CA/Browser Forum

2013-04-04 Minutes

Here are the notes from our penultimate telephone call, held 4 April 2013. Item 14 was amended from the draft minutes to clarify that the draft white paper had been circulated to the code signing working group and not the CABF as a whole.

  1. Present: Rick Andrews, Atsushi Inaba, Dean Coclin, Robin Alden, Steve Roylance, Wayne Thayer, Gerv Markham, Ben Wilson, Rich Smith, Phil Hallam-Baker

  2. Agenda review: The agenda was not sent out ahead of time due to a mix-up but was announced at the start of the meeting.

  3. Approve Minutes of 21 March 2013: The minutes of 21 March 2013 were approved as published.

  4. Review of Ballots: There are no outstanding ballots.

  5. Latest Version of BR 1.1.3 on website: Wayne was requested to place the latest version on the website (this was completed after the call). Steve asked if we are moving away from the “errata” system and going towards point releases. Ben said that every ballot will produce a new point release and the “errata” will be shown in each subsequent release. These will be PDF files.

  6. Ballot to add DSA into Baseline Requirements Appendix A: Rick is looking for a second endorser to his proposed ballot. Robin asked to see the ballot and he would consider endorsing.

  7. NIST Workshop: Ben is preparing slides for the NIST meeting on behalf of the CABF. Several members will meet for dinner on Tuesday night before the conference.

  8. EV SSL Guidelines: Rick said he hasn’t received any comments since the face to face meeting. He will put to a ballot if no other comments are received.

  9. Technical Constraints on sub CAs: Steve asked for members to review the language in the email he sent out and respond with comments. He will format it as a ballot shortly.

  10. Code Signing Working Group: Dean gave an update on the CSWG. A notice for public participation was posted but no one has responded from outside the CABF. The first meeting was held, where it was agreed to set the high-level goal as: “Prepare Baseline Requirements to reduce the incidence of signed malware”. The group will initially research the causes of signed malware by reviewing recent incidents and also reviewing best practices that may already exist from places like NIST, OTA, “Stop badware”, as well as code signing guidelines from Microsoft and Mozilla. The working group will meet in Munich on June 13th.

  11. Munich Meeting: Symantec will provide a website for participants to register for the conference and to reserve hotel rooms. We were able to secure a hotel not far from the office and it looks like about 25 participants will attend. Symantec will hold rooms at the hotel for those that register. Members can pay with their own credit card upon checkout. Agenda to follow.

  12. IETF: Phil stated that the “must staple” draft has been renamed. There are also drafts on “Multi-stapling” and “Cached credentials for TLS”.

  13. Status of website rewrites: Dean stated that most of the material is up on the wiki and encouraged a smaller group to get together to complete the updates. We will need Wayne’s help to complete the task and we might want to take a ½ day in Munich to get peer review of all the materials.

  14. Code Signing and NIST Meeting: Phil wrote a white paper, which he circulated to the Code Signing Working Group, that is basically a “problem statement”. Every platform has a different approach and developers have to learn how to sign code for multiple platforms. Phil said there really isn’t a forum that “owns” code signing as an infrastructure. Dean said that the CABF CSWG was set up to address this.

  15. Meeting adjourned until the next call – Thursday, 18 April, 2013.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).