR Policy says that “as a condition of participation in a technical work group” but that we don’t define “technical work group.” Kirk said his counsel will not let him sign it unless his counsel knows what the IPR Policy applies to in terms of the Forum’s work. Ben said he hoped that this would only require a minor modification to this draft that would satisfy Trend Micro’s counsel, for example, by defining “technical work group” as flagging technical discussions with the word [Technical], which would make the IPR Provisions apply, similar to the way an NDA requires that confidential communications be flagged with the word [Confidential]. Marc said that to keep it simple, if you attend two meetings, then you’d be considered to have participated.

Kirk asked who would object to just saying that 100% of our meetings are considered “technical meetings”? Marc said that would work and would be the simplest approach. Ben said that he thought Entrust and others would object because that is why we’ve gone through these edits in the first place and why would we try to distinguish between participation and non-participation.

Gerv said that it is possible for everything we do to be part of a “work group,” even general discussions. The purpose would be to segment the work of the CAB Forum into sections so that people could participate in some sections but not other sections. Then, everything would be part of a section, and nothing would be missed. Then, you could consider the general group to cover discussions of everything else. So, if you had a discussion and someone was unhappy that a technical topic was being discussed within the general group, then the person could say, “actually, the discussion about that has to happen over here in this other group.”

Ben said that he liked Gerv’s concept of segmentation. Kirk asked Ben to give an example, besides deciding when to have lunch, that would not be technical, and therefore, we wouldn’t have to worry about who is participating. Gerv said the general CAB Forum call that we’re having now is not a technical discussion – we’re not the revocation working group, and we’re not the EV working group, we’re just the general discussion group. And in a general call, we wouldn’t determine the exact details of technical standards, but if there needed to be technical discussions, those could be segmented.

Jeremy said that he was concerned that we are discussing an IPR with working groups, but that the governance proposal doesn’t establish a working group model.

Kirk asked whether Entrust had explained why they wanted this segmentation. Marc said that it wasn’t just Entrust, but several of them were concerned about stand-around liability. Their representatives may or may not be paying attention, and then they would be obligated to provide royalty-free licenses. They said, “we’re fine with granting licenses, but we want that to be based on an affirmative action.” Kirk said, “well, if they forget to get up and leave the room when a technical subject comes up, it’s the same problem, they’re going to have to be on their toes, whether we adopt this or don’t adopt it.”

Yngve said that these concerns should be written up in email so that they can be discussed more closely to see what the issues really are. Marc said that that was supposed to have been done by members who convened as part of the IPR working group. Marc said that it was also discussed that the CAB Forum just adopt the IPR Policy of another organization, such as ISO, ICT, ITU, W3C, and IETF, which brought us back to where we were two years ago. Everyone was invited to those meetings, and we fleshed out the issues, and these are the issues. It would be much easier to adopt a process along the lines of what Gerv has suggested than to come to a new agreement on an IPR policy.

Yngve said that if we state the reasons for the changes in the IPR Policy, and then Kirk can delineate what is a work group versus what is not a work group, and if this happens in the entire Forum and not just the IPR working group, then we can look at what the arguments are in each direction and see if something can be worked out. Ben said we should move this discussion to the list, and have people speak or forever hold their peace, before we put it to a ballot, and that the deadline should be Wednesday of next week and that a ballot be submitted at that time.

Dean suggested that Entrust and Identrust should be involved in the discussion. Ben said that Entrust and Identrust representatives could be copied on all discussions. Dean said we do need to move forward with a new IPR policy. He also thanked Marc for his contribution. Marc said he would be happy to help suggest a process around the participation issue.

Kirk said that next Wednesday would be way too soon because he gave it to his counsel but told his counsel to hold off any review until he could understand what it was about. Kirk said that Trend Micro would have to know exactly all of the details on what is and isn’t a working group, and so on and so forth before he would ask his counsel’s opinion, so in no way would he support moving forward. Ben asked why Trend Micro’s counsel had not participated and that it was frustrating when others do all of the work, and then Kirk expects that it be fully developed. Kirk said he could not vote on it without a definition of “working group” and that he would vote “no” if it came to ballot.

