2015-09-17 Minutes

Minutes of CA/B Forum Teleconference – September 17, 2015

Attendees: Ben Wilson, Billy VanCannon, Bruce Morton, Burak Kalkan, Cecilia Kam, Davut Tokgoz, Dean Coclin, Dimitris Zacharopoulos, Doug Beattie, Jeremy Rowley, Jody Cloutier, Li-Chun Chen, Marcelo Silva, Patrick Tonnier, Peter Miscovic, Robin Alden, Ryan Sleevi, Tyler Myers, Volkan Nergiz, Wayne Thayer, Vicky (CNNIC), Sakeeb (Microsoft)

1. Antitrust statement read by Dean
2. Roll call completed. Attendees listed above
3. Agenda reviewed
4. Minutes of 3 Sept 2015 reviewed and approved. Ben to post to website.
5. Ballot Status: Ballot 150 failed for lack of quorum due to confusion as to whether it was live or not. Ballot 151 is the replacement ballot and voting will start on Sept 21st.

5a. Side discussion on membership status of Trustcor and whether they are allowed to attend CA/B Forum calls. Consensus (and bylaws) state it should be chair’s prerogative. Ryan said such discretion should be applied consistently in the future as well. Ben agreed. Dean agreed to invite them.

6. IO: (Robin) A company called Pivotal came up with an idea to offer a combined service: DNS resolution of a name and provision of a wildcard service in such a way that you can reach any IP address on the Internet controlled by a single wildcard certificate, which happened to be purchased from Comodo. Their stated reason was that it was for developers setting up systems but didn’t want to buy a certificate for each name they had and there didn’t seem to be any intention to run live services behind this certificate. However, Robin stated that it didn’t seem right. To allow the developers to use this, the company published the private key and Comodo revoked it on those grounds. Since then they company hasn’t gone out to get new certificates and Robin believes this has gone away for now. Ryan stated that this isn’t the first time this has happened (not necessarily from Comodo but with other CAs) and that it comes down to the BRs and the point about sharing private keys. Google’s view is that this is a BR violation, not the CA’s fault, but that of the subscriber’s.
7. EV Guidelines and BR Merge: Ben stated he is in favor of this and said that Tim Hollebeek recently suggested that the EV Guidelines be added as an Appendix to the BRs, which would also be a good approach. Volkan also was in favor as he thought it would be easier for auditors. Marcelo suggested they be kept separate as it would be confusing for CAs that don’t do EV like Visa. Ben said if it was an Appendix, it shouldn’t be a problem. Ryan wasn’t sure what advantage an Appendix would offer rather than a separate document. He also said he’s seen successful merger of this in the ETSI documents. Ryan preferred either separate documents or fully integrated documents with distinguishing marks where the policy call outs are. Ben said the only criticism of doing the latter is that it makes the document voluminous and that an appendix would be cleaner. Ryan suggested a marker in the BRs to the Appendix which Ben thought was a good idea. Ben also said he has started the process within github but needs someone other than the editor (Ben) to approve requests so we need a process for that.
8. PAG Update: Ben said the PAG has met and continues to make progress. Ryan said they are providing guidance and recommendations to the IPR policy. A draft email to the forum is being prepared to highlight some of those findings as well as steps to remediate some of the concerns. The goal is to clear up some of the interpretations and continue to make progress to provide a framework for the validation group to continue their work w/o risk of misinterpreting anything.
9. Domain validation: The proposed ballot which, will eliminate #7 (any other method), raised concern that all the other methods may be patented and would raise essential claims. Until the PAG decides what the process will be, we may want to delay the ballot. Ryan agreed. Doug said if we left #7 in, would there be value in proceeding. Jeremy said no. He then said we really need to wait until the PAG review is complete.
10. Validation Working Group: Jeremy said that Kirk wanted to push the ballot forward but Jeremy thought they should wait until after the PAG call. Wayne said a compromise position would be to add #7 back into the ballot for now and then it can be removed later. Dean said this was supposed to be a dynamic process and that #7 or other items could be added later. Dean suggested that the working group take all this feedback and come up with a recommendation (via consensus) next week.
11. Code Signing Working Group: The group has finished the comments from Opera but needed some input from Microsoft on a couple of items. Once that is complete, a reply to Opera will be sent on the list. A final document should be ready for the F2F meeting.
12. Policy Review Working Group: The group met in DC at Symantec’s office. There has been some feedback that the Network Security requirements are insufficient and need to be improved. Ben said he is open to suggestions from those that have been critical but would like to merge those into the BRs. The group will meet again in Istanbul.
13. Information Sharing Working Group: Ben said the group is looking at setting up some kind of sharing system that doesn’t share personal information (w/o waiting for any kind of legislation in the US to pass). There has been some interest shown by Microsoft to move forward to share info on code signing.
14. Any other business: Everyone should have received their hotel reservation for Istanbul by now. Davut said he needs dates from Cornelia and Moudrick.

On a separate issue, Ben asked if anyone has had issues with iOS9 and name constraints. Ryan said that historically they (Apple) have not supported name constraints. Ben said that they have seen some mis-processing. Robin said they saw some different behavior on pre-release but it is ok now. Dimitrios said HARICA has had name constraints before and hasn’t seen any issues with iOS9.

Dean said he had been contacted by Cisco as a potential new member and is waiting for their IPR to be signed.

Jody sent out the redlines to the changes they are making to the root program for November. On October 10th, Microsoft will publish the list of CAs and Roots that will be removed for non-compliance.

On item 4C3a of the root program rules (revocation), there is a minimum validity of 8 hours and some CAs have a min of zero. Hence Jody said they might eliminate the 8 hour minimum time.

Patrick asked about a program cover letter which was referenced in the program documents. Jody said it was sent by Christy to the public list but apparently she didn’t have privileges to do so, hence no one received it. Wayne will fix that and Christy will resend.

Patrick asked about the WebTrust requirement (WebTrust for CAs + BR) in the Microsoft documents. Jody said they expect two audits from all SSL CAs. Patrick said his auditor was planning one audit but will specify that both audits apply. Jody said if WebTrust allowed that, it would be fine.

15. Next call: Dean proposed no call on Oct 1st since we are meeting F2F the following week. Jeremy said it might be a good idea for a short call to prepare for F2F. Dean had sent out a draft F2F agenda to the list. Ryan said it was reasonable to cancel the call. Jeremy concurred.
16. Meeting Adjourned