Minutes CABF Teleconference September 1, 2016
Attendees: Andrew Whalley (Google), Alex Wight (Cisco), Anoosh (Network Solutions), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton (Entrust), Curt Spann (Apple), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Doug Beattie (Globalsign), Gervase Markham (Mozilla), Jeff Stapleton, Wells Fargo, Jeremy Rowley (Digicert), Josh Aas (Let’s Encrypt), Josh Purvis (Cisco), Ken Myers (US PKI), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mike Johnson (Digicert), Peter Bowen (Amazon), Richard Barnes (Mozilla), Ryan Sleevi (Google), Sissel Hoel (Buypass), Virginia Fournier (Apple), Wayne Thayer (GoDaddy), Tony Rutkowski (Invited guest)
- Read Antitrust Statement
- Roll Call
- Agenda Reviewed – no changes
- Minutes of August 4th and August 18th. There were no comments on the draft minutes and they were approved.
- Ballot status:
Draft SRV ballot – Peter said there was no update on this ballot.
Ballot 174 – This ballot has passed.
Ballot 175 – Voting is underway on this ballot.
Jeremy said he put out a correction on the email list on Cname validation to the list of validation methods which would revise ballot 169. He is looking for 2 endorsers. Kirk said he would endorse.
- Misc Topics: Anti-spoofing certs. Guest speaker Tony Rutkowski talked about certs for telephone devices. Tony worked for Verisign at one time and said the problem of binding certs to telephone numbers and groups of service providers has been going on for some time. Spoofed calls (aka “Robo calls”) has been a major problem and is being dealt with by many different groups; one of which is the IETF and a body called “STIR” which has developed a set of specifications. One specification deals with binding a certificate to a telephone number. The forum could create a separate group to look at this opportunity by developing a subset of EV certs for this purpose.
Richard said this use case is different than the normal web use case. Hence there might be different validation requirements. It’s a little unclear as to what the authority model is.
Dean asked if this is in scope for the CA/Browser Forum. Richard said not really as currently constituted since browsers are not the relying parties.
Dean said the Governance Change WG is looking at setting up subgroups to work on other topics and this may be an example of one to set up.
Kirk asked who Tony thought would participate in a working group. Tony said this would need to involve global players, such as the ITU-T which owns the E164 specification. Also ESI and ANSI.
Peter asked what Tony was looking for from the CA/B Forum. Tony said if there was enough interest, it should be moved into a working group of people that can work on this subject.
There was some discussion as to whether EV was the appropriate type of certificate for this given the entities involved.
Gerv asked if the value proposition was to insure no spoofing of caller ID phone numbers? Tony said there was a DNS system defined for every phone number in the world. Richard said the spec involves authenticating the phone numbers and any meta data attached to those numbers.
Peter said that domains using mail filtering products were fetching links in emails and “click this link in the email to confirm” was being activated inadvertently.
Server was seeing these anti-malware checks as confirming
Wanted to pass this along for CAs that do email validation and that this may cause inadvertent validation. A malicious party could be validated for domains using these email scanners.
Kirk asked if there was a valid example. Peter said he knew of instances where companies were using the Barracuda networks product. However, it’s not limited to this product.
Bruce asked if this would be mitigated with the “random value”. The answer was no. The random value could be contained in a link that would be “clicked” by the scanning product. So the random value doesn’t help.
Jos said the only way around this was to have the user click the link and then go to a page where they enter the random value. Peter said that could work but another way would be to couple this with another action on the website.
Andrew said an explicit “do not approve” might be another answer.
- Governance Change Working Group update —
Ben gave an update. There have been discussions around the IPR policy within the governance change. There was going to be a discussion with Virginia and others later in the day.
A proposal was sent around for review which Gerv had commented on and is still an open item. Virginia said they need to figure out what happens if a member sues another member for patent infringement. This will be discussed as part of the IPR meeting.
- Validation Working Group Status –
Jeremy said the working group has stopped meeting for now until a new topic comes up. There has been discussion about individual validation (given name/surname) and perhaps the group could pick this up. Kirk suggested a ballot change could help fix this issue. Bruce asked if the types of change for domain validation should be extended to IP address validation. Jeremy said that could move to the working group for discussion.
- Policy Review Working Group –
Ben said the group was discussing subordinate CAs and what policy OIDs could be inserted. Dimitris was going to look at this and work on some language for subordinate CAs.
- Any Other Business –
There are 48 people signed up for the fall meeting and there is a cap at 50 so we will be closing sign ups soon. Dean announced that the guest speaker will be Mr. Patrick Donahue, PM of SSL at Cloudflare. Dean again asked for draft agenda items and to submit those to him via email. In addition we will have several guest speakers from Microsoft that should have some very interesting topics to present.
Next year’s meeting locations include Cupertino (tentative), Berlin (D-Trust) and Taiwan (Chungwa Telecom).
Dean advised elections for chair and vice chair are coming up. Chair nominations are now closed and elections will start next week. Normally voting takes place by members submitting ballots to our 2 independent parties from WebTrust (Don) and ETSI (Arno). Peter commented that Arno was now associated with a CA member (D-Trust) and asked whether we should continue asking him to tabulate the votes. Dean concurred and suggested other Associate members such as Federal PKI (Ken) or ACAB (Clemens).
- Next meeting on Sept. 15th