CA/Browser Forum
Home » Posts » 2015-08-06 Minutes

2015-08-06 Minutes

Final Minutes August 6, 2015

Attendees: An Ying (CNNIC), Atsushi Inaba, Ben Wilson, Billy VanCannon, Christy McKinley, Dean Coclin, Charlotte Yan (CNNIC), Doug Beattie, Eddy Nigg, Gerv Markham, Jeremy Rowley, , Kirk Hall, Mads Henriksveen, Marcelo Silva, Patrick Tonnier, Peter Miscovic, Rick Andrews, Robin Alden, Ryan Sleevi, Sisel Hoel, Tim Shirley, Tim Hollebeek, Volkan Nergiz, Wayne Thayer

  1. Antitrust statement was read by Dean

  2. Roll Call completed

  3. Review Agenda: No items added

  4. Approve minutes of July 23, 2015 meeting: Minutes approved. Ben to post on website.

  5. Ballot Status: Domain Validation: Undergoing revisions. Kirk said that a revised draft will come up in next week’s working group meeting. IV OIDs Ballot 150: A revised ballot including the EV OID will be circulated soon.

  6. Microsoft Root Program Updates: Jody was not on the call but Christy responded to the questions. Rick asked about the change in policy of OCSP responses to a 2 day lifetime. This may have unintended consequences, especially for those using CDNs, as caching will be reduced and there will be a lot more hits. Another unintended consequence might be to folks interested in short lived certs w/o revocation information. Christy took it under advisement and asked for Rick to send the issue in an email. Gerv asked if Rick could produce a graph with OCSP lifetime along the horizontal axis and relative costs on the vertical axis. Jeremy asked why do the costs matter? Gerv clarified that he is asking about OCSP lifetime, not short lived certs. Doug had a concern about SHA-1 vs. SHA-2. The agreement states that all OCSP signatures must be signed with SHA-2 starting Jan 2016. For SHA-2 hierarchies this is fine but for SHA-1 certs that have been issued and allowed to be used in 2016, Doug is concerned about the effect of this. Clarity around this is needed and he believes that CAs should continue to be able to sign using SHA-1 thru the end of 2016. Christy said Jody is still researching it but asked that another message be sent in to their list. Dean asked if the section on subcontracting had been updated. Christy will follow-up on the list.

  7. Corrections to F2F minutes: Gerv asked for a correction to the minutes on Domain validation methods. Ben suggested deleting the words relating the comment to Gerv. There were no objections.

  8. PAG/Working Group minutes clarification: The PAG is not a Working Group as defined by our bylaws but operates under the IPR Policy. Ryan asked if the PAG list should be public or private as the bylaws can be construed both ways. He also brought up the topic of regular working group minutes and if those were being made public. Kirk said that the minutes from the PAG may not be ready for discussion right away but it’s a question of when, not whether. Ryan said we could make the archives public which would be discoverable by a search engine. Dean suggested that the PAG itself should make a recommendation at their next meeting on this topic and bring it back to the forum. Ryan agreed. On the topic of working groups, Dean said the working groups aren’t generally taking detailed minutes but do produce new drafts and agendas which are distributed to their list. The list is only open to members that have signed the IPR. If you make the list public, then the list is open to those that have not agreed to the IPR policy. The CABF meeting minutes do contain summary of the working groups. Ryan said a concern is the “why” of the working group, i.e. why was a particular item added but conceded there is a balance to be struck. Lastly, Ryan asked if the PAG should be considered the same as a Working Group (per the bylaw definitions). Kirk said it should.

  9. Short Lived Certs: Ben said we discussed this at the F2F meeting (allowing short lived certs w/o revocation information). There was some objection from some CAs (notably Eddy). Dean asked why experiments couldn’t be done with private certs. Both Jeremy and Ryan said you need some scalability from public clients and roots to do a real test. Eddy suggested that Ben talk to browser vendors. Doug said that not all browsers check for revocation during this time frame and hence it would be an interesting test. Ryan said that if you use OCSP stapling, you could remove that data. The discussion ended as we ran out of time. Dean suggested the proponents send out a message to the list to see if we have any consensus.

  10. Working Group Updates: Validation: Kirk said he’d like to see a final ballot come up before the membership for discussion. He believes they are very close to having that ready. Code Signing: Dean sent out the final draft to the management list and will post it to the public list shortly to get it ready for a vote in the forum. Policy: The working group will have a face to face meeting on Sept 9th at Symantec in Washington, DC. We have 7 people signed up so far. Ben said they were looking at taking the Network Security guidelines and adding into the new document and asked the forum for comments. Doug said we discussed at the F2F that we would first put the EV Guidelines into the new format. Kirk said we should add the Network Security requirements in and then the EV requirements. Then delay adding other items until the first 2 pass. Information Sharing: Meeting tomorrow at 1600 UTC. Ben said the Senate didn’t vote on the Information Sharing act in this session. When they return they will review and decide whether to adopt. Dean said the group is concerned about putting people on a “black list” and then trying to remove them or face liability issues by putting them on a black list. Ben believes this bill would resolve some of those issues.

  11. Other business: The Istanbul meeting will be either at the Divan or Crowne Plaza, both of which are near Taksim Square. A dinner will be held Wednesday night. We expect to have a final hotel by next week. Please register for the conference on the wiki.

  12. Other business:

  13. Next Teleconference Aug 20th.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed

Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.6 - Ballot SMC08 - Aug 29, 2024

This ballot sets a date by which issuance of certificates following the Legacy generation profiles must cease. It also includes the following minor updates:

  • Pins the domain validation procedures to v 2.0.5 of the TLS Baseline Requirements while the ballot activity for multi-perspective validation is concluded, and the SMCWG determines its corresponding course of action;
  • Updates the reference for SmtpUTF8Mailbox from RFC 8398 to RFC 9598; and
  • Small text corrections in the Reference section

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).