CA/Browser Forum
Home » Posts » 2013-08-08 Minutes

2013-08-08 Minutes

Notes of meeting

CAB Forum

8 August 2013

Version 1

1. Present: Atsushi Inaba, Ben Wilson, Jeremy Rowley, Wayne Thayer, Kirk Hall, Eddy Nigg, Richard Wang, Steve Roylance, Dean Coclin, Robin Alden, Connie Enke, Rick Andrews, Ryan Sleevi

2. Agenda review: Approved as published. Steve asked that the latest version of the EV Guidelines be posted to the website. Ben and Wayne will coordinate after the call to get the current version up.

**3. Minutes: ** The minutes of July 11, 2013 were approved. (We didn’t vote to approve them last meeting, but they are already published because the rules say that after 2 weeks of circulating them they are to be published.) The minutes of the teleconference of July 25, 2013, and the Munich face-to-face meeting were also approved.

4. Ballots: Dean said that he thought that Microsoft still wanted to discuss Ballot 106 and Ben said that even though Ballot 106 (to extend the deadline for no “good” response for non-issued certificates) was withdrawn, he wondered how we could keep a placeholder without keeping it as an agenda item but stated the issue will likely come up again in due course. Ballot 107 has only received a few votes and it closes tomorrow. Kirk said that we are seeing a problem when things go to ballot too quickly and that maybe we can have more discussion before they go to ballot. Ben said he thought we could go ahead and give it a ballot number if it looked clear it was going to become a ballot. Kirk said he wouldn’t give it a number, but just send around the draft stating that the proponent was considering a ballot with such text and solicit pre-ballot comments. Jeremy and Robin said they liked having a proposed number because it’s easier to track in their email and suggested that a subject line that makes it clear that it’s not an official ballot might work – like “proposed ballot 108a” “pre-ballot 108b”, etc.–then going back to “Ballot 108” could work. Rick suggested that we consider creating a pre-ballot stage.

Jeremy said that he withdrew Ballot 108 to replace the proposal with one that just requires an FQDN or internal server name and a Server Authentication EKU. He asked for any other suggestions to the proposed ballot.

Ballot 89 (EV Processing Guidelines) – Rick said that he has tried to update the document but that the browsers are still not satisfied. Tom recently doubted whether they can be followed. Rick would like to remove the old version as soon as Wayne can get to it. Ben said he didn’t think we needed a ballot to remove the EV Processing Guidelines from the website. Eddy said that if we’ve had an important document on the website for 7 years, then we shouldn’t just remove it without more discussion and the browsers should vote to remove it if they want to. Rick will revise Ballot 89, and Ben said that he would discuss a revised ballot with Rick that could be to the effect that a “no” vote meant that the current version would be removed and a “yes” vote would mean that version 2 gets posted. Rick said that the pre-discussion period has been going on for two years. He’s going to start the official discussion period next week.

5. Application of Firmaprofessional and Disig A.S.: The group reviewed the applications of Firmaprofessional and Disig and noted that they appeared to qualify as CA members of the Forum. Ben suggested that Dean write to their representatives and acknowledge acceptance of their membership.

6. Definition of “rekey” and applicability of BRs to legacy certificates: Wayne said that there has been a lot of debate on the mailing list about this. There are two aspects to the issue – the conflict between contractual provisions and compliance with new requirements. He said that Robin had a good suggestion for dealing with the first aspect by requiring a contractual provision that subscribers must agree to if the Baseline Requirements change. Kirk said we are not a standards body and that enforcement depends on browsers. Ryan said that each CA that applies for inclusion in a root store is responsible for complying with the requirements and that whatever that CA is able to offer commercially is already constrained by what is allowed by the browser root programs–so at the end of the day, every CA needs to conform to industry standards. Eddy said that whatever we offer the customer is of course limited to what we can offer by being in the root store and he thought that most CAs have provisions that provide for this circumstance. Wayne said that there seems to be general agreement that there’s not a reason to not put Robin’s suggestion in Subscriber Agreements. Ryan said that the Subscriber Agreements should specifically reference that changes to the Baseline Requirements are foreseeable. Wayne asked whether someone would write a ballot. Ben said he and Jeremy would write something up. Kirk asked whether it would address the “rekey” issue, and Ben said we hadn’t fully discussed that yet.

