CA/Browser Forum
Home » All CA/Browser Forum Posts » 2017-02-16 Minutes

2017-02-16 Minutes

Final Minutes for CA/Browser Forum Teleconference 16 February 2017 (approved March 2, 2017)

Attendees: Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton (Entrust), Christopher Kemmerer (SSL.com), Connie Enke (SwissSign), Curt Spann (Apple), Dimitris Zacharopoulos (Harica), Fotis Loukos (SSL.com), Frank Corday (Trustwave), Josh Aas (Let’s Encrypt), Jos Purvis (Cisco), Kirk Hall (Entrust), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Patrick Tronnier (OATI), Peter Bowen (Amazon), Peter Miscovic, (Disig), Rick Andrews (Symantec), Robin Alden (Comodo), Ryan Sleevi (Google), Stephen Davidson (QuoVadis), Steve Medin (Symantec), Tarah Wheeler (Symantec), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave), Virginia Fournier (Apple).

  1. **Roll Call **

  2. Read Antitrust Statement

  3. Review Agenda – there were no changes to the Agenda.

  4. Approve Minutes of teleconference of Feb. 2, 2017. The draft Minutes were approved for posting to the Public list.

  5. Governance Change Working Group update. Virginia asked for members to provide any response to the outline on governance changes by tomorrow. The next step is to draft a ballot to make the changes recommended there. Peter noted there were two more Governance Working Group teleconferences before the next F2F meeting. It might be useful to prepare a governance change ballot and then schedule time at the F2F to discuss the ballot in detail.

  6. Validation Working Group update. Ben said lots of topics were discussed on the last call. Peter said some were ready for ballots, but the WG doesn’t want to overload the Forum with multiple ballots at the same time. Also, some ballots were on hold until the WG sees the final PAG report.

  7. Policy Review Working Group update. Ben said the draft ballot on defining the meanings of “CA” in the Baseline Requirements and EV Guidelines would be revised based on recent comments, and then the ballot will be filed for its official review period and vote.

  8. Patent Advisory Group (PAG) update. Virginia said that at its last meeting the PAG had discussed royalty free licenses to the IP included in the Exclusion Notices for Ballot 182, and that it looked as if the three companies that filed exclusion notices will all offer RF licenses, which will make the PAG’s job easier. Symantec will provide a draft at the next PAG meeting of a possible RF license that licensees would sign, and it appears that GlobalSign and GoDaddy may want to offer a RF license that does not require licensees to sign a copy.

Virginia suggested that members do not use any Ballot numbers that come before Ballots 180-182, as it could cause confusion – Ballots 180-182 essentially put all prior ballots into compliance with the IPR Policy, and any later ballots would need to go through their own separate Review Periods, so they should have higher ballot numbers to avoid any misunderstanding. Those who previously filed for Ballot numbers 176 and 179 should choose new numbers.

  1. Ballot Status. The status of each of the following draft ballots was then discussed.

a – Ballot 185 – Limiting cert lifetime (Ryan) – IN DISCUSSION PERIOD. Ryan asked if anyone wanted to discuss the ballot, but there was no discussion.

b – Ballot 176 – BR 3.4.4.2 – CNAME verification (Jeremy). Jeremy was not on the call, so there was no discussion.

c – Ballot 179 – BR 6.1.7 – Root signing time stamping certs (Dimitris). Dimitris said the ballot was ready to go.

d – Ballot 184 – RFC 822 Names, OtherNames, SRV names (Jeremy). Jeremy was not on the call, so there was no discussion.

e – Ballot 186 – Limiting reuse of validation information (Ryan). There was no discussion.

f – Ballot 187 – Make CAA checking mandatory (Gerv). Gerv was not on the call, so there was no discussion.

g – Ballot 188** – Clarify use of term “CA” in Baseline Requirements (Dimitris). Dimitris said the ballot would be modified in response to Gerv’s comments, and then would be started on the **list.

h – BR 7.1.4.2.2 and EVGL 9.2.5 and 9.2.7 (Li-Chun). Ben said this ballot was still being discussed, but the Validation Working Group may be coming to some conclusions. Kirk asked if the WG could explain the issues in simple terms to the Forum, and offer some alternatives. Ben said one possibility could be to write limited exceptions on state and locality requirements for Taiwan and Singapore. Peter said that discussions kept confusing two or three separate issues, which are not overlapping and may require two or three ballots. One issue involves jurisdiction of incorporation, another physical address, etc. Also, in Taiwan an official registry of companies already assigns a DN for each company and for government entities, and there are conflicts between the registry rules and the BRs. Li-Chun said that, in Taiwan, the law says that the company name must be unique for the whole country. Peter asked are there databases for companies in Taiwan. Li-Chun said there is QGIS in Taiwan. Li-Chun said Taiwan’s Government PKI has had a defined Certificate profile and CRL profile, and Distinguished Name rule for more than 14 years. Taiwan’s Government PKI follows RFC 5280, X.520, RFC 3739 Qualified Certificates, and so on. The Government PKI Certificate Profile requires an organizationName attribute in the certificate’s subject DN, so for certificates for central government entities or company, SSL BR’s “either State/Province or Locality should be required” should be changed so that both are optional for Taiwan. Taiwan’s Government PKI auditor joined Redmond F2F meeting. Licensed WebTrust Practitioners in Taiwan (there are two) can provide more details.

