CA/Browser Forum

2015-02-05 Minutes

Attendees: Dean (Symantec), Gerv (Mozilla), Jeremy (Digicert), Atsushi (Globalsign), Ben W (Digicert), Tim S (Trustwave), Davut (E-Tugra), Robin (Comodo), Doug (Globalsign), Patrick (OATI), Volkan (TurkTrust), Kubra (TurkTrust), Eddy (Startcom), Tim H (Trustwave), Anoosh (Microsoft), Wayne (GoDaddy), Chris (Trustwave), Jody (Microsoft), Peter (Disig), Ryan S (Google)

  1. Antitrust statement was read.
  2. Minutes of Jan 22, 2015 meeting were approved.
  3. Ballot updates:
     a. EV Working Group name change to Validation working group: Jeremy has proposed a ballot to change the name and scope of the working group to include other validations, not just for EV. There are 2 endorsers and the discussion period starts after the call.
     b. .Onion Ballot: Jeremy will circulate an update and the review period will start today. Robin asked if wildcard certificates will be allowed. Gerv sent out an explanation of why they will be allowed: there is a single private key, so the idea of different mutually-untrusting entities owning and controlling different parts of the subdomain space doesn’t really make much sense for .onion. Eddy challenged this, saying the same thing would apply to normal webserver certificates. Gerv further explained why that is not the case, since there is only 1 Tor private key for that domain. Further discussion ensued on wildcard certs in general and it was suggested that an additional topic on wildcard certs be added to the face to face meeting.
     c. Additional ballots are coming out of EV working group on using attorney opinion letters and domain validation issues as well as operational existence for government entities. On the latter point, Jeremy said they would like for CAs to rely on the verification of the legal existence of the government entity to prove operational existence (instead of having to wait 3 years). Dean said we should wait on this ballot so we can keep it to only 2 active ballots at a time.
  4. Vivaldi: A new browser called Vivaldi was recently launched. Dean communicated with Yngve about having Vivaldi join the forum as a browser. Yngve stated they are currently focused on their project and can’t afford the distraction of the forum. Dean will follow up with Yngve later this year.
  5. IPv6: Ryan is still soliciting feedback from CAs on this topic but hasn’t heard from many. Wayne (GoDaddy) is waiting for his network team to provide feedback on this proposal. Ryan stated that Rick (Symantec) had previously said IPv6 is already supported. Eddy asked why this is urgent. Ryan pointed him to the list for recent discussions. Ryan also emphasized the need for the information (transition period, large server operators). Wayne said that if the transition period is a year or longer, that would probably be ok (so that orgs can get into budget cycles). If it’s shorter, there may be pushback from CAs. Ryan stated that is reasonable. Dean suggested that he poll the CA Security Council, which is composed of the 7 largest SSL issuers, and provide a response to Ryan by next meeting. Ryan would like to know who is and is not IPv6 ready and what timeframe is reasonable.
  6. EV Working group update: See 3c above.
  7. Code Signing Working group: A final draft of the BRs, incorporating comments from the public, auditors and other CABF members, will be sent out after the call. Asking for comments to be returned by March 6th. Expecting to have ballot ready for voting by face to face meeting in March.
  8. Policy Review Working group: meeting in Boston postponed due to blizzard. Held 2 hour call instead. Decided to put a ballot forward to change BRs to RFC 3647 format. Once that passes, we will continue to work the rest of the document and submit individual ballots on a section by section basis.
  9. Information Sharing Working group: Ben could not give an update during the call.
  10. Other business:
     a. 26 attendees signed up so far for face to face meeting. Received confirmation from Adrienne Porter-Felt that she will come and present her paper on SSL warnings. Kirk invited people from Oracle and they may come but nothing is firm yet. Kathleen Wilson (Mozilla) will also make a presentation. Microsoft has a separate slot but the topic hasn’t been solidified.
     b. June Zurich meeting. Gerv said neither he nor anyone from Mozilla can come that week. Dean said he would discuss with Kirk and Connie to see if a change is even possible.
  11. Next call Feb 19th.

Dean Coclin

CA/B Forum Chair
