Notes of meeting, CAB Forum, 6 March 2014, Version 1
1. Present: Ben Wilson, Atsushi Inaba, Adam Clark, Ryan Sleevi, Atilla Biler, Doug Beattie, Marcelo Silva, Dean Coclin, Eddy Nigg, Kirk Hall, Wayne Thayer, Jeremy Rowley,
2. Antitrust Statement and Agenda Review: Ben read the Antitrust Statement and reviewed the agenda. New member applications were briefly reviewed. Mat Caughron has been added as a representative of Apple. Adam Clark and Marcelo Silva have joined as representatives of Visa. Amazon has indicated that their internal review of the IPR has stalled. A new member category of associate member will be proposed in Ballot 116, discussed below. Ben noted that everyone should remember that because these meetings are based on UTC, some members in North America will experience our next call one hour later, relative to their adjustment to daylight savings time.
3. Review of recent past meetings: Ben noted that he hasn’t transcribed the minutes from the 13-February-2014 call. A substantial portion of the minutes from the Face-to-Face Meeting is available on the wiki. Regarding the definition of an SSL certificate, we were unable to definitively resolve this at the F2F, other than to plan moving toward stricter enforcement of the “id-kp-serverAuth EKU” . Ryan is beginning to work on a ballot that memorializes this position and specifies that for intermediate CA certificates with the “anyEKU” EKU, the server-auth EKU, or no EKU (EKU absent), those Intermediate CAs would be considered within the scope of the Baseline Requirements—even if they never intend to issue publicly trusted SSL certificates (and if they indeed never do issue an end entity SSL certificate, then their audit problem is solved by an audit of such intermediate CAs). Ben said that he liked the approach for WebTrust/ETSI audit. He suggested that the technical enforcement mechanism would be to catch, through an SSL-observatory-like mechanism, any publicly trusted SSL certificates that the CA has tried to issue outside of the Baseline Requirements. Ryan said that one of the aspects of the ballot is to require disclosure of the PKI hierarchy for audit purposes and to identify such risks.
4. Ballots: Ben noted that for Ballot 116 (revise bylaws for Associate Members) he was also going to strike mention of the “Participation Agreement” in the Bylaws, since it doesn’t exist. Dean said that he and Kirk were starting work on a membership agreement for members, which could be referenced in the bylaws when it is ready. Atilla asked for clarification about Interested Parties and whether this amendment would affect the ability to have special guests, like representatives of European supervisory bodies, attend in the future, since he hadn’t had the chance to compare the proposal in Ballot 116 with Ballot 110. Ben said that we are not changing the provision that allows the Chair to invite such guests, in his discretion, but he said he didn’t want to open up discussion on the other bylaw provisions that caused Ballot 110 to fail because the idea with Ballot 116, which was an outcome from the F2F meeting, is to resolve the non-contentious provisions first. Kirk said that the removal of the participation agreement and the work that he and Dean are doing on the member agreement will have some relevance toward a lightweight participation agreement and IPR agreement that we’ve previously discussed, so he would like to take a look at what we’ve done in the past. Ben said he would send Kirk and Dean the sample templates that he had collected.
Kirk mentioned that we needed to circulate a ballot on the definition of “internal server name” and Ben said he would finish drafting that ballot.
The ballot for SHA1 sunsetting is also on the table and will be finalized and circulated.
Kirk has prepared a ballot to restore parent, subsidiary, affiliate authority for domain verification in section 11.1 of the Baseline Requirements.
Jeremy said that he had a ballot ready to prohibit a domain name or IP address in the SAN field of EV code signing certificates.
Kirk also has a ballot to modify the insurance requirements for the issuers of EV certificates.
Ben said he would also draft the ballot to remove “OfIncorporation” from the OID descriptions in section 9.2.5 of the EV Guidelines.
5. Upcoming Face-to-Face meetings in Israel and China: Hotel arrangements are being finalized and Eddy is arranging for transportation to and from Ben Gurion airport for Sunday, June 15, and Thursday, June 19. Eddy will be sending a request to the member list to ask who is attending and when they plan to arrive. Those planning to visit Petra should plan to return to Eilat Thursday night. Ben will take a look at his travel itinerary and give people planning to visit Eilat some suggestions. One recommendation was to visit sites in Israel before the meeting.
For the meeting in Beijing, the current plan is to meet from 16 September through 18 September in Beijing and to stay at the China World Hotel. This will be followed by a visit to the Palace Museum, Tiananmen Square and National Museum on Friday, the 19th, and to the Great Wall of China on Saturday, 20th of September.
6. Working Group Reviews: For the time being, those working on the RFC 3647 comparison will use a mapping approach that does not force the existing CAB Forum documents into an RFC 3647 format. The SSL Performance WG is using its online issue tracker and discussions via the working group’s listserv to conduct business. Ben asked how good ideas will be recorded, and Wayne said that it will be done using the issue tracker. The Code Signing WG is trying to wrap up its remaining work. It is reviewing Microsoft’s comments, but the High Risk Database is the key hold-up that still needs to be resolved. The Extended Validation WG continues to meet every other week and uses a spreadsheet to track progress. The majority of EV issues being tracked are related to making the EV Guidelines easier to use in jurisdictions outside of North America and Europe.
7. Any Other Business: Ben said he would contact whoever hasn’t submitted their assigned notes from the Face-to-Face meeting. He and Wayne will also get Visa set up on the email list, wiki, and website.
8. Next phone call: Thurs. Mar. 20th (Note change to Daylight Savings for North America)