Wayne said the second aspect was the debate between rekey and reissue. Rick said we need to address how to handle certificates that were issued prior to adoption of the Baseline Requirements. Wayne noted that there were limited exceptions to the Baseline Requirements for certain cases and that he has proposed what he thinks is a workable solution to clarify what is allowed when a certificate was issued prior to adoption of the Baseline Requirements, and that a couple members have seconded the motion, but others have been strongly opposed.

Wayne said that contractual obligations to issue long-term multi-domain certificates are impacted because they cannot be changed unless they fall into an allowed category. Eddy said his understanding is that when adding or removing host names, for example, if host name rules change, then you have to be compliant with the Baseline Requirements every time when you reissue.

Wayne said that the ballot he is proposing has a very narrow in scope in that it only exempts a CA from the duration limitation of the Baseline Requirements and nothing else. Eddy said that he remembers a couple of years ago, when we were talking about the same issue that Wayne had agreed to the 60 months and that previously issued certificates would comply to that as well. Ryan said that even though the scope of the ballot is limited, there should still be more discussion about what this means for CA practices. If you are going to reissue a certificate, then all of the business implications must really be understood and agreed upon because different parties might have different ideas about what the ballot means. Wayne said the ballot will help define the scope of the Baseline Requirements and help us when we find these cases to address them and so he will put forth the ballot and hopefully get more discussion.

7. Review status of website revisions: Ben reviewed his tracking sheet and gave the following status report:

  • He hasn’t been able yet to do a full review of the draft web site.
  • Info for Consumers – Dean worked on it most recently, but Simon was also asked to edit it.
  • Info for Website Owners – Robin was assigned to it, but it was last worked on by Ben in February.
  • Info for System Administrators – Mert was in charge of that one.
  • Info for Manufacturers and Developers – Rick worked on that on July 22nd.
  • Info for Potential CAs and Browser Members – Dean worked on that in July.
  • Info for Auditors – Iñigo, Don and Reema need to take a look at it.
  • Info for Press – Gerv worked on it. (The news articles doesn’t need much editing - that’s in the “About” section.)
  • Mission and Governance pages have been combined, as discussed during the F2F.
  • Bylaws page hasn’t been worked on since February – Ben will take a look.
  • Members page – Ryan Koski worked on that in February.
  • Leadership – Ryan K. worked on that, too, in February.
  • Mailing list – also needs a little work by Robin and Jeremy.
  • IPR Policy page – Ben needs to do that still.
  • Ben sent Connie a reminder on July 10th – she has been off on holiday and will get to it next week.
  • Research statistics – Ryan Sleevi had put things up there in February. Ryan S. had also worked on several other pages in February. Don was going to look at it.

Ben will send out another reminder email to give the status of where things are and make the tracking sheet available for everyone’s review.

Wayne said that due to the passage of time after volunteering GoDaddy resources to modify the website, those resources are no longer available to him, and he will likely have problems in the next six months or so getting those resources. GoDaddy can continue hosting the site, but we need to select a WordPress template. Ben said he would put out a call for suggested WordPress themes to use on the revised website.

Dean said that he would draft something for the current home page to announce/welcome new CABF members.

8. Other Business–Ankara Logistics: Ben noted that the meetings would be held at Swissotel. Dean said the rate of around 100 Euros looked reasonable, but he also said that he thinks that Turktrust might be making the reservations and then we would pay with our own credit cards at check out.

9. Meeting adjourned: Next meeting is set for Thursday, August 22nd.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed

Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.6 - Ballot SMC08 - Aug 29, 2024

This ballot sets a date by which issuance of certificates following the Legacy generation profiles must cease. It also includes the following minor updates:

  • Pins the domain validation procedures to v 2.0.5 of the TLS Baseline Requirements while the ballot activity for multi-perspective validation is concluded, and the SMCWG determines its corresponding course of action;
  • Updates the reference for SmtpUTF8Mailbox from RFC 8398 to RFC 9598; and
  • Small text corrections in the Reference section

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).