CA/Browser Forum

2015-04-30 Minutes

Attendees: Dean Coclin, Ben Wilson, Doug Beattie, Gerv Markham, Atsushi Inaba, Kirk Hall, Volkan Nergiz, Rick Andrews, Moudrick Dadashov, Kubra Zeray, Eddy Nigg, Wayne Thayer, Mads Henriksveen, Sissel Hoel, Tim Hollebeek, Billy VanCannon, Jeremy Rowley, Tim Shirley, Peter Miskovic, Robin Alden, Ryan Sleevi

  1. Minutes of 16 April meeting were approved. These will be posted to the public list.
  2. Ballot 146 (Conversion of BRs): Ballot passed.

Ballot 149 (Bylaw updates from Kirk): This ballot adds a WebTrust BR requirement for CAs and also requests that applicants provide an example URL of a site that uses their cert (among some minor procedural changes). Ryan said the ballot changes the WebTrust for CAs to Baseline Requirements, which is a concern for Google. The BR audit is currently reflected in the requirements of root stores, membership of which is required for CA/B Forum admission. Ryan said that this new requirement significantly narrows membership to a work product of the forum. Kirk couldn’t understand why any CA would want to join the forum if they didn’t follow the BRs. Ryan said this was irrelevant to the topic and said the primary concern was that the public would have to be subject to rules which the public had no input on. Kirk countered that we require WebTrust for CAs, which is in the same category (i.e. no public input). Ryan said this was not a work product of the forum. Gerv gave a scenario whereby some CA may have a problem with the BRs and would like to join to help correct the problem but would be prohibited under Kirk’s proposal. Gerv continued to say that membership in the forum shouldn’t be subject to a forum work product as it gives incumbent members some advantage. Kirk said such an example was not realistic. Gerv said that membership in the CA/B Forum isn’t equivalent to that of root programs. Eddy said that before the BR guidelines were effective, there was never a requirement to comply with the EV guidelines, as an example. Hence making a requirement to comply with BRs doesn’t make sense. Dean said that if this was the only potential “issue” in the ballot and if the ballot doesn’t pass, we may “decouple” the other issues and propose a separate ballot for those. Neither Gerv nor Ryan expressed concerns on the other parts of the ballot.

Domain Validation Ballot: Working on re-drafting the ballot. Kirk suggested bringing it back to Validation WG for further discussion.

  1. Browser Security Indicators: Rick reiterated what he stated at the Cupertino F2F meeting: Chrome and Firefox intend to deprecate RC4 (as an example) and are starting to reflect in their security indicators whether RC4 is used or not. It may be confusing to website owners and relying parties to understand why they are not seeing the proper security UI because of this reason. Rick asked the browsers for some help in researching why the particular UI is indicated (developer console, debug log files). Rick indicated that Richard Barnes of Mozilla acknowledged this at the F2F meeting and would like a way to formally track this. Gerv suggested he reach out to Richard directly. Ryan also acknowledged the request on behalf of Google and said it is being worked on. Some diagnostic capabilities exist today and more are coming (in Chrome). Rick can also file a bug in Chromium if there are specific “pain points” so they can be actioned and tracked.
  2. Membership Application, National Certification Authority RUS: We have received an application from a Qualified CA in Russia. IPR was signed by an appropriate party. They don’t have a WebTrust or ETSI audit, nor are they publicly trusted by the major browsers (Gerv confirmed they are not in Mozilla and Rick confirmed they are not in Microsoft). It was recommended that they be given the opportunity to join as an Interested Party. Moudrick mentioned that he knows this CA from a separate work group and is the one that encouraged them to join the forum but acknowledged they do not meet membership rules for a full member, but it would be good to have them as an interested party.

A separate application came from Access Company (NetFront Browser). They had some questions about the IPR which Ben will respond to.

  1. Email from the public on Validation: An email with a pointer to a document was received. Dean asked other members for comments and a recommendation for a response. Ryan and Kirk suggested he submit it to the IETF instead.
  2. Validation Working Group: No further updates other than domain validation.
  3. CSWG: Someone suggested we re-format the draft into the 3647 format. Ben and Inigo wanted to see this done. Jeremy had mixed feelings; on one hand, it would be nice to have this done. On the other, we’ve spent so much time to get to this point that any further delay is not desired. Dean suggested we try to get the document passed as is since it won’t go into effect for another year. During that time, we can propose another ballot with a reformatted version so that the ETSI and WebTrust teams can get it into a version they will use. Everyone agreed on this approach.
  4. Policy Review Working Group: Since the ballot passed, Ben will go back through the document to check all the cross references to the older version. Will have something for the next meeting to discuss.
  5. Info Sharing Working Group: No update.
  6. Other Business: Dean said the EU representative invited to the Zurich meeting cannot make it but will try to attend the Istanbul meeting in the fall. Dean also said that an EU “TrustMark” was announced. Moudrick said that it is not yet clear how it will be used. Mads said the TrustMark will be used for all types of Trust Services. We will hear more about this at the fall meeting. There is a one hour slot open for the F2F meeting. Please let Dean know if there are any additional topics to add.
  7. Next meeting: May 14th. Adjourned.