Minutes of CA-Browser Forum Meeting – 2 April 2015
Attendees: Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton (Entrust), Burak Kalkan (TurkTrust), Davut Tokgöz (e-Tugra), Doug Beattie (Globalsign), Eddy Nigg (Startcom), Gervase Markham (Mozilla), Jeremy Rowley (Digicert), Kirk Hall (Trend Micro), Moudrick Dadashov (SSC), Patrick Tronnier (OATI), Rick Andrews (Symantec), Ryan Sleevi (Google), Wayne Thayer (GoDaddy).
- Antitrust Statement was read.
- Minutes of March 19th meeting were approved. Ben to post to website. Rick wants to edit his portion of the minutes of the Face to Face meeting in Cupertino March 11-12 concerning code signing certs after listening to a portion of the meeting recording, and will let Dean know when his edits have been completed.
- Ballot Status:
Pre-Ballot 146 (conversion of BRs): Ben to revise this as a regular ballot and start the discussion period soon.
Ballot 147 (Attorney-Accountant Letter Changes): Jeremy said he would soon circulate a final draft to the Validation Working Group, and then post as a ballot for general discussion.
Ballot 148 (Issuer Field Correction): Doug stated there had been discussion about further edits to the language, but that was not going to happen and the current ballot is ready for voting. Jeremy noted that Ballot 148 was already in the voting period, and voting would end later that day (but no one had voted yet). After discussion, the members agreed by consensus to simply start and complete voting that day.
Potential Ballot on support for IPv6: Ryan said he still wants to proceed with this as a ballot and will post a draft ballot soon.
Preballot on Domain Validation Method Revisions: Jeremy said he had posted an updated version of the draft ballot to the public mailing list. The new version will be discussed by the Validation Working Group next week, and then posted to the public list for discussion.
- US-CERT advisory concerning domain validation through emails. The members discussed the recent US-CERT advisory claiming that domain validation through the use of emails and responses presented a vulnerability. The members noted the methods had been outlined and approved by the Forum since 2008 (the five permitted prefixes had been pruned from a longer list of potential common addresses usually controlled by the domain owner), and were widely used even by certain browser apps. There was also discussion of the potential vulnerabilities of the other methods listed for domain control verification in the Baseline Requirements at Section 11. The consensus was that US-CERT was incorrect in saying the email method of domain confirmation presents a vulnerability, that no changes were required, and that the Forum did not need to make any formal response to the US-CERT advisory.
- CNNIC sub-CA issue: The members discussed the recent CNNIC sub-CA issue, and noted that Google had recently published its response. Gerv stated that Mozilla was about to publish its response, which would be similar to the Google response. There was consensus that the Forum did not need to take any action.
- Working Group Updates:
Validation Working Group: Jeremy stated there was nothing to add beyond what he said about the status of the preballots. He stated the working group had a few other issues it was still working on.
Code Signing Working Group: Jeremy said there had been some confusion on one issue at the face-to-face meeting in Cupertino, and that a revised version of the Code Signing Baseline Requirements would be posted soon. He also stated that the EV Code Signing requirements would be amended to clarify requirements concerning how a permanent identifier works.
Policy Review Working Group: Ben stated that he had already given his update when discussing the status of Ballot 146. Other projects will await the outcome of this ballot.
Information Sharing Working Group: Ben stated the working group will have a teleconference tomorrow to discuss pending legislation in the US Congress which could help companies share information about possible threats by creating some limited immunity from parties listed as potential threats.
- Other Business:
Next Face-to-Face Meeting – Zurich, June 23-25, 2015: Kirk noted that SwissSign needed to know immediately if anyone else needed hotel reservations for this meeting. He also stated that anyone interested in participation in the Netcraft meeting in the UK the prior weekend should contact Netcraft as soon as possible.
Application of Kimberly Martin of FiServ to join as Interested Party: Kirk noted that Kimberly Martin of FiServ had applied to be an Interested Party and wanted to serve on a number of working groups. However, Dean had pointed out that she signed the IPR Agreement only in her individual capacity, and not on behalf of FiServ, but was using a FiServ email address – he wondered if that presented any problems. The members agreed this could cause confusion, and Ms. Martin should be encouraged either to have the IPR Agreement signed by FiServ (if she is participating as a FiServ representative) or to use a personal email account (if she is participating only in her personal capacity) to avoid confusion. Ryan said she should also be encouraged to consult with FiServ’s legal department to find out their preference, as Google had certain rules for when and how Google employees could serve on open source committees.
Consideration of vetting and certificate lifetime issue: Jeremy stated he thought the members might continue the prior discussion on possible alignment of the vetting and validity periods for different types of certificates (DV, OV, and EV), but noted it was not listed on the Agenda. He suggested it be added as an agenda item for the next meeting.
- Next telephone meeting will be April 16th. The meeting was adjourned.
CA/B Forum Vice Chair