CA/Browser Forum
Home » All CA/Browser Forum Posts » 2017-10-12 Minutes

2017-10-12 Minutes

Minutes for CA/Browser Forum Teleconference – Oct. 12, 2017

Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Christopher Kemmerer (SSL.com), Connie Enke (SwissSign), Curt Spann (Apple), Devon O’Brien (Google), Doug Beattie (GlobalSign), Frank Corday (Trustwave), Gervase Markham (Mozilla), Li-Chun Chen (Chunghwa Telecom), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Patrick Tronnier (OATI), Peter Bowen (Amazon), Peter Miscovic (Disig), Robin Alden (Comodo), Ryan Sleevi (Google), Shelley Brewer (DigiCert), Sissel Hoel, (Buypass), Tim Shirley (Trustwave), Virginia Fournier (Apple), Wayne Thayer (GoDaddy), Wendy Brown (Federal PKI).

  1. Roll Call
  2. Read Antitrust Statement
  3. Review Agenda. Agenda was approved.
  4. Governance Change Working Group update. Ben said the WG had a recent productive call and continued to go through Gerv’s comments, and that he had recently circulated an updated draft of Ballot 206 to the group. There were a few open issues to finish, including updating the IPR Agreement to fit the new structure and voting rules at the Forum level. On voting at the Forum level, choices include one person-one vote with no classes, or something else (such as one voting group being the producers of certificates, and another voting group being the consumers of certificates). There was also the question of whether a majority vote would be sufficient at the Forum level, or a supermajority would be needed. The WG wanted input from more of the members.

Kirk suggested the WG should poll the members on choices in the undecided open areas. Gerv thought a 2/3 vote by groups at the Forum level might be a good idea to make sure something was strongly supported, but that could be burdensome if a clear majority wanted something over a period of time but could never get to 2/3; there are pros and cons of each. Kirk noted the Forum itself will only decide limited matters such as chartering of new working groups and some administrative matters.

Virginia believed there needed to be at least two voting groups, and favored producers of certificates in one group and consumers of certificates in the other. Curt supported this. Ben said the WG would need to define “consumers” of certificates better to go in this direction – there is now a good definition of what a browser is, but “consumers” could be harder to define. The IPR Agreement was discussed, with Kirk saying changes were needed so that a company that was a Forum member but did not participate in a particular working group would have no obligations under the IPR Agreement. Virginia believes the IPR Agreement already provides for that.

Virginia said the WG also needed to draft an initial charter for a web server working group, which would take over the main work of the Forum under a new governance structure, and that we needed to add that to the same ballot as the governance changes so the Forum could continue its current work. Ben said the server certificate working group charter was already drafted, and agreed to send it out to the WG immediately.

  1. Validation Working Group update. No report.
  2. Policy Review Working Group update. Ben said the WG just had a productive call where it reviewed the work at the F2F meeting. The WG is still refining the definition of “Certificate Authority” in the BRs, and looking at whether Certificate Authority could include “logical entities” as used in the Network Security requirements – that’s still an open issue. Maybe a definition using terms such as ”function” or “service” would work better.

As a separate matter, the WG had also reviewed the proposal at the F2F by Chunghwa Telecom to allow certificate policy OIDS when not doing web PKI.

  1. Network Security Working Group update. Ben said the WG was looking for more “low hanging fruit” in the current NetSec requirements that could be improved by another quick ballot. The WG also has a queue of issues of varying complexity that have been ranked by poll in order of importance, and was working through them. At the F2F meeting, the WG had discussed again whether to scrap the existing NetSec requirements and rely instead on some other existing criteria, but had decided the answer was no because other available criteria were either too general or too specific for what the CA Forum members were doing.

Kirk asked if Ben had any idea of when the WG might be finished with its main issues list, and Ben guessed it might be a few months because the group only meets every other week. The WG wants to do a risk analysis of CA systems generally in its approach, and reach agreement on what the NetSec requirements are really trying to protect, what the proper security perimeters for the standards should be, etc.

  1. F2F Meeting Follow-Up: Kirk again thanked Li-Chun and Chunghwa Telecom for hosting an excellent and fun F2F meeting in Taipei. Gerv commended the hosts for the creativity in their “extra-curricular” activities, including the meeting with meteorite specialists, and suggested future hosts try to reach that level. Kirk reminded some meeting participants that they still needed to post their portion of the Minutes on the wiki.

Ryan thanked the hosts for their work, but noted there were some communication issues for members who tried to participate remotely as he had. He suggested that for future F2F meetings, the hosts should make certain that remote participation works, and suggested the Forum create some minimum hosting requirements (e.g., wifi bandwidth) and even bring some standard communications equipment owned by the Forum that could be plugged in and used at every meeting to improve communications.

Kirk liked the idea, but noted that even if hosts try very hard, they can’t always know or guarantee how well communications systems will work at the actual meetings. Curt noted there is already a set of host requirements (located at the top of the Meetings page on the wiki), and said the list could be expanded and made more specific. Ryan thought updating the list was a good idea, and suggested past hosts could update based on their experience.

Peter noted that the Forum was growing and it may become harder and harder for hosts to find the necessary space, layout, communications systems, etc. to meet our needs. Gerv said perhaps the Forum would need to limit the number of participants in the future (e.g., no more than 2 per company) so the total number would not become too great. He also asked for recommendations of possible “hardware” to purchase and bring to meetings, so we could have a standard “box” in the room with speaker, microphones, etc. with a standard plug in to a laptop and Skype, etc. so everyone participating remotely could hear. Peter noted there were typically more network problems than equipment problems at meetings creating the communications problems. Gerv suggested maybe the Forum needed a long cable to connect its equipment directly to the internet to avoid the “last 10 feet” wifi problem. Curt said that pre-determined equipment might be challenging for the host.

Ryan said the Forum’s growth might mean meetings need more bandwidth, and hosts may need to recognize that. Curt said we might need to give hosts a metric of how much bandwidth was needed per attendee. Peter noted Amazon is scheduled to be the next F2F host, and he would take the lead in updating hosting requirements on the wiki.

Kirk asked if the Taipei meeting sessions had been recorded; Ben said yes, but he hadn’t checked sound quality yet. Kirk said it may be challenging to guarantee live participation would always work, but at least we could try to guarantee good recordings so those not present at the meetings could hear the discussion of issues. He also noted it could be problematic if multiple remote people all wanted to speak in a meeting – it’s awkward shifting back and forth with people in the room. Ryan said other groups like IETF successfully handle attendees who are both remote and physically present, and the Forum needed to change to accomplish this.

  1. Ballot Status. Ryan said his proposed ballot requiring CAs to use RFC 3647 format after six months would start soon – he had delayed it because of all the other ballots that were proceeding. Kirk asked if later the Forum should work on possible changes to the RFC 3647 format itself, as many of the RFC 3647 headings in in RFC 3647 are odd or inappropriate, but Ryan said he didn’t think that would be worthwhile. Ben said he had two ballots coming – Ballot 208 on dnQualifiers and Ballot 209 on EV Liability.
  2. Future F2F Schedule: Kirk reviewed the following schedule of F2F meetings, and asked members who were willing to host in June and October 2019 to contact him.

Future F2F schedule:

March 6-8, 2018: Amazon, Herndon, VA USA

June 2018: Comodo, London

Sept.-Oct. 2018: China (TBD)

Feb.-Mar. 2019: Cupertino, CA, USA (tentative)

June / Oct. 2019:

  1. Any Other Business. There was no other business.
  2. Next call October 26, 2017.
  3. Adjourn
Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).