2015-01-22 Minutes

CA-Browser Forum Conference Call – 22 January 2015

1. Antitrust Statement was read.
2. Roll Call: Kirk Hall presided as Vice Chair, and took the roll call. Present at the meeting were: Kirk Hall (Trend Micro), Ben Wilson (DigiCert), Atsushi Inaba (GlobalSign), Bruce Morton (Entrust), Doug Beattie (GlobalSign), Gerv Markham (Mozilla), Jeremy Rowley (DigiCert), Atilla Bilar (TurkTrust), Volkan Nergiz (TurkTrust), Robin Alden (Comodo), Eddy Nigg (Startcom), Stephen Davidson (Quo Vadis), Jody Coultier (Microsoft), Tim Hollebeek (Trustwave), Rick Andrews Symantec), Mads Henriksveen (Buypass), Anoosh Saboori (Microsoft), Peter Miškovič (Disig), Patrick Tronnier (OATI), and Wayne Thayer (GoDaddy),
3. **Agenda reviewed. ** There were no changes to the Agenda.
4. Minutes of 8 January 2015 The meeting minutes were approved by consent. Ben to post on website
5. .Onion proposal update

Kirk asked Jeremy for an update on his .onion draft ballot for allowing EV certs for .onion domains. Jeremy revised the ballot to permit multiple TorDescriptorHashes in the certificate. The modified ballot was posted yesterday. He noted he had one endorser (Google), and was still looking for a second endorser. Wayne said GoDaddy would be the second endorser. Jeremy said he will move forward with the ballot.

6. Ballot results 141 and 142 and next steps

Kirk reviewed the results of the two ballots, both of which failed by not receiving a 2/3 affirmative vote from the CAs. Ballot 141 (retaining liability for misissued certs plus dropping EV insurance requirements) failed among CAs 8-10 no and passed among browsers 3-2 yes. Ballot 142 (dropping EV insurance requirements) failed among CAs 13-8 yes and passed among browsers 4-0 yes. Kirk asked for suggestions from the group on how to proceed.

Gerv said Eddy has summed up the situation well in an email, and suggested that the members might want a pause before working on this issue again. He suggested we later look again at past ballot 133, which tried to update existing EV insurance requirements to something more useful and appropriate – maybe this could be a starting point. Eddy pointed out that the North American CAs seemed to oppose the elimination of current EV insurance requirements, while CAs from elsewhere generally supported it, and this might suggest a discussion on reasons why.

Atilla noted that European CAs generally must already maintain insurance to issue Qualified Certs, and there were new regulations coming that would probably require them to extend insurance to SSL certs soon. He said TurkTrust had voted yes on both ballots because the issue of insurance would soon be settled for European CAs – on this basis, perhaps the BRs don’t need to specify rules on maintaining insurance, but each CAs jurisdiction could decide that. He also suggested a delay in returning to the subject, but said a possible framework could be to set some sort of minimum financial base, then leave it to the CA and its local jurisdiction to decide on insurance requirements. Perhaps the better approach would be for the BRs to simply require disclosure in the CPS of a CA’s financial and insurance arrangements – this could provide a CA with strong finances and insurance with a competitive advantage among customers.

7. White paper from Google and Univ. of Penn. on SSL Warnings

Dean had circulated a white paper from Google and University of Pennsylvania on browser UIs and the effectiveness of SSL warnings among consumers, and wanted to know if the members would like a presentation from the authors at the Cupertino meeting in March. Tim said he would be very interested.

8. Membership Application of ESG de Electronische Signatuur B.V. from Netherlands

In written materials, Dean has stated that the application of ESG de Electronische Signatuur B.V. to join the Forum appeared to meet all of the Forum’s membership criteria, and he recommended we accept the CA as a new member of the Forum. There was no objection, and so ESG de Electronische Signatuur B.V. was accepted as a member by consensus. Dean will inform them of the decision.

9. EV Working Group Status Update

Jeremy reported on this issue, and stated that the group will come back with a proposal to change the working group’s name to the Authentication Working Group as the group’s work sometimes extended into parallel provisions in the BRs. Rick suggested if this was done that we solicit participation again among the members, as some may not have participated in the past because they don’t issue EV certs.

10. Code Signing Working Group Status Update

Jeremy stated this group was nearly finished with draft Code Signing Baseline Requirements, and would report a final draft ballot back to the members for consideration very soon.

11. Policy Review Working Group Status Update

Ben discussed the goals of this working group, which was taking the security provisions of the Baseline Requirements (including Network Security requirements) and the EV Guidelines, and mapping them to other relevant documents like NIST requirements, ETSI and WebTrust requirements, and RFC 3647 (sections 5 and 6). The goals might include filling in the BRs and EVGL where they are missing useful requirements, and possibly rearranging our current requirements to map to these external reference documents. The Working Group will meet next week at Symantec’s offices in Waltham to make further progress.

12. Information Sharing Working Group Update

Ben stated this working group had a call the next day at 8 am Pacific, and was discussing ways that members can share information about parties who have been rejected for code signing and SSL certificates or had their certificates revoked. The current approach is to divide the information into different fields depending on the type of threat posed. He said the information might be anonymized to help avoid legal liability, and the rules would specify that the decision of whether or not to issue a cert would be left solely to the issuing CA. The group is also discussing ways to encourage contribution of information from participating CAs so that no one was just taking and not sharing.

13. Any Other Business – CT Update / F2F Meeting / Other

Kirk asked if there were any updates on CT implementation, but there were no comments.

Kirk stated again that the next face to face meeting was at Trend Micro’s office in Cupertino, CA on March 10-12. The deadline for Aloft Hotel reservations at the group rate is Feb. 12, and Kirk encourage anyone who had not yet notified him of the need for a room to send him an email before that date.

Ben raised a new topic for discussion. He stated that a NIST document, NIST FIPS 201, relating to PIV and PIVI cards currently states the cards “should” contain the anyEKU extension, and NIST was proposing to change that to “may”. He asked what other members thought, and whether the Forum should contribute comments and perhaps suggest the anyEKU extension should be deprecated instead, as it could create vulnerabilities in some applications.

Gerv said that Mozilla Firefox doesn’t accept anyEKU for SSL certificates, so it wouldn’t matter to Firefox. He added that the anyEKU concept is flawed, as it implies that such a cert can be used for any purpose which isn’t true. Anoosh stated that the anyEKU extension in the end entity certificate isn’t very important, as it is the application that decides what the certificate must contain, so this might be irrelevant as an issue.

14. Next phone call – February 5, 2015

Kirk asked if there was any other business, but there were no comments. He noted that the next phone call would be at the same time in two weeks.

Meeting Adjourned