i – Ballot adding back Methods 1 and 8 to BR 3.2.2.4 (Peter). Peter will move forward with a ballot soon, as this does not depend on the PAG’s work.

j – New boilerplate for ballots posted to wiki – Kirk said that new “boilerplate” language based on the changes to voting procedures made in Ballot 184 was now posted on the wiki in the “Ballots” section, and can be used at the end of new ballots.

  1. Next F2F meetings: The next F2F meeting is set for 21-23 March 2017 at Research Triangle Park, NC and hosted by Cisco. Kirk said it was time to start preparing an Agenda for these meetings, and asked members to send him suggested agenda items.

Ryan asked if the PAG would meet at the next F2F meeting, and Virginia said no, as a number of PAG members will not be at the F2F. Ryan was going to suggest that non-PAG members could meet at the same time in a “hack-a-thon” to work on GitHub integration to reduce the work to produce updated documents.

Virginia said the GitHub solution just doesn’t work for her and that people in the legal community don’t use it. The Forum documents are legal documents, and we are going to have to find a solution that works for everyone. Ryan said he understood Virginia’s point but that the Forum had decided in the past to use GitHub, which is widely used in the IETF, W3C, OASIS, and other standards defining organizations as the medium of collaboration on those documents. Virginia noted that W3C PSIG, the Patent Standards Interest Group, does not use GitHub for activities for the patent group.

Peter said that based on his work with Amazon’s legal group, he assumed Virginia’s goal was to have a red-lined document like track-changes in Word, as opposed to computer code documents. Virginia agreed that legal documents generally use red-line modes like those in Word to show changes, and said GitHub is just not used in the legal community for legal documents, and won’t work here. Tarah asked if there was a reason why GitHub is not used for legal documents, as it works well for collaborative measure for technologists. Virginia said redlining like when using Word is important to highlight changes. Kirk added that with redlining it’s much easier to look at a paragraph and see all the changes highlighted in one paragraph rather than having to go back and forth between two different paragraphs and try to notice out where there are changes. For that reason, it’s very hard to use GitHub for legal documents.

Peter said there were two different things being discussed – there was a technology implementation discussion (using GitHub) and a requirements discussion which is can GitHub be used to do red-lined and “see changes” versions of documents. It’s something that can be discussed during the upcoming meeting, but if the “technologists” want to store a copy of the Forum’s documents in GitHub and then send around red-lined copies in Word format, nobody should care as that meets everybody’s requirements. Kirk agreed, but said that if someone like Virginia or Kirk was forced to offer up amendments in GitHub rather than in the traditional “track changes” mode, that’s not really something we want to spend time to learn – Kirk had said this before when GitHub was adopted as the repository, that he didn’t see an advantage to it, and some people will use it while some people will not.

Ryan noted that the recent Bylaws changes were not reflected quickly in an updated document and it’s important to make consistent document updates. As was said when GitHub was adopted, it would reduce barriers and increase collaboration. Requiring the use of licensed Microsoft Word or Adobe Acrobat products presents some challenges. Tarah said the use of Word presents problems when there are multiple different versions of a document running around.

Peter summarized that the next step is that there probably needs to be a good demonstration of how to do this in a way that supports Kirk and Virginia’s point that red-lined documents can be created in a world where things are GitHub mastered but allows people to support the work flows they are familiar with. There was also a suggestion on the call that this could be extended into something like a Tools Working Group, and that the Forum did not necessarily need to be wedded to either of those platforms – collaboration between groups is a problem with many solutions. Peter agreed, and said let’s not focus in a specific technology solution.

Kirk again asked people to forward suggested Agenda items to him for the F2F.

After the North Carolina meeting, the next scheduled meetings are 20-23 June 2017 Berlin (D-Trust) and 3-5 Oct 2017 Taipei (Chunghwa Telecom).

  1. Any Other Business. There was no other business.

  2. Next call on Thursday, March 2, 2017.

  3. Adjourn

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).