Minutes of CA/B Forum Teleconference – December 10, 2015
Attendees: Atsushi Inaba, Atilla Biller, Ben Wilson, Bruce Morton, Burak Kalkan, Davut Tokgoz, Dean Coclin, Dimitris Zacharopoulos, Doug Beattie, Eddy Nigg, Jeremy Rowley, Kirk Hall, Li-Chun Chen, Mads Henriksveen, Patrick Tronnier, Peter Miscovic, Rick Andrews, Robin Alden, Ryan Sleevi, Sisel Hoel, Tim Hollebeek, Tim Shirley, Tyler Myers, Wayne Thayer, Wendy Brown
- Antitrust Statement Read
- Roll Call completed
- Agenda Reviewed. New topic on LV certificates added.
- Minutes of 12 November meeting: The minutes were approved and will be publicized.
- Ballot Status: Ben is updating github with new policy working group ballots. A new policy working group ballot (159) is forthcoming for section 4 of the BRs. Ballot 157 (amend IPR) has been assigned but not yet balloted.
- Proposed “LV” Certificates: Jeremy brought forward an item regarding “LV” or Legacy Verified certificates. This was brought up by Facebook and Cloudflare in order to find a better way to deprecate the SHA-1 certificates. They would be distinguished by an OID. Jeremy didn’t have a specific proposal but just wanted to get a feel how forum members thought about it. Dean asked how this improves the security of the ecosystem? Jeremy said that older browsers would have no security (if they don’t work with SHA-2) so this provides some security to them (since they can’t move to SHA-2). Kirk said he has some sympathy for the older browsers but is concerned about enforceability. Jeremy said the website would use SHA-2 first but fall back to SHA-1 if there was an issue. Wayne said the enforcement should be in the browsers by blocking SHA-1. Kirk said it comes down to allowing some encryption (via SHA-1) or no encryption by not allowing it. Wayne said that sites could conceivable get a 3 year SHA-1 cert from some CAs now and avoid this issue.
- Domain Validation Ballot: The Validation Working Group went through 5 remaining questions and is working through “random values” and “test certs”. He is hoping to have something for full review at the Scottsdale meeting, if not sooner.
- Membership Applications: We received a membership application from the Ministry of Interior of Korea. All items were in order. No objections from the Forum members. Full membership approved. A second application was received from Amazon Trust Services for Associate membership (while waiting for completion of their WebTrust audit). Membership approved.
- PAG Status: Ben said that Gerv had asked what the transition period would be if we adopt the new IPR policy. What would the disclosure framework be? Ben assumed we would give people 30-60 days to submit exclusions. Dean suggested if a new IPR ballot had to be adopted, then members will need considerable time for their corporate attorneys review it. The normal 2 week period is too short and will likely fail because folks won’t have time to review. Kirk and Ryan suggested we be clear about how the policy affects members and structure a timeline accordingly. Ben suggested that anyone that would like to discuss further, stay on the call for a short meeting.
- Validation WG Update: Kirk said there was some discussion about proceeding with the IPR ballot before the domain validation ballot. Ryan said they are related and we need to understand how it affects existing disclosures as this will affect the timing. If we do domain validation before modifying IPR policy, there is some ambiguity as to whether it will apply. This is Google’s concern. Kirk said there is another path: Pass DV first, pass IPR second and re-pass DV. Kirk also said that a CA using “any other method” could be violating someone’s patent and not know it. Ben suggested holding off on the DV ballot until IPR passes. Kirk said the danger is that it could be a year off. Ryan asked if that is realistic given that we have 60 days as a limit in the current IPR for ballots. He thought it was doable much more quickly. One-two months to review ballot followed by 1 week voting period. Kirk suggested that companies that do not sign be suspended from membership, rather than kicked out of the program as he feels many legal departments will not start looking at it until it becomes a formal ballot. But we need straw man dates to kick this off.
- Code Signing WG Update: Ballot voting starts today to approve the Code Signing Baseline Requirements. Dean and Jeremy met with the WebTrust Task Force to review the document. Some minor comments received and will be incorporated in the next release of the doc.
- Policy WG Update: Update already given above in terms of the ballots.
- Information Sharing WG Update: Meeting tomorrow.
- Other Business: Dates for Bilbao meeting: Seems to be conflicts for the weeks of June 7th and June 21st so we are looking at the week of June 14th. Wayne cannot make it then. Need to check with Gerv. Inigo will be absent for 1 evening. For the February meeting, the wiki registration is open. The hotel has been selected and guests should book it per the instructions on the wiki. Meeting will be held at the GoDaddy office in North Scottsdale. Attendees should book their hotel now as rooms in Scottsdale are at a premium in February. A shuttle to the meeting will be provided from the hotel.
- Next teleconference scheduled for January 7th
- Meeting Adjourned