Notes of meeting, CAB Forum, 20 March 2014, Version 1
1. Antitrust Statement was read.
2. Agenda reviewed.
3. Present: Ben Wilson, Doug Beattie, Phill Hallam-Baker, Jeremy Rowley, Atsushi Inaba, Ryan Sleevi, Eddy Nigg, Geoff Keating, Dean Coclin, Kirk Hall, Robin Alden, Gerv Markham, Moudrick Dadashov, Rick Andrews
4. Minutes of 30-Jan-2014 and 6-Mar-2014 were approved.
5. Ballot review: Current tally of votes on Ballots 116 (revise bylaws for Associate Members); 117 (EV Code Signing fixes); and 119 (remove “ofIncorporation”) is available on Google spreadsheet. Voting ends Monday. Ballot 112 to revise the definition of “internal name” was discussed. Ryan S. and Kirk both said that the new gTLD issues in section 11.1.4 are complex/complicated, so it may be better to keep this ballot simple and to set for voting without any additional language to section 11.1.4. This was accepted as the approach and Ben said he would send the ballot out. He also said that he thought we need to look at the SHA1 transition issues in greater detail before considering a ballot, but that is another discussion that we need to have at another time with more data. On other ballots, Kirk said that he would be circulating some draft language.
6. Membership Applications: Dean noted that he had circulated documentation from SHECA – Shanghai Electronic Certification Authority Center Co. Ltd (WebTrust report, URL information and some sites with certificates that they have issued) for review. The general consensus was that Forum membership criteria had been met, even if technical implementation questions remained. Dean will send them a welcome email and Ben will add their name to the list of members on the website. There was nothing new to report on other previous indications of interest in joining the Forum except that Oracle has indicated that they will not be able to join. Kirk said it might be useful to see what in particular they found troubling with the IPR. Dean will ask them if they could tell us that, at least for future reference.
7. Discussion: Unique Identifier for Subscribers of Code Signing Certificates: Robin agrees with Jeremy’s point that we are interested in the difficulties of maintaining reputation, and keeping that reputation for as long as possible. He asked whether there is a good argument that if we don’t address the negative reputation with unique identifiers we are making it easier for bad guys by helping them get brand new identifiers, as Richard Wang has argued. Jeremy said his understanding, unless someone disagrees and can further clarify, that is the way that the online reputation system works– you start out with a zero or negative reputation and you have to build up to a good reputation. That’s why Microsoft would this identifier, so that you don’t have to rely on zero or negative reputation.
Ben said that the Code Signing Working Group wanted to be able to refer to a bad actor information source. He asked whether there would be any objection if he reached out to the Anti-Phishing Working Group or somebody else with concerns about malware in order to work with them to divert liability for black listing by working in conjunction with an industry group. Isn’t that the next step? Robin thinks it would be a good idea to get everyone involved that would like to, in order to broaden the scope of the industry effort.
Dean said we can discuss this further during the next Code Signing Working Group call, next Thursday, March 27, beginning at 1500 UTC. (The EV WG call would follow the CSWG call at 1600 UTC.)
Kirk expressed concern about a blacklist because CAs should not be declaring applicants as bad. The only real solution is for other parties, like browsers or other third parties, to keep lists so that CAs can defer to those. CAs can’t do this in any way on a coordinated basis and each CA has to make its own decision.
Jeremy agreed and said that CAs can accept information from browsers and third parties about risk during the application process. The unique identifier is not to tell you anything about the nature of that applicant, it is only for allowing browsers to carry over the reputation. If applicants don’t want to carry over anything, then they can apply for a new unique identifier. For registered entities, you would use the registration number, in combination with other location data. For individuals, something else is needed for the identifier. Ben said that a unique identifier based on industry standards could be used.
Phill said we need a unique identifier, but we cannot jump into this and design it within the committee right now. It needs to be done right, with a lot of thought and planning. Adopting any unique identifier that is not a very good one could be worse than not having one at all. We only get a limited number of chances to do something right.
Jeremy said that people in the CSWG including Microsoft would like to make progress on this issue. It would be a good idea to get more input, ideas, and suggestions, but he doesn’t think this should be something that we should sit on.
Phil said that while Microsoft is one of the entities working in the code signing initiative, the problem with code signing all along has been the lack of an industry-wide response. We’ve had recent issues with attacks on SCADA systems and we should be setting our objectives higher rather than rushing to fill the needs of one platform provider.
Rick: The reason we have been working with Microsoft is because they are the ones that are responding and willing to work on these issues in the CSWG.
Phil: Adobe and Oracle have recently shown interest.
Ben: Let’s hear from those browsers on the call, if they are willing to say anything.
Geoff: Apple has its own code signing, so it really doesn’t apply to us.
Gerv: We have very little interest in code signing.
Ben: To me it seems that the only thing we don’t have is something to address an identifier, where we have a specific field in the certificate where we include an identifier, with a standard that already exists. Is Phill’s problem with the UUID standard is that it is not sophisticated enough?
Dean: We can continue this in the Code Signing Working Group, which will take place next Thursday.
8. Upcoming Face-to-Face meeting in Israel: What is the CA/B Forum position on entities who want to sponsor events during our face-to-face meetings? Ben and Moudrick both said they thought that Dean’s proposal to allow the host to decide what to do was an acceptable approach. Dean noted that this issue arose in preparation for the Ankara face-to-face and that deference should be given to the host to decide how to address these offers. Kirk said he thought that any company offering to pay for dinner would be expecting something in return, like the opportunity to make a presentation or something. He said it would be fine if someone wanted to invite them to dinner or something like that. He would actually prefer it if we agreed in advance to pay something to the host for these meetings. We do not want to get into the position of having lots of vendors expect our attention during our meetings.
Eddy said that he understands that people do not want to listen to vendor pitches after day-long meetings. He asked Dorit Oren of ARX to send the question to the list because he wanted us to discuss what we would prefer. Ben said that as a contrary position to Kirk’s view, it is not necessarily a vendor’s position that when they sponsor a dinner that they want to make a presentation. It may be that they are trying to build name recognition or good will—they are not necessarily trying to do a hard-sell. He thinks that if expectations are known beforehand that we are not going to listen to a presentation, then it is what it is. Kirk said he would feel uncomfortable having them pay for a meal if he had absolutely no interest in what they had to sell. Dean said that ARX sells a digital signature solution.
Ben wondered whether we should set an attendance fee. Kirk thought it was a good idea. Dean said it was doable with a credit card approach. Kirk said that $200 would be a good amount. Ben said we could do something like that. Eddy said it wouldn’t be necessary. In order to wrap up discussion, it was decided that if Eddy wanted, he could offer that ARX could attend dinner and pay their own tab.
9. Working Group Updates: The next EV WG call is on 27-Mar-2014. Wayne will circulate an email to the SSL Performance WG to open discussion about certificate contents. For Code Signing, key issues of the info-sharing database and the unique identifier will be discussed on the next call, also on 27-Mar-2014.
10. Any Other Business: Gerv said that in case he hadn’t communicated it previously, Brian Smith is no longer at Mozilla, so the SSL Performance Group will need to find a replacement chair — a representative from one of the browsers would be strongly preferred.
11. Next phone call — Thurs. April 3
12. Meeting adjourned.