CA/Browser Forum

2018-03-22 Minutes

Final Minutes for CA/Browser Forum Teleconference – March 22, 2018

Attendees

Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Cecilia Kam (GlobalSign), Christopher Kemmerer (SSL.com), Corey Bonnell (Trustwave), Curt Spann (Apple), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Fotis Loukos (SSL.com), Frank Corday (Trustwave), Fraser Evans (FPKI), Jeff Ward (WebTrust), Jos Purvis (Cisco), Ken Myers (Federal PKI), Kirk Hall (Entrust), Julie Olson (GlobalSign), Li-Chun Chen (Chunghwa Telecom), Michele Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Patrick Tronnier (OATI), Rich Smith (ComodoCA), Rick Andrews (DigiCert), Robin Alden (ComodoCA), Ryan Sleevi (Google), Shelley Brewer (DigiCert), Steve Medin (DigiCert), Tim Shirley (Trustwave), Tyler Myers (GoDaddy), Virginia Fournier (Apple), Wayne Thayer (Mozilla), Wendy Brown (Federal PKI).

1. Roll Call

2. Read Antitrust Statement

3. Review Agenda.

Agenda was approved.

4. Approval of Minutes

Kirk asked for approval of the draft Minutes (as amended) for the teleconference of February 8, 2018, which had been distributed on March 16. Ryan wanted to propose additional changes to the Minutes in one section. Kirk agreed to defer approval until the next teleconference, but asked Ryan to circulate for review the revised language he wanted to propose.

Next, Kirk asked for approval of the draft Minutes for the teleconference of February 22, 2018, which had been distributed on March 16. The Minutes were approved and will be posted on the Public list.

Kirk noted that the Minutes from the F2F meeting on March 7-8, 2018 were nearly complete and would be available soon. Wayne said he wants to post the Minutes from the all-day Validation Working Group conference on March 6, and will compile the Minutes taken by various meeting participants for that purpose.

5. Governance Change Working Group update

Dean noted that the Governance Change WG made a detailed presentation of the Ballot 206 proposal at the recent F2F meeting. The formal discussion period for the ballot has just started. The WG would consider minor changes, but would not make any radical changes to the ballot at this point. The voting period will start on March 27.

6. Policy Review Working Group update

Ben and Dimitris had no update. In future meetings the WG will focus on the issues discussed at the recent F2F meeting and an initial ballot.

7. Network Security Working Group update

Ben had no update. Dimitris noted that on the March 15 WG call the group continued to draft “second wave” possible amendments to the existing NetSec requirements, including updating the requirements for High Security Zones.

8. Validation Working Group update

Wayne said the WG had a call the prior week, which focused on proposals for changes to the prior domain validation Method 1. The WG also discussed the best way to move forward with the discussion and ideas from the all-day VWG meeting at the recent F2F meeting.

9. Ballot