CA/Browser Forum
Home » All CA/Browser Forum Posts » 2016-04-28 Minutes

2016-04-28 Minutes

Final minutes April 28, 2016

Attendees: Andrew Whalley (Google), Alex Wight (Cisco), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Billy VanCannon (Trustwave), Cap Hayes (Cisco), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Doug Beattie (Globalsign), Gervase Markham (Mozilla), JC Jones (Mozilla), Jeremy Rowley (Digicert), Jody Cloutier (Microsoft), Li-Chun Chen (Chunghwa Telecom),Mads Henriksveen (BuyPass), Moudrick Dadashov (SSC), Neil Dunbar (Trustcor), Patrick Tonnier (OATI), Peter Bowen (Amazon), Rich Smith (Comodo), Rick Andrews (Symantec), Robin Alden (Comodo), Ryan Sleevi (Google), Sissel Hoel (Buypass), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave),Volkan Nergiz (TurkTrust), Wayne Thayer (GoDaddy)

  1. Roll Call completed.

  2. Antitrust Statement was read by Robin.

  3. Agenda Reviewed.

  4. Minutes of 14 April meeting: The minutes were approved and will be sent to the public list.

  5. Ballot Status: Ballots 167 failed due to lack of quorum (as some concerns were raised during voting period) but Peter has posted a revised ballot (168) and has found endorsers (Harica and Comodo). Therefore the ballot is “live” and in the review period. It’s primarily the same as ballot 167 but the language around RFCs has been removed as the focus is 100% on corrections. One of the big items corrected is the OCSP reference to RFC 6960 from the old 2960 (which now allows for SHA2). Peter asked everyone to please review and make comments during the review period.

  6. Domain Validation draft ballot and IP/SAN proposal: A draft of the ballot has been sent out and is seeking 2 endorsers. Jeremy said the changes were minor and are evident in the ballot based on input from the group. He would like to get it endorsed by this Friday. Regarding the IP/SAN address proposal, Jeremy said Microsoft products below Win 10 don’t support IP address in the IP address field of the SAN extension. It must be in the DNS field of the SAN extension (unless it’s the only name in the certificate). Digicert said they found about 2000 certs issued with the IP address in the DNS name in the wild which is currently prohibited by the BRs. 1500 of these certs included them both in the IP address and the DNS name, which works fine. Jeremy said there seemed to be a current unawareness of this in the BRs by CAs and they have customers asking them to do it but Digicert is rejecting them. Customers said there wasn’t a logical decision to prematurely deprecate Windows products prior to version 10. Digicert would like an extension to permit inclusion of the IP address in the SAN extension. Jeremy said Ryan had raised 2 objections, namely it would break technical constraints and it doesn’t comply with RFC 5280. Ryan expressed disappointment in that it’s been roughly 17 years since the RFC was passed and CAs are just now noticing this. Jeremy said that’s because Microsoft needed it for their products. However he noted that the one big customer that was using it no longer needs it. Ryan said he had put forth a technical solution 8 months ago and that seems to work for most customers but for 1 exception which dealt with an old SSL load balancer from a very small manufacturer. Ryan wondered what other customers need it and why, given his previous solution proposal. Jeremy said that 2000 have been issued by various CAs across a broad spectrum so someone must need it. Dean said it sounds like a reminder needs to be sent to CAs and perhaps an advisory to users (similar to the Internal Name doc on the CA/B Forum website). Ben thought Mozilla would be in a good position to communicate with CAs and perhaps they could send a reminder. Jody said they are trying to be responsive to requests from the industry which is telling them they need it. Jeremy said they no longer need it. However, he thought that Let’s Encrypt had issued a bunch of these certs (although after the call, he corrected this and said this was an error on his part). Peter clarified that this is about not allowing IP addresses in the DNS name in the SAN. Dimitris volunteered to write an advisory document for the forum website.

  7. Governance Review Working Group. Dean noted that we now have a mailing list and a kickoff meeting scheduled for May 4th where the first order of business will be to elect a chair. The first F2F meeting will be held during the working group day in Bilbao.

  8. Formatting issues in CA/B documents: Alex said that it is hard to search for terms in our documents because of the full justification which is adding white space and hidden tabs to the text. He liked the idea of making github the authoritative source for the documents. Peter said the github source needs a little more work because of some rendering issues. Changing everything to left justification in the word doc would solve the immediate problem. Ben said he would make it all left justified and will test it out so Alex can check it.

  9. IPR: Dean said there are still 4 parties that have not signed the IPR: Digidentity, SECOM, Visa and Wells Fargo. WF did reach out to Dean and is reviewing the document. There was also a 60 day window to submit IPR exclusions which the deadline has now passed (it was 60 days after the IPR went into effect-Feb 15th). Dean suggested extending that window as we had not reminded members to do so and many may have simply forgotten about the deadline (similar to what happened with the signing of the IPR). Ryan said we could not do that without another ballot. Gerv agreed and said if challenged in court, the deadline is what was in writing. A discussion as to whether it should be 60 business or calendar days ensued with Ryan pointing out that we’ve never used business days in the past. A further discussion on what it means to exclude a patent continued. Dean said we should have sent reminders. Peter said he did raise it on the mailing list before the deadline, but Dean said we failed to raise it on the subsequent call. Ryan noted that Dean sent a reminder but it was on April 21st, past the deadline. Peter said the appropriate way forward would be a ballot. Ryan said this rule is about protecting work product from a legal perspective. He volunteered bringing in the Google attorney who also represents them on other standards orgs if necessary to work this out. Dean said he would think about a way forward including proposing a ballot to extend the deadline and suggested perhaps a follow-up PAG meeting to discuss. Wayne raised an additional concern regarding the validity of an exclusion notice posted by Comodo that was only posted to the wiki, which seemed to catch some members by surprise as it was not posted publicly. Peter thought this was not a proper exclusion as it did not conform to the requirements. Wayne said that if we decide to allow for an extension, that full documentation on how to post the exclusion should be included in the ballot. Peter said that members may have to go back to their counsels for further details.

  10. Validation WG Update: No further updates other than the Ballot

  11. Code Signing WG Update: Working group members are signing the Contribution Agreements. In addition, the group is finishing up some minor updates before disbanding and expects to complete this in Bilbao.

  12. Policy WG Update: Ben said the group continues to make progress and will have some ballots ready soon.

  13. Information Sharing WG Update: No update. This group will not meet in Bilbao.

  14. Other Business: Dean mentioned that Netcraft will host a meeting in Bath on Sunday May 22nd and members are invited to attend but must let Dean know ahead of time. The agenda is essentially a “state of the SSL industry” briefing followed by demos of Netcraft services. The agenda for Bilbao has been posted on the wiki and Dean is looking for a few more topics to complete the schedule. 43 people are registered and we are at capacity.

  15. Next teleconference scheduled for May 12th

  16. Meeting adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).