2015-05-28 Minutes
CA/Browser Forum Minutes of May 28, 2015 Attendees: Atsushi Inaba, Atilla Biler, Ben Wilson, Billy VanCannon, Bruce Morton, Connie Enke, Dean Coclin, Doug Beattie, Gerv Markham, Jeremy Rowley, Jody Cloutier, Kubra Zaray, Mads Henriksveen, Mat Caughron, Patrick Tronnier, Peter Miscovic, Rick Andrews, Robin Alden, Ryan Sleevi, Sissel Hoel, Tim Hollebeek, Tim Shirley, Volkan Nergiz, Wayne Thayer
Minutes of 14 May meeting were approved. These will be posted to the public list.
Ballots
Ballot 149: Kirk was not on the call. No update.
Legal Existence by Attorney Opinion Letter (proposed ballot 150): Jeremy had sent out this proposed ballot which Ryan commented on. Ryan said he was satisfied with the responses for now.
Optional OIDs for IV (proposed ballot 151): Dean is working on a ballot with Jeremy and will send out shortly
Domain Validation Ballot: still in the working group. Jeremy said there are 2 types of ways to form the domain name you are validating: (1) by either taking the FQDN and removing parts/labels until you get down to whatever name you want to validate or (2) by only validating the base domain. There has been a debate on which one to do. For example mail.secure.example.com or example.com. You can validate by sending to secure.example.com or by pruning to example.com. The working group feels that they prefer the “pruning” method to make it consistent but wanted to run it by the broader forum for input. Jeremy will circulate this by email to the forum. Robin said he suggested an amendment to the proposal but hadn’t seen it incorporated. Jeremy will review again.
- EV Wildcards: A discussion around what the info in EV certs should represent began. Dean started by saying the 2 options were that the info should represent the owner of the website business you are communicating with or the entity hosting the website (i.e. Akamai). Ryan said the EV guidelines are vague as to what piece of information you should be validating. He went on to give examples of the different parties at play in hosting a website: domain holder (actual registrant or someone from say a whois anonymizing service), entity operating name servers, webhosting entity, Intermediate DNS holder/CDN provider (i.e. Cloudflare), design firm for website, and payment provider for website. Hence it is a complex question. In the context of wildcards, who is an EV certificate saying something about? This is where some of the concern comes in. Hence we need to decide who we want the information in an EV certificate to say about. Then we can discuss how wildcards play a role. Gerv agreed there are multiple parties that could demonstrate domain control but said the party of interest is the business owner, who would have contracts with the other parties. Hence he felt that the name of the party in an EV cert should be the entity responsible for the content in the site. Dean agreed and said this is all about establishing identity. Jeremy disagreed and said it should be about the owner of the private key which could be a CDN and they should be named in the cert. Rick said what good is a cert that says “Akamai.com” for a business that is not Akamai? Jeremy said it tells you who owns the private key. Gerv asked how is that useful? Ryan said this information is not consistently presented to users across browsers. He also cited an example of someone using AppEngine where theoretically Google could see all communication since they terminate the SSL session. Someone might want to know that. Gerv said it is impractical for certs to list all the parties that Ryan outlined above and reiterated that the info should be the one that is most useful to users of that website. Jeremy disagreed with that premise. Wayne questioned that for example hundreds of thousands of sites hosted by GoDaddy should be issued to GoDaddy? That didn’t make sense. Bruce said when the guidelines were created, it was to give the user strong evidence that they were on the site they thought they were. Jeremy agreed and hence hasn’t embraced wildcards on EV. Dean said that when you call your bank today, they may outsource the call center to a third party. They don’t necessarily disclose this and for most people it’s not an issue because you know you called your bank on the number they gave you. Hence the 3rd party isn’t relevant. The bank has a contractual agreement with the 3rd party and that should cover you. How does it help you to know that info in the SSL certificate? Ryan agreed but says it does (rarely) come up with some users. He also said one of the arguments against wildcard certs, for example, *.appspot.com, shouldn’t be allowed for EV because now you are communicating that all of the certs are operated by appspot. However, appspot could get EV certs for each of those domains that indicate you’re communicating with appspot, which may not be what you expect.” Jeremy said that would be true in any case. Ryan said it is true but it may not be what you expect. Tim H said he also would like to clarify what’s in an EV cert and that things like *.appspot.com should not be allowed. Gerv agreed and said the point of an EV cert is to know who you are talking to. Discussion was terminated due to time constraints.
- 2016 F2F meeting locations: Dean said he had offers to host from 2 parties, one in Europe and one in the USA. We are looking for a 3rd potential host, perhaps but not necessarily in Asia. Dean asked for volunteers to send him a note.
- Validation Working Group: No further updates other than domain validation.
- Code Signing WG: We now have a final document which the group is giving a final review. Then it will go to the public forum mailing list for final feedback. A ballot will follow.
- Policy Review Working Group: In the last call, the group went through the document and determined where to add “No Stipulation”. Ben will circulate a ballot to the working group.
- Info Sharing Working Group: No activity
- Other Business: Zurich F2F is up to 35 attendees. We are reaching capacity. Telephone conferencing will not be available. Dean suggested using Skype with an external speaker. One attendee on the list is an Interested Party. Discussion ensued on that but there were no objections.
- Next meeting: June 11th.
- Adjourned.