CA/Browser Forum

2015-03-05 Minutes

Minutes of March 5, 2015

Attendees: Dean Coclin (Symantec), Doug Beattie (GlobalSign), Kirk Hall (Trend Micro), Bruce Morton (Entrust), Rick Andrews (Symantec), Ben Wilson (DigiCert), Robin Alden (Comodo), Mads Henriksveen (BuyPass), Billy VanCannon (Trustwave), Chris (didn’t catch last name) (Trustwave), Tim Hollebeek (Trustwave), Cornelia Enke (SwissSign), Atilla Biler (TurkTrust), Gerv Markham (Mozilla), Jeremy Rowley (DigiCert), Atsushi Inaba (GlobalSign), Kubra Zeray (TurkTrust), Burak Kalkan (TurkTrust), Cecilia Kam (Symantec), Jody Cloutier (Microsoft), Anoosh Saboori (Microsoft), Ryan Sleevi (Google)

  1. Antitrust Statement was read.
  2. Minutes of Feb 19th meeting (as amended by Erwann) were approved. Ben to post to website.
  3. Ballot Status: Ballot 145: Voting closes later today but so far, everyone has approved it.
  4. Membership application from Trustcor: Kirk said applicants should have both a basic WebTrust and BR WebTrust audit. Kirk reminded the forum that AffirmTrust was made an Observer during an interim timeframe. Dean proposed we grant them Observer status (no voting) until they can . Kirk would like to amend the bylaws to make it clear that both documents are required for full membership. Gerv said we shouldn’t impose our own documents as membership requirements on applicants and that our membership criteria should be “generous”. Kirk challenged this by saying if browsers require both audits, why shouldn’t we? Gerv said he didn’t think the criteria for being part of the CA/B Forum should be the same as being in a browser and asked what problem Kirk was trying to solve. Kirk said that if they can’t pass both, then they aren’t a real CA. An example was given of a CA that just issues code signing certificates as one who would not have both audits. Kirk didn’t think that was realistic. Jody said this is possible. Kirk suggested then that if you are doing SSL, then you need both. Jody suggested that the requirement should say that you need an audit for the state of business you are operating in. Jody will send out a table he is working on that contains requirements for CAs. Kirk countered that if that proposal passed then CAs that are not issuing SSL could vote on SSL matters. Jody said we’d have to work that out. Kirk will propose something at the F2F meeting.
  5. IPv6: Ryan was waiting to confirm if there were going to be any issues with the DNS v6 requirements by hearing from other network operators but is now comfortable with formalizing the draft ballot.
  6. Public List and reposting: Kirk said that we all re-publish things to the public list like links, materials, papers and none of those have signed an IPR. Hence he wasn’t clear on why we can’t re-post from people on the questions list. Doesn’t make sense to restrict these postings. Ryan said he would like to make it clearer (possibly in the BRs) to do so and would like to see greater public involvement especially when it pertains to the Forum’s interest. Kirk said we should come up with a process so that the public can post and discuss at the F2F. Ryan said absent that framework, does the Forum have any issues with reposting messages to the Forum (relevant to the Forum)? Gerv said the questions list is not public and we shouldn’t just repost items from that list to the public list (w/o permission). Ryan suggested we can re-post items to the public list as long as we have permission. All agreed.
  7. Validation Working Group: Jeremy said the Operational Existence ballot is about to close. They are working on a new draft of the Domain validation ballot which should be finalized at the F2F. Two more ballots are being finalized: verification of legal existence and verification of business entities.
  8. Code Signing update: Planning to finalize at the F2F meeting. Public and forum comments have been received and reviewed.
  9. Policy Review WG: During F2F we will continue working on amending the BRs to the RFC 3647 framework, assuming the ballot will pass.
  10. Info Sharing WG: Discussion happening on what should occur when malware is discovered. More to be discussed next week.
  11. Microsoft will be presenting on Tuesday of the F2F meeting. All members are invited to attend. Jody said that Microsoft is working to re-draft its auditing and program requirements. He plans to share it with the Forum once it is internally approved, around end of March.
  12. Any other business: Zurich meeting will be week of June 23rd. Signups will happen later this month. Kirk said we have 32 members coming to the F2F meeting. Continue to send agenda items to Dean.
  13. Next meeting will be March 11th in Cupertino, CA.

Dean Coclin, CA/B Forum Chair

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).