CA/Browser Forum

2014-11-13 Minutes

  1. Antitrust Statement was read.

  2. Roll Call: Rick (Symantec), Bruce (Entrust), Atsushi (Globalsign), Jeremy (Digicert), Tim S (Trustwave), Kirk (Trend Micro), Wayne (GoDaddy), Gerv (Mozilla), Eddy (Startcom), Connie (Swisscom), Jody (Microsoft), Kelvin (Microsoft), Robin (Comodo), Rich (Comodo), and Davut (E-Tuğra)

  3. Agenda reviewed. There were no changes to the Agenda.

  4. Minutes of 30 October 2014. The meeting minutes (as previously corrected for a name misspelling) were approved by consent. Ben to post on website.

  5. Ballot Review. There are no pending Ballots. Gerv indicated the pending pre-ballot on short-lived certificates was still being worked on, but not ready to present as a ballot for voting.

  6. Financial Responsibility for CAs. Kirk indicated he was still interested in comments from members on his two conceptual proposals for new financial responsibility requirements for CAs (see below), and also indicated Moudrick of SSC had wanted to discuss the status of insurance further.

Moudrick was not on the call, so Kirk said he assumed Moudrick wanted to know if there would be a ballot to eliminate the current insurance requirements under EV Guidelines Section 8.4 as previously discussed. On that point, Kirk said it appeared from prior discussion there was consensus to delete EV Guideline Sec. 8.4, but he had presented the two financial responsibility proposals to be considered as a substitute.

Kirk opened discussion to his first proposal to establish capital requirements (similar to the capital tests of EV Guideline Sec. 8.4 for those CAs who want to self-insure). There were no comments in support or opposition.

Kirk then opened discussion to his second proposal to limit a CA's ability to disclaim all legal liability for DV and OV certs (similar to the limitation that exists today for EV certs under EV Guidelines Sec. 18, which does not permit a CA to limit its legal liability to less than US$2,000 per Subscriber or Relying Party per EV Certificate). Kirk pointed out this proposal would not create any new type of legal liability under applicable law, but would only limit a CA's ability to cap its liability at the same $2,000 figure, if there is in fact any legal liability.

Eddy said he liked the concept generally, but was not sure about what the amount should be. Perhaps other approaches should be considered, such as an aggregate amount for a CA for all certificates and all claims. Jeremy said he did not favor an aggregate liability approach for all claims and certificates, and said it might be appropriate to set a minimum amount for potential liability other than zero, but he was not convinced yet.

Eddy said a CA should only be responsible for what it has done, so that it would not be fair to hold a CA liable for identity checking for a DV cert. Kirk agreed and said the proposal would not make a CA legally liable for things that were not part of the authentication process, so there would likely be less potential liability for DV certs than for OV or EV. Eddy said some CAs limit their potential liability for DV and OV certificates to $0, some don’t, and some provide additional warranties for competitive advantage, but relying parties generally don’t know this when looking at a website secured by a certificate. There were no other comments.

Kirk said the discussion was useful, and asked members to continue thinking about whether either new financial responsibility requirement would be useful.

  7. Posting of Comments to Public List by the Public (IPR Issues): Kirk noted the recent list discussion on whether re-posting comments and ideas by non-Forum members to the Public list presented IP problems, as the commenters have not signed the Forum's IPR Agreement. These comments come in two main ways: private emails that members republish to the Public list with permission, or messages to the Forum's questions@ address that are republished to the Public list for discussion.

Kirk recalled that the main reason why the Forum created its IPR policy was to help members find potential IPR infringement claims in new ideas being considered for the BRs, EV Guidelines, or other Forum efforts. Jeremy added that we wanted to avoid undisclosed "submarine" patents that the Forum might include in its rules without knowing, which could result in infringement claims, possibly years later. He also noted that the current IPR policy called for a PAG Committee of Forum members to review all new rules against the patents and other IP that members had disclosed to look for possible infringement, but that no one in the Forum had volunteered to do this and so we were not fully enforcing our IPR policy.

Kirk said he did not necessarily see a big danger from reposting third party comments and suggestions to the Public list without obtaining an IP agreement, as the ideas were already disclosed and known to the Members (at least if posted to the questions@ or management address), and in any case the risk of infringement seemed low. He asked Gerv to expand on his idea of a simpler form of IP agreement for people who want to post comments (maybe enforced as a click-through requirement before posting). He also asked if the Forum should consider opening its Public list to everyone, but noted that might require someone to monitor third party postings, and could result in lots of irrelevant postings.

Gerv stated that many of the current messages from third parties were from individuals not representing their companies, and that the Forum’s current IPR agreement was probably too complex and onerous for them. He suggested creation of a short form agreement stating the commenter had no IP in any ideas suggested (or was waiving the IP) might be more appropriate. He also said he favored opening up Forum discussions to the public in some fashion. Rick said he thought some groups with public lists, like IETF, might already require a similar short form click-through IP acknowledgement or waiver.

Jeremy recalled that Microsoft in particular was eager for an IP policy to apply to all people and companies participating in the Forum in any way, so opening the Public list might be problematic. Gerv noted that the Forum’s Bylaws already allow defined Interested Parties to participate in the Forum, mainly through Working Groups but potentially in other ways, if they will sign the full IPR Agreement – maybe this would be a way to expand participation. Or we could allow an Interested Party to sign a short-form IP acknowledgement and waiver as an alternative. Gerv pointed out there were potentially people with great expertise who could help the Forum if we find a way for them to participate. Kirk expressed a concern that if we open participation too broadly, we could receive a great many requests (some from experts who would help us, and some from people with no particular expertise), and it would be uncomfortable to accept some and reject others. Gerv thought it was unlikely we would receive many participation requests.

The Members reached no conclusions on these issues.

  8. EV Working Group Update: Jeremy noted that the last call had been cancelled due to schedule conflicts, so there was no report.

  9. Code Signing Working Group Update: Jeremy said that he and Dean Coclin would be meeting with Don Sheehy (representing WebTrust) in California next week to make sure the new code signing guidelines would be auditable. Others are welcome to join the meeting if interested.

  10. Policy Review Working Group Update: Ben Wilson was not on the call, so there was no update.

  11. Information Sharing Working Group Update: Jeremy stated that Ben Wilson asked for volunteers for this new working group, and a number of people have shown interest. Ben is trying to find a convenient time for the working group to hold its teleconferences, and will send out an invitation for the first meeting soon.

  12. Any other business: Kirk gave an update on Dean Coclin's Doodle poll concerning the best date for a face to face meeting in Istanbul hosted by E-Tuğra next fall. The three alternative weeks (Sept 28th, Oct 5th, or Oct 12th) are roughly tied. Kirk noted that October 12 is Thanksgiving Day in Canada. Kirk then read the names of those who have responded to the Doodle poll, and suggested that anyone who had not yet responded on the dates should do so. The final decision on the date will be made by the host and the Chair, and announced at a future date.

  13. Next phone call. Kirk mentioned that the next scheduled date for a Forum call is Nov. 27, which is Thanksgiving Day in the US. The group discussed two alternative call schedules to get around that holiday plus Christmas and New Year.

Option 1: Forum calls on Dec. 4, Dec. 18, and Jan. 8. This would mean three meetings in that period, but working group calls on the proposed new dates would have to be moved, which could be difficult.

Option 2: Forum calls on Dec. 11 and Jan. 8. This would mean only two meetings in that period, but working group calls would not have to be moved.

The members appeared to favor Option 2 as the least complicated. Dean Coclin will announce the schedule for meetings in the coming two months in the next few days.

  14. Meeting adjourned.