2014-08-07 Minutes

Minutes of CA/B Forum Teleconference, 7 August 2014

1. Antitrust Statement: Read by Ben.

2. Roll Call: Atilla Biler, Patrick Tronnier, Ben Wilson, Atsushi Inaba, Eddy Nigg, Steve Roylance, Richard Wang, Kirk Hall, Jeremy Rowley, Cecilia Kam, Chris Casciano, Kelvin Yiu, Dean Coclin, Gerv Markham, Ryan Sleevi, Rick Andrews, and Tim Hollebeek

3. Agenda Review: Reviewed. A brief recap of recent IETF meeting was included under other business.

4. Approve Minutes:Minutes of 24 July 2014 approved as amended.

5. Ballot review: None pending; review status of Ballot 125 on CAA. Rick says he thought that the last thing was someone had asked for rewriting one of the sentences that Ben had added. Ben will take a look at it after the call.

6. Code Signing Discussions:

EV Code Signing

Steve Roylance asked about amending the validity period limits on timestamping certificates for EV code signing. He would like to extend the period to 135 months. He asked the group why there is no validity period limit on timestamping certificates in the Code Signing Baseline Requirements but there are in the EV Code Signing Guidelines. GlobalSign tries to have a timestamp valid for a 10-year period or more, and the maximum period in the EV Guidelines is ten years. Steve is looking for a couple of sponsors for a ballot and asked whether there would be any chance of having the same requirement for both Baseline and EV code signing. Kelvin said that the Code Signing WG did discuss the 10-year period. For Baseline, we did away with the maximum certificate lifetime, but specified that the private key would have to be replaced every 15 months, but that we do want to keep the validity period as short as possible. Steve said that he would work on a proposal.

Baseline Requirements for Code Signing

Dean said that CA/B Forum members have another week to review the Baseline Requirements for Code Signing and to make comments. If we are OK with the way it is, then we could circulate it publicly for a 90-day period. Jeremy said we are looking at the middle of August to begin the time period. He thought we could have a 60-day period, collect comments, and release a second public draft for a 30-day review. This will keep it fresh in peoples’ minds. Dean asked whether that meant we would have two comment periods. Jeremy said it was just to wrap up new comments. Dean said that if we do that, then it will go for audit review, and next audit cycle, everyone should just be aware that it will be at a least a year until we see full implementation. Jeremy said it depends on when a software company incorporates it into a requirement. Kelvin said that there are two ways this happens – one is that it is audited as part of set criteria, which is what they prefer, but another way is that Microsoft can make it part of a written agreement with CAs.

He noted that there was not much for the working group to discuss further until we have received more comments. Jeremy said he did not think we needed to have a ballot before publishing this draft. Dean asked whether we needed to make any changes. Jeremy said that there is some clean up because the version has redlines. We have a working group call next Thursday, so we would release it after that working group call. The working group can decide how to divide up the public comment period (90 days vs. 60 days plus 30 days).

7. Working Group Updates: EV working group: Jeremy said that there are a bunch of proposals that will be coming up for a ballot but that the work is quickly winding down.

Policy Review working group: This WG is looking at the NISTIR 7924 and identifying requirements that are not found in the Baseline Requirements.

8. Review Beijing Meeting Logistics: Richard: has updated the wiki page. Ben read through what Richard has posted on the wiki page. We have 22 attendees. A reservation code exists for the China World Hotel. There is information on getting to the hotel from the airport. There is also information about social outings and meals. Dean noted that we have added a couple of new attendees, including a couple of auditors. We have said this will be fine since that is what we allowed when we visited Turkey. Ben also noted that advance work on the agenda will be important. Kirk expressed gratitude of the group for the efforts made by WoSign to host this face-to-face meeting.

Ben noted that according to the Bylaws and the officer election, which took place two years ago this October, the offices of chair and vice-chair will be open for election this October, and that this announcement is just to give everyone a heads-up that we will be accepting nominations for chair and vice-chair. Dean said that it was originally envisioned that the vice chair would be elected to chair after two years, but if people want to make a change, that is doable.

9. Other Business:

Report on IETF Meeting in Toronto: Rick said that he attended the meetings and attended the TRANS and TLS meetings. He noted that a new group was formed called UTA (“Using TLS in Applications”), which will discuss the extension of TLS to other applications, but that from what he has gathered, there will not be likely impact for the way CAs currently operate. The TLS group continues work on TLS version 1.3. Maybe the group of most interest for the Forum was the TRANS working group– Public Notary Transparency. At that meeting a couple of people said they are building log servers, including Akamai and Comodo. There were a lot of discussions about implementing CT with DNSSEC. Rick also noted that on the TRANS list, some CAs have brought up the fact that there is a lot of confusion about what they are supposed to be following.

Ryan Sleevi said that Google has made it clear that it is the RFC 6962 and that discussions of Google’s CT policy can be followed on its CT policy list–you do not need to go to the IETF’s TRANS list. If you have question about the technical details or Google’s policy, then that should occur on the CP policy list. If there are any changes, then that is where it will be announced. Rick said that there is still an issue about which logs will be accepted. Ben said he found it informative to learn that the work on RFC 6962-bis might be split so that CT monitoring and auditing would be in a separate RFC.

Certificate Policy Object Identifiers in Certificates: Jeremy asked if he could talk briefly about requiring use of the DV and OV OIDs found in the Baseline Requirements. Right now there is ongoing discussion about using the CA/B Forum OIDS in certificates. Different people want to use the OIDs for different reasons–some for an attestation of compliance, others, like Netcraft, to track and report on types of certificates, and people reporting on or following these types of certificates are having problems because they are constantly having to make changes to their tracking systems. Ben asked about next steps. Jeremy said that if people are in favor of such a proposal, then it would require a ballot, but we’ll want to have a discussion of it first on the list, and he wanted to kick off the discussion on this call.

February 2015 Face-to-Face Meeting: Dean noted that the last time we went around asking for hosts of face-to-face meetings we came up with a list, but for the next meeting after Beijing, Microsoft is unable to host and Kirk from Trend Micro has offered the possibility of hosting it in February, and it will not conflict with RSA, which in 2015 is in April. Dean said that pretty soon we’re going to have to nail down dates. Kirk asked whether anyone on the call could notify him by email of any obvious time conflicts.

** 10. Next phone call** - Thurs. Aug. 21st

11. Meeting Adjourned