Notes of meeting
10 October 2013
1. Present: Ben Wilson, Stephen Davidson, Eddy Nigg, Rich Smith, Robin Alden, Eneli Kirme, Dean Coclin, Atsushi Inaba, Wayne Thayer, Mert Ozarar, Atilla Biler, Hävard Molland, Gerv Markham, Geoff Keating, Rick Andrews, and Jeremy Rowley
2. Agenda review: Eddy asked that the question regarding exceptions to migration to 2048-bit be discussed. Ben asked that we add discussions about the meaning of EV and the definition of application service provider to the list. Gerv asked to discuss a new working group on certificate format best practices.
3. Minutes: Ben explained that he hasn’t typed up the minutes of the telephone call on 19 Sept. 2013, but he will and circulate them soon.
4. Ballots: Voting on Ballot 89 starts next Monday. Anyone with comments to bring them to the list. Other ballots need to be revisited and presented.
5. Membership applications: Dean noted that we’ve received the application from Atos. They’ve signed the IPR Agreement and confirmed they meet the bylaws and have passed an audit report, but we are still unclear on whether they’ve issued any publicly trusted SSL certificates. There is nothing under Atos in issuance databases, so it’s possible that they are listed under a different name. Dean will go back to them and ask for a confirmation of this because this issue is similar to the reason why we held up the application of Affirm Trust.
6. Bylaws: As noted in Dean’s email and the draft minutes of the Ankara face-to-face, we have discussed the participation levels of interested parties, invited guests, and others. Dean quickly reviewed the proposed language. Dean suggested that we circulate a ballot. Ben offered to take the language and redline page 4 of the Bylaws and then circulate that page so everyone can see what the changes are. Ben will take the action to mark up the bylaws.
Ben asked about the issue raised in Sigbjorn’s recent email about whether Opera met the definition of a browser. Gerv clarified that the issue was the use of a definition for application software in the draft recommendations for processing EV certificates. Turning to the definition of “browser” in the bylaws, however, we need to look at this in light of Oracle’s interest in joining the CABF. The bylaws define “browsers” as someone who makes a browser product. Who we’re talking about are not the root store operators, but also operating platforms in addition to software used for browsing. Ben said we could add operating system to the title “Browser/OS”. We might also have to consider the size of the applicant, but there might be small ones that want to join. If they become a voting member, it might have an impact. This is not trivial, we should take this to the list. If they want to join, we should change the definition so that they fit. Ben will start a thread on the list discussing this topic.
7. Review of working group status: We are moving the revocation working group discussions to the main public list. Dean said that for the code signing working group we had good discussion on the three areas we are focusing on–private key protection (there really is an issue with theft and there have been examples of this previously), enhanced vetting, and information sharing.
Enhanced key protection with a hardware token or storage in a signing portal is the recommendation, but to implement such a drastic change, we might be upsetting current processes. We will put recommendations out to the list for comments, then to the public for comment, and then we’ll have a phase in period over about a year.
Vetting: This has been a concern primarily in the countries of China, Brazil, and Korea. We’re recommending enhanced requirements similar to OV vetting for all of these.
Information sharing: provisions for information sharing were preserved in the draft because we determined that because it was optional and not a requirement that it would not be opposed because if people wanted to share info, they can.
So we’ll be coming out with a draft of the code signing requirements. First they’ll be reviewed by the Code Signing Group, and then for 30 days by the Forum, and then by the public for 60 days. Before we set firm implementation dates, we’d like to get comments back and specifically target software developers and publishing houses and get their feedback on the draft.
EV Guidelines Working Group: we are going to convert both EV Guidelines and Baseline Requirements to RFC 3647 format. Jeremy has both drafts almost done, and by next call he might be able to distribute them.
New Working Group for Recommended Certificate contents: Gerv proposed that a group be formed to address the various performance characteristics to optimize SSL system configuration so that handshakes and SSL communications are streamlined. We should create a working group that gives all of the possibilities, and keeps track of progress on this topic, etc. Mozilla and other people at the face-to-face exhibited interest in having the CAB Forum publish a set of best practices. Ben offered to manage a new email list. Wayne will set it up as cabfperf or performance mailing list.
First we will need to follow the bylaws in setting up a working group. According to section 5.3 of the bylaws, the process is to have a ballot to open up the working group. Gerv will draft a ballot for the working group.
8. Review other tasks and follow-ups from Ankara meeting: We need to make sure we capture all tasks from the face-to-face. Jeremy is mapping our guidelines to RFC 3647. We were also going to distribute the ICANN presentation and other slides from the face-to-face.
For continued discussions on transitioning from SHA 1 we’ll need Tom to be present. Microsoft was proposing some things that were more aggressive than what many of the CAs in the CAB Forum are ready to meet. If those terms were accepted, then we would have a very short transition period. At the F2F we talked about possible requirements to bring in the Baseline Requirement dates to match Tom’s dates, but we would like to propose to Microsoft that they move their dates to meet the CAB Forum dates because Microsoft’s dates are very aggressive.
Rick would like to propose that all browsers agree on a certain policy versus every browser having its own implementation policies.
Gerv thinks it will be difficult to convince Microsoft to move its dates. You might want to take advantage of the next three years and raise the bar for best practices of those certificates that could include shortening the life.
Wayne said he had reached out previously to Microsoft on this issue. He also asked about the suggestion from the Munich face-to-face that we adopt a transition plan with SHA2 being offered as a default.
Eddy said that defaulting to SHA2 will not work because as soon as customers get the SHA2 certificate they’ll be calling right back to get a new one that is SHA1 instead.
Gerv said CAs should develop server patches that support multiple certificates with the ability to serve up different kinds of certificates based on browser capabilities.
Ben asked whether we could create an FAQ about transitioning from SHA1 to SHA2.
Dean said the Microsoft was publishing an article, but if the article contains the deadlines, then we’d need to do something prior to that announcement. By not publishing it, and keeping with the currently suggested deadlines, it could make things worse.
Rick and Wayne will send a message to Tom to see if we can do anything about it and to see if there is an alternative path forward that lessens the impact.
9. Website status: Ben said that he broke all of the links trying to set up the pages as user-friendly permalinks, so he put them back to the way they were. The re-indexing is not happening as it should, but he’ll get some help to figure it out. Ben also asked Wayne whether we could copy all of the different versions of the Baseline Requirements and EV Guidelines from the docs folder over to the media folder so that all of the existing documents can be linked to from WordPress. Wayne said he thought it would be pretty easy. Gerv said we need to make sure to create referral links from our existing URLs. He also recommended that Ben prepare a punch list in order to delegate remaining tasks for the website.
10. Upcoming meetings: Our next call is October 24. Then Nov 7, and it looks like we can keep on this schedule every other week into January next year. We are looking at having our next face-to-face meeting in the San Francisco area the week of February 17 (the week before RSA). Google is going to confirm. For our June 2014 meeting, Eddy has offered to host in Israel. The fall meeting will be hosted by WoSign in China and in 2015 we have offers from Microsoft, SwissSign to have it in Zurich, and e-tugra has offered to host in Istanbul in the fall of 2015. Iñigio/Izenpe has also offered to host in Bilbao at some point in the future. Code signing and EV working groups will meet next Wednesday and Thursday, respectively, and every other week after that.
11. Any Other Business: Eddy asked about providing a response to the question about exceptions to 1k certificate deadline. Dean sent some questions last night to Eddy that can be used to ask in order to clarify the question more, because we need to understand that person’s issue a little better. Discussion on the EV green bar can continue on the list.
12. Next call: October 24