CA/Browser Forum
Home » Posts » 2016-01-07 Minutes

2016-01-07 Minutes

Minutes of CA/B Forum Teleconference – January 07, 2016.

Attendees: Atsushi Inaba, Ben Wilson, Bruce Morton, Burak Kalkan, Connie Enke, Dean Coclin, Dimitris Zacharopoulos, Gervase Markham, Jeremy Rowley, Kirk Hall, Li-Chun Chen, Marcelo Silva, Mat Caughron, Moudrick Dadashov, Patrick Tronnier, Peter Bowen, Peter Miscovic, Rich Smith, Rick Andrews, Robin Alden, Sigjborn Vik, Tim Hollebeek, Tim Shirley, Tyler Myers, Volkan Nergiz, Wayne Thayer

  1. Antitrust Statement Read by Kirk

  2. Roll Call completed

  3. Agenda Reviewed. Guest speaker on LV certificates could not attend.

  4. Minutes of 10 December meeting: The minutes were approved and will be sent to the public list.

  5. Policy Working Group Ballot Status: Ben posted a proposed ballot for Section 4 of the BRs and is discussing it on the list. A minor comment from Sig was mentioned and agreed to by the ballot endorsers. Ben will circulate an update. Section 5.1 will be the next ballot (160). The working group will be discussing section 5.2 next. Dean noted an email comment from Ryan Sleevi had not been addressed and Ben said he would look for it.

  6. Proposed “LV” Certificates: Jeremy said that we should come up with a better way of deprecating things that need to be deprecated. The recent SHA-1 experience highlights this. Although the LV cert proposal probably won’t pass, it does illustrate the need for a better way for deprecation. Dean said the proponents of LV published some information but follow-up questions from Peter Bowen asking for additional details were never provided. Peter’s data showed that 7.5% of Mozilla connections were not coming from NSS (Peter’s call connection dropped while talking). Jeremy said he will communicate this to the proponents but doesn’t believe they will push it further. Jeremy continued by saying this process was painful for many. Dean commented that he saw Mozilla was rolling back a change they instituted on SHA-1 as proof that it’s not easy. Jeremy suggested that we move this topic to a working group, likely the Policy WG. But he wasn’t sure what algorithm migration topic would come up next. Rick said it could be towards NIST/NSA “quantum-resistant” key sizes (i.e. RSA 3072 and ECC 256), as an example. Dean thought the “internal name” issue was handled well, with less complaints, possibly because it was well documented and a timeline was agreed to by all.

  7. Proposed Mis-Issuance ballot: Sig gave an update on the proposed ballot. The intention is to get mis-issuance out in the open as he believes this will increase the overall security of the ecosystem. The goal is to get the info out there, the details don’t have to be perfect. Dean mentioned a concern that came from a UK partner about SSL certs they issue for the UK tax authority which contain some private info (this was brought up several months ago) and asked Gerv if he had looked into it. Gerv thought the issue was resolved a while ago. Peter B said the ballot should be changed and a new mailing list should be created for reporting purposes. A discussion about having this in individual root store requirements vs. the BRs ensued. Kirk said there was one reason in favor of that. If it is in the BRs, and the CA doesn’t report it, then the CA should fail its next WebTrust audit. Whereas if it’s simply a Browser root program requirement, it’s not an automatic WebTrust failure and the browsers can decide the appropriate penalty without failing the audit. Sig said that doesn’t really matter as the root store will still decide what to do in either case. Jeremy agreed with Kirk, in that the root program rules is a better place. The CA/B Forum isn’t in the business of reporting issues or a repository as we are more of a standards body. Rick said Microsoft’s root policy says you have to disclose mis-issuance (not defined) to Microsoft. Jeremy said that is good because a discussion with the root program can be had to determine if it needs to be disclosed. Mat said clarity should be made in what needs to be disclosed. Apple would also weigh a failed audit heavily. Dean clarified that there hasn’t been a “failed” audit. Rather there are “findings” that are disclosed to the browsers which decide what action, if any, they want to take. Jeremy said this is called a “qualified audit”. Mat said they are in favor of more reporting rather than less. Jeremy agreed but said that this reporting should be to the browsers not the forum. Mat agreed. Dean said, as a corollary, during the development of the code signing BRs, there was discussion about having the forum be the repository for the “bad actors” list but that idea was turned down as the forum is not in the business of managing such a list. Sig said the intent is to make the disclosure public instead of a CA publishing something “hidden” that wouldn’t necessarily be seen and that the Forum is a nice mechanism for that. Peter said the Forum is really a standards group and isn’t the right place for this.

  8. Discussion of “generic names”: Dean said the context is the creation of an intermediate CA and the rules in the BRs surrounding this. One of the rules is that the names cannot be generic. Peter gave an example in an email of a name, “Admin-Root” which would be considered generic and wouldn’t be allowed. Dean asked about “Admin-Root-CA GmbH” since it could be a registered name in Germany. Dean believes the rule was instituted so that relying parties could find out who the issuer of the cert is and hence a registered name would allow for that. Jeremy said as further context, if a CA operated a sub CA for Company A within the CA’s infrastructure, then you might want to indicate this in the cert. Peter said the way the BRs read, it could also be a trademark. Shouldn’t be an issue for something that can pass standard OV validation. A discussion on trademark names ensued. Kirk agreed with Peter that as long as it’s a registered trademark, it should be ok, as long as it’s not misleading. He also said it’s up to CAs to turn down customer requests if the CA feels it doesn’t meet the rules and if they are not comfortable with it. Perhaps a revision to this section is necessary to include only Org validated names.

  9. PAG Status: Ben said a ballot will be coming on the new IPR policy with an effective date of 1 February. The ballot will give companies 30 days to sign the agreement and 60 days to disclose patents. Peter said he had not seen the pre-ballot. Ben said he will circulate it again.

  10. Validation WG Update: Kirk said a call is scheduled for next week. He will send out some info to the working group in preparation for the meeting.

  11. Code Signing WG Update: Dean reviewed the ballot results. The working group respects the vote of the forum but is not disbanding. A meeting is planned for next week to discuss other options for the work product. The forum will be updated once the working group comes up with a plan.

  12. Policy WG Update: No further update.

  13. Information Sharing WG Update: The CyberSecurity Act of 2015 passed and was signed the US President. It provides liability protection for sharing information.

  14. Other Business: Scottsdale meeting: all attendees should book hotels on their own with information provided on the wiki. If you are unable to book online, then call the hotel directly. Please continue to sign up on the wiki. We have about 25 participants signed up so far.

Dates for Bilbao meeting: Dean sent out an expanded poll for Bilbao dates. The week of May 17th seems to be the new favorite. Dean will confirm before the next call.

  1. Next teleconference scheduled for January 21st

  2. Meeting Adjourned

Latest releases
Code Signing Requirements
v3.7 - Mar 4, 2024

S/MIME Requirements
v1.0.4 - Ballot SMC06 - May 11, 2024

Ballot SMC06: Post implementation clarification and corrections

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).