CA/Browser Forum
Home » Posts » 2014-04-03 Minutes

2014-04-03 Minutes

Minutes of 3 April 2014

1. Antitrust Statement – read by Dean.

2. Agenda reviewed. Eddy would also like to discuss next meeting issues.

3. Present: Dean Coclin, Dave Barnet, Jeremy Rowley, Ben Wilson, Mads Henriksveen, Sissel Hoel, Phill Hallam-Baker, Atsushi Inaba, Ryan Sleevi, Cornelia Enke, Eddy Nigg, Wayne Thayer, Imren Altepe, Robin Alden, Gerv Markham, Moudrick Dadashov, Rick Andrews, Rich Smith, and Stephen Davidson

4. Minutes of 20-Mar-2014. Eddy was going to follow up with ARX. He said that they are still looking at their budget, so they may not be sponsoring anything. Dean was going to follow up with Oracle. He reached out, but he has not heard back from them regarding their problems with our IPR Policy. He will follow up one more time. The minutes were approved.

5. Ballot review: Voting on Ballot 112 closes today. There were no other draft ballots that anyone wanted to discuss.

6. OTA Interested Party Application: OTA just wanted to keep on top of what is going on with code signing, to be added to the list for that. Dean said that they have sent in their IPR Agreement, so he did not believe there was anything to discuss. Ben said the issue was really about Item 7 on the agenda, so we could move on to that.

7. Discussion – Scope of Code Signing Work within CA/Browser Forum: Gerv pointed to Mozilla’s post this morning to the list. (Microsoft had posted its position yesterday to the list.) He said that Mozilla plans to abstain on votes related to EV Code Signing, but if nothing occurs leading it to reaffirm support, then eventually the CAB Forum should withdraw from working on the document and allow other organizations to maintain it. Ryan said that Mozilla had stated Google’s concerns. His concern is that it is implemented by only one program, so it does not have a driving force like other standards. He noted that others members had raised the EV Code Signing Guidelines as a concern. He also noted that other code signing stores are not involved-only one browser that is involved.

Dean said that this is really about two issues – the maintenance of the EV Code Signing Guidelines and the Code Signing Working Group, and we need to make sure not to confuse the two issues. There is the Code Signing Working Group, which was chartered by the Forum to work on code signing baseline requirements, and then we already have the EV Code Signing Guidelines. If people want to uncharter the Code Signing WG, then it has to be by vote of the group.

Rick said he would like to see Google more involved in code signing work because it is a consumer of code signing services within its Android platform. Ryan said they did not want to be involved in code signing work. Ben said he understood that those browsers don’t have an interest in it and don’t want the topic taking up their time. We could form another organization with a new IPR Policy acceptable to Oracle, but we need to put the full-court press on Oracle so that we know where to go on this issue, if that works.

Ryan said that Google had expressed concern during discussions about the bylaw revisions about having a non-CA/non-Browser having control over the SSL policies. Currently we have a structure that recognizes both parties’ investment in the ecosystem. The objection that Google had to the bylaws was the revised definition that had no distinction between parties fully invested in the ecosystem and those that were not fully invested.

Ben said we could restructure the way we do things by amending the Bylaws with a different set of voting rules and create a code signing voting class and separate the voting procedures for SSL and for code signing, but voting percentages would have to change for code signing class because there would be less of them.

Ben asked if there were any final comments.

Draft Minutes of the teleconference of 3 April 2014 were distributed on 3 April 2014. Under Item, 7. Discussion – Scope of Code Signing Work, the second-to-last paragraph has been amended at Jeremy’s request to read: Rich said he thinks that additional work on EV Code Signing should be halted until issues have been worked out and there is broader interest from more Forum members. Jeremy disagreed. He said that the EV Code Signing document is important work of the Forum that cannot simply be abandoned, and that if you look at the last ballot, it was to fix a problem and maintain the document. He also argued that if we work on guideline documents and we only have a single adopter of a guideline in a space filled with 4 or 5 browsers, then the work has been a significant driving force and one that is probably envied by most other industry standard groups.

Eddy said that even though there might be problems with working on code signing in the group, at least we have the benefit that it is handled out in the open by the Forum so those who want to see what is going on can, rather than having it happen privately without public review. Moudrick agreed.

8. Working group updates:

Code Signing WG: the call is next Thursday at 1500 UTC. We’re still trying to identify databases that could be used for pre-screening suspicious applications. Jeremy has another draft almost ready to circulate.

EV Guidelines WG: there are a couple of draft ballots that are being worked on. The next meeting is on next Thursday as well, at 1600 UTC, the same time as when regular CA/B Forum meetings are held.

Performance WG: We need a new co-chair to join Wayne. Gerv will talk with people at Mozilla and get back to us. Wayne said that they will be starting work on certificate contents, and an email would be going out soon.

9. Wrapping up Minutes of Last Face-to-Face: We need to get the minutes of the last face-to-face finalized before the next call.

10. Other Business: Eddy would like to organize air transfers from Ben Gurion to the regional airport and then to Eilat. Ben said he would update the wiki page by adding a few more columns for arrivals and departures. Eddy asked if everyone could log in and write in their information about when they will arrive in Tel Aviv and when they plan to depart and that he would take it from there.

11. Next phone call - Thurs. April 17

**12. Meeting adjourned. **

Latest releases
Code Signing Requirements
v3.7 - Mar 4, 2024

S/MIME Requirements
v1.0.4 - Ballot SMC06 - May 11, 2024

Ballot SMC06: Post implementation clarification and corrections

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).