Wayne asked whether he was correct that the expectation is that members run the document past their legal teams and be in a position next week to either oppose it or move forward with it. Ben said, “yes.”

  1. Ballot 89 – Guidelines for Processing EV SSL

Rick said that Brian Smith has requested that the following language be removed from the document: “certificates for which revocation information cannot be obtained should not be treated as trusted certificates.” Yngve asked whether it was an issue of EV treatment, and Rick said that the document says “should not be granted EV treatment” but it also has the other statement that Brian has concerns with. Gerv explained that Mozilla is developing Firefox OS based on web applications, which are served over https. If the status of the application is displayed to the user, that might cause a security indicator to flicker on and off, even though the application is operating properly in an offline state. So there is a problem with a requirement that you have to remove a security indication while you are offline because you cannot get revocation information. Brian would like wording that if the certificate has been presented and validated at least once, including for EV status, then that UI treatment should persist even if the user is offline. Yngve said that if the content is downloaded to cache via HTML5 then you already have security status for that content, and that is checked at TLS download. Rick agreed that offline mode is different, and that he was assuming that the document applied only for the handshake, and if offline mode needs to be discussed, that it be done separately. Yngve added that when you resume a server session, you are not doing a full handshake, and you would not be expected to do revocation checking for that.

Another of Brian’s concerns is that intermittent changes in security display (EV UI indicators) would also be required due to the inability to access OCSP information from time to time. What if an EV certificate has been revoked? Yngve said that a well-configured server would be active for a long period of time during the day, but Gerv asked what about when you turn your phone on and off and log in and out of your bank, and OCSP fails, would the CABF want the EV condition not to appear? Yngve said that CRL and OCSP responses could also be cached for a longer time than the duration of several sessions and that the only instance where he has seen a similar issue arise with EV / non-EV display in Opera was when a Japanese bank had installed two different EV certificates of different key lengths and the site switched between certificates. Opera treats failed revocation as a “no-padlock” condition so you wouldn’t get to the issue of EV indication.

Rick said that if you fail revocation checking for the first time, you should not display EV-ness, and you should not treat it as a trusted certificate. But, if we can establish an appropriate time frame for situations where you’ve previously validated an EV certificate, then you should be able to continue to trust it. Gerv said we just need clarification on whether that is allowed. The discussion on this topic then closed and moved back to the listserv.

  1. Ballot 92 – RFC 6125 and Subject Alt. Names

Kirk said he raised this issue because if you look at the issues list it is not clear how these are an improvement, and there are a lot of complex changes, so he would like to have a written explanation of the changes so that people who are not on the calls can understand what the sponsors are trying to accomplish, but that he would like a walk-through of the ballot during the call. Ben said that part of the issue may be that the discussion of this issue has been going on for quite some time and that all of the changes may not be related to just the identified BR issues so it might be difficult to catch up. Brad and Jeremy had worked on Ballot 92 and were on the call, but it was presented by Steve Roylance, who was not on the call. So Ben asked whether either of them would be willing to attempt a review of it. Brad said that he did not have it up and would have to get it in front of him, but asked what the specific issues were. Kirk said that in the past the proponents of a measure had explained the measure so he wanted the proponents to explain it to the whole group. Brad said he had explained it multiple times over the course of work on the issue. Kirk said he was a member and entitled to know what was in the ballot and was upset that Brad was unwilling to explain the ballot. Brad said that he was willing to explain it. Kirk said that Brad should explain it. Brad asked if anyone else shared the concerns, and Kirk said it didn’t matter if anyone else shared the same concerns and that he wanted the ballot explained to him.

Kirk asked, “why are you outlawing DV SANs certificates?” Brad said he would have to look at the ballot. Jeremy offered to forward all of the discussions on it to Kirk for review. Kirk said that he could find those himself, but that he’d rather have a new explanation of the ballot because the ballot was very complex. Jeremy said that there was not enough time during the telephone call to go over all of the details and that another email explanation could be sent. Kirk said he would look forward to the email. Gerv said that if it would take an hour to explain the ballot, then it should be broken into multiple ballots. Wayne said that the problem is that the ballot originally started as two BR issues that have now morphed into a ban on DV certificates. Gerv said that the purpose of the BR issues list was to limit the scope to things that could be resolved, and he asked whether the proponents believe that the ballot falls squarely in Issues 15 and 29. Jeremy said that it was not because he didn’t think it had to because we have been working on the BR issues list for over a year and ongoing issues should be resolved as well. Brad said that for section 2.2.2.1, that was not language that he proposed, and that he could only speak to his own recollection and not anything he didn’t know about. Ben said that some of the language is from Steve, who was not on the call. Brad said that it appeared the language was added to provide contact information for at least one responsible party in the case of a multi-domain certificate. Rick said that he recalled from discussions that someone had mentioned that there was no evidence of this ever causing harm and that if you wanted to put in information about who the controlling party was, it was difficult to determine who that party was, and that there was no consensus on this issue. Brad repeated that it wasn’t his language, and he couldn’t address it.

Rick also noted that he had previously stated that Unicode checks are very complex, and that he opposed this unless there were a Unicode library that was freely available to be used by all and that by using that library you would meet all requirements, because this is very complicated. Brad said that he had permission from counsel to contribute the code to the ITU library and that he would submit the patch and see if they were willing to accept the patch, and that he was willing in making that open source contribution to share the code so that the specifics and the algorithms are available to members of the CAB Forum, regardless of whether the library maintainers choose to accept it. Rick thanked Brad and said that he would still like language that said by using the code a CA fulfills the requirements.

Mads noted that the review period closed and that it was now in the voting period. Ben acknowledged that when these kinds of things happen it becomes unclear how to proceed and that the ballot should probably be withdrawn. Jeremy said he did not want to have it withdrawn. Yngve said that in some similar situation we had extended the review period for a week. Dean said that such an approach would have to be proposed by the people who put the ballot together, and that approach would make sense where there is a good consensus because nobody likes to see ballots resubmitted because it wastes time. Wayne said that he recalled Steve indicating that he wanted to move it to a vote because there was no room for compromise, but Dean said that the other contributors may want to review their strategy and move it to vote.

Brad noted that he disagreed with Rick’s position that a CA would be absolutely always safe if they used the Unicode library: code always has bugs, standards evolve and change, new attacks are discovered, and things are refined, and it would not be a good practice to write the Guidelines as dependent on code. Guidelines should state what the objective is and not how it should be accomplished. Rick said he agreed, but that usually the requirements have been relatively simple and straightforward to implement, but that is not true with Unicode. Brad said that even if we allow it for the present time, it could later be found to be deficient, so we should not commit to it long term, because it will create a vulnerability in the ecosystem. Rick said that if there is a problem we’ll fix it, it’s better than having 50 different CAs creating 50 different sets of code and having most of them incorrect in one way or another. Yngve said that “test suite” is better than “code base”.

  1. Ballot 93 – BR Reasons for Revocation

Ben asked if there were any questions. Rick said he had one comment: that in the last paragraph there was a typographical error, that it should read 2^16+1 and then 2^256-1. Yngve acknowledged that the superscript got lost at some point. Rick said his other concern is that it will force a CA to revoke a certificate when it is misused, and that has a lot of uncertainty associated with it. What does it mean for a CA to discover that a certificate has been “misused”? Yngve said that “misused” is language that was already in section 13.1.5; it was just moved. Rick said he still has an objection, because if a customer indicates that a certificate has been “misused” we don’t want to revoke it immediately if there is more harm that will be done than good. Yngve said that “misused” will have more relevance from what is defined in your practice statements than what is defined here and that because the language is just being moved, if it needs to be fixed then that would be something for another ballot. Rick said that this presents a gray area that needs to be addressed, probably with a ballot, because this doesn’t recognize that there are reasons why you wouldn’t want to revoke it within 24 hours, and you’d be in violation if you don’t. Yngve also said that the original ballot didn’t have an effective date, but it should say effective immediately.

  1. Review Governance Proposal and Ratification Process

Kirk noted that there has been a review period. Kirk said that the only comments were from Ben, and that while some of them were good, they went beyond TrendMicro’s proposal so they would not be included because people would say that it wasn’t what they had voted on. He also noted that if a member of the public wanted to respond, we haven’t got a means for them to do it, but we could have them use the “information@” link, but he wasn’t sure how to communicate that to them. Gerv had mentioned it could be posted on the Mozilla list, but Kirk did not feel he should do that, unless the members felt it should. T-Systems also indicated that their counsel wanted to review it, but he hasn’t heard back from them. So the two questions are: (1) do we want to post this on our web site, with an email address for anyone wanting to post comments, and (2) should it be posted on the Mozilla list for comments? Jeremy asked, since the proposal is similar to what we already have and the bylaws are the current rules, whether it would be simpler to have a separate ballot on just the changes, split into 4 ballots, and that way the ballot wouldn’t have to stand all together and we could pass these changes easier and quicker. He also asked whether we should wait until the IPR Policy is resolved. Kirk said that he was ready to go forward with the governance vote and people can accept it or not, and that he wanted to go with what he had circulated. He said that based on the previous ballot TrendMicro could put the ballot forward whenever they want to, and it doesn’t need any second endorsers. Jeremy said that he thought that the ballot had said that you’d follow the current forum procedures. Kirk said his questions are whether we should put it up on our web site or circulate it on the Mozilla list so that the public can comment. Jeremy said he would like to have Entrust and Identrust back in. Kirk said he was not willing to delay it.
Kirk said that since it didn’t look like anyone had any comments he would not ask for any public participation and that he would put it to a vote and if it failed then we’d be back where we started. Gerv said that the right way to break this cycle is to do the governance vote first because the IPR Policy cannot take its final form until we know what the governance is. If Kirk’s proposal does not include work groups, and the governance proposal passes, and the IPR Policy requires work groups, that doesn’t work, but we can’t let the tail wag the dog. So we should do the governance, then the IPR, and then ask the other CAs whether they want to join based on the governance and IPR that we have chosen.

  1. Scheduling of next F2F Meetings

Mozilla has committed to the 5th and 6th of February, 2013, with the revocation working group meeting on February 7th. Dean noted that the room was available in Munich whenever we wanted to schedule the meeting, but it would be good to reserve it now. He asked whether June would work. Wayne asked that some May and June dates be proposed. Arno had mentioned that ETSI was meeting in the first week of June. Also, Memorial Day in the US is on May 27th, so possibilities are the week of May 20th or the week of June 10th or the week of June 17th. So people should look at their calendars, and Dean will circulate a poll with those 3 options.

  1. Status Review

Ben will send out a follow-up email asking for volunteers for the web site standing committee.

Yngve noted that he still is looking for another endorser for BR issue #7. Ryan Hurst said he would look at it. Yngve said he wants some endorsers.

Gerv provided an update on Mozilla OCSP Stapling. There is a technical disagreement that is being arbitrated on how this issue will be resolved. It is being worked on and reviewed by the NSS module owners.

  1. Other Business

Yngve noted that he had emailed updated statistics on OCSP stapling server support and TLS renego patching.

  1. Next meeting

Next meeting will be 8 November 2012. Please note that daylight savings time will have ended and that for those members going off of daylight savings the meeting will be an hour earlier.
