Read Antitrust Statement. The Statement was read.
Roll Call: Attendees: Ben Wilson (Digicert), Billy VanCannon (Trustwave), Cecilia Kam (Symantec), Christie McKinley (Microsoft), Connie Enke (SwissSign), Doug Beattie (Globalsign), Eddy Nigg (Startcom), Gervase Markham (Mozilla), Jeremy Rowley (Digicert), Kirk Hall (Trend Micro), Kubra Zaray (Turktrust), Mads Henriksveen (BuyPass), Mat Caughron (Apple), Patrick Tronnier (OATI), Ryan Sleevi (Google), Sissel Hoel (Buypass), Tim Shirley (Trustwave), Volkan Nergiz (TurkTrust), and Wayne Thayer (GoDaddy). Chaired by Vice Chair Kirk Hall.
Review Agenda. There were no changes to the agenda.
Approve Minutes of 28 May 2015. There were no changes to the draft minutes, so the minutes were deemed approved.
Ballot 149 – Kirk reviewed his proposed change to Ballot 149 on amendments to Bylaw 2.1 membership rules to eliminate the requirement of audits by CA applicants, and instead simply to require that the CA applicant have at least one root in the independent trusted root stores of at least two browser members, and asked for comments. Gerv stated he had not yet had time to review the new language and so had no comment at the present time. There were no other comments. The matter will be discussed again at the face-to-face meeting in Zurich.
Pre-ballot on Domain Validation. Jeremy said the Validation Working Group had almost finished its work on this ballot, and would likely do so at its meeting next week. The pre-ballot will then be ready for discussion in Zurich.
IV/EV OIDs. Jeremy stated that Dean Coclin of Symantec was working on a ballot for new OIDs for IV and EV certs, similar to what exists in the BRs now for DV and OV certs. This will be discussed at the Zurich meeting.
- Request from Microsoft to CA partners to sign new contracts
Christy stated that Microsoft was updating its root certificate program contract, and described the process that would be followed. CAs must provide preliminary information by June 15 on CA information and who will sign for the CA, and then the new agreement must be e-signed within 90 days. She also stated that new root program rules had been published, and that minor edits would be made in the next few weeks.
Kirk asked if there would be any transition or grace periods for compliance for things that would take time, such as creating new issuing sub-CAs that include specified OIDs for DV, OV, or EV, etc. Christy said that each CA that needed more time should send Microsoft a proposal for when it would be in compliance, and Microsoft will let the CA know if the plan is acceptable. Someone asked if Microsoft had prepared a document showing what changes were made from the old program rules, and Christy said no.
- Application from HARICA for membership
Kirk reviewed the application materials from a Greek CA that had applied for membership, HARICA, and said that with additional links recently provided to HARICA’s ETSI audit the company appeared to him and to Dean Coclin to qualify under the Forum’s membership rules. He noted the useful ETSI information provided by Erwann Abalea indicating that the Greek government was not current in ETSI fees and so was suspended, that current information about qualified auditors in Greece may not be available, but that available information about the auditor in question did not indicate any non-qualification or invalidity of the audit.
Kirk therefore proposed that HARICA be added as a CA member and asked if there were any objections. No one objected, and so HARICA will be added as a member. Kirk asked Connie if there was room for HARICA to come to the Zurich meeting, and Connie said she could probably work that out if HARICA wants to come.
- Membership status TrustCor Systems
Kirk noted that WebTrust had suspended TrustCor’s right to use the WebTrust seal because of issues as to the form of BR WebTrust audit provided by TrustCor’s auditor (previously discussed by the Forum), but apparently had not yet received a response or plan of correction from the auditor. He noted that TrustCor has a root in the Windows trusted root store (but is not yet issuing certificates), does not appear to have a WebTrust for CAs audit, and that the Forum had extended observer status to TrustCor on its March 5 call and TrustCor was coming to the Zurich meeting.
Kirk stated that perhaps the Forum had “jumped the gun” in offering observer status to TrustCor without a WebTrust for CAs audit before its BR WebTrust audit issues were resolved, but proposed maintaining the observer status decision for now and asking TrustCor for its plan of resolving the audit issues. He asked if there were any objections to that proposal. There were no objections.
- Short-lived certs
Doug stated the present proposal was to amend the BRs so that certs with a validity period of 3 days or less can omit revocation information, and can be post-dated by up to one day. He said a ballot would be proposed soon. Jeremy indicated support for short-lived certs without revocation pointers, and stated they had similar security to longer-term certs with revocation pointers. Kirk stated that Trend Micro continued to oppose certs that lack revocation pointers because revocation information does protect some users, and allowing certs without revocation pointers would just continue the current slide away from checking for revocation.
- Validation Working Group Status Update
Jeremy reiterated his prior comments that a domain validation methods ballot was almost complete. He noted there was a pending ballot concerning revised rules for use of an attorney/accountant letter and asked for questions; there were none. He then briefly discussed a future ballot to allow EV validation for non-registered businesses, which were common in certain countries.
- Code Signing Working Group Status Update
Jeremy stated that there had been last minute questions on the most recent code signing draft ballot, and that these were being resolved and a ballot would be presented soon.
- Policy Review Working Group Status Update
Ben stated the working group was reviewing the recent reformatting of the BRs to an RFC 3647 format, and determining whether it was correct to include the words “no provision” for many subsections. To do this, the group was reviewing certain NIST and ETSI security recommendations to see if they should be added to the BRs as new requirements. Kirk suggested that if the working group found new provisions it liked, it might be more efficient to bring them first for discussion to the whole Forum before drafting specific new BR language. Ben also said the working group was considering whether or not to convert the EV Guidelines to an RFC 3647 format and would bring the question up in the full Forum.
- Information Sharing Working Group Update
Ben stated the working group had made progress, but its work was on hold due to the uncertain status of a bill before the US Congress which might make security information sharing easier and provide certain legal protections for the parties. Once this is resolved, the group can complete its work.
- Any Other Business
The Zurich face-to-face meeting on June 23-25 is now up to 35 people. Kirk asked Connie if there were any updates on the meeting, and Connie said no, all information was already posted on the wiki. She said anyone with questions should contact her directly.
There was no new information on the Istanbul meeting, scheduled for Oct. 6-8.
Kirk said there had been a request to add President Obama’s recent memo ordering all US government websites to become HTTPS-only to the agenda, and asked if anyone had ideas how this might be leveraged by the Forum as a project to encourage others to move to HTTPS-only, or if the browsers might consider new methods to encourage HTTPS-only, such as new browser UIs, etc. There was no response.
Next teleconference July 9th, 2015.