CA/Browser Forum

2015-07-09 Minutes

Approved Minutes July 9, 2015

Attendees: Atsushi Inaba, Ben Wilson, Billy VanCannon, Bruce Morton, Burak Kalkan, Davut Tokgoz, Dean Coclin, Doug Beattie, Gerv Markham, Jody Cloutier, Kirk Hall, Mads Henriksveen, Mat Caughron, Patrick Tonnier, Peter Miscovic, Rick Andrews, Robin Alden, Tim Hollebeek, Tim Shirley, Volkan Nergiz, Wayne Thayer, Marcelo Silva, Dimitris Zacharopoulos

  1. Antitrust statement was read by Robin Alden

  2. Roll Call

  3. Review Agenda: No changes to agenda

  4. Approve minutes of June 11, 2015 meeting: Minutes approved. Dean asked for remaining note takers to submit minutes from F2F meeting as there were still a few sections missing. Robin said he would submit his items shortly.

  5. Ballot Status: Ballot 149: Voting closes tomorrow and it looks like it will pass. Domain Validation: Jeremy was not on the call and Ben asked that we defer this to the Working Group update later in the call. IV OIDs Ballot 150: This ballot was circulated and a few comments came back which Dean said he needed to discuss with Jeremy. Kirk suggested that the OID list online be updated to say “Organizational Validated” rather than “Identity Verified”. Dean to discuss with Jeremy.

  6. Microsoft Root Program Updates: Jody joined later in the call and we reviewed certain provisions that were discussed in Zurich. Jody is reviewing the open questions on OCSP and subcontractors and is willing to revise the latter provision. Dean pointed out 2 other areas that could be interpreted differently. Jody didn’t agree with those interpretations but will be talking to their attorneys to ensure there are no ambiguities. Revised Root Program rules are expected to be published shortly.

  7. CNNIC Application: All items were received from CNNIC; however, members questioned whether they were licensed in China and the wisdom of having a CA also be a domain registrar for a TLD. The latter was dismissed as not being relevant. Regarding the licensing, Gerv said they had a valid WebTrust audit (where something like this should be checked). Kirk said we should just ask CNNIC if they believe they should be licensed in China and explain. Dean said he sent them a note on 6/29 but had not received a response. Dean sent a follow-up request today. Admission is pending the answer to the email. [UPDATE: Explanation received from CNNIC after the call and forwarded to members]

  8. IAB Paper on PKI: Bruce discussed a paper he had seen on the IETF web site. Some members have sent in comments. Kirk asked if such a paper was typical for the IETF. Rick thought it was.

  9. Request to form PAG (Patent Advisory Group): Ryan Sleevi was unable to join. Dean gave a summary of the PAG per the IPR Policy (section 7) and referred to Ryan’s memo to the public list. He also called for volunteers and the following came forward: Mat-Apple, Gerv-Mozilla, Ben-Digicert, Dean-Symantec, Jody-Microsoft. It was assumed that someone from Google will also join but that is not confirmed. Dean will publish a request to the membership for other volunteers. The PAG will need to appoint a chair and convene a meeting. Dean will request that a new mailing list be created.

  10. OpenSSL Vulnerability: A short discussion ensued on the latest OpenSSL vulnerability. Bruce thought the vulnerability required client authentication. Gerv said he thought it applied beyond that. Mat agreed. Tim and Wayne said browsers were unlikely to be affected but other applications would be. Tim said VPNs would be one example. Bruce said the impact is limited to those releases that came in June. Mat said Apple products don’t appear to be affected.

  11. Working Group Updates: Validation: Ben gave the update. Revised drafts went out after the last call. Still working on “well known certificate directory”. Need to specify port numbers. Code Signing: Dean said there were still 1-2 open items that need resolution and we are waiting for some input from Microsoft. Policy Review: the working group continues to move forward reviewing the document. Information Sharing: Meeting tomorrow at 1600 UTC.

  12. Other business: Istanbul meeting still on for Oct. 6-8th. Davut reported that he is finalizing offers from hotels for the meeting in Istanbul and expects to announce it in 2 weeks. He will provide a lower cost option that will be nearby for those that wish to choose that. Dean advised not to book travel until hotels are finalized. The wiki page will be up for registration shortly. For the Feb 2016 meeting, Dean asked that members respond to the online poll regarding the exact dates. 19 responses have been received so far.

  13. Next Teleconference July 23rd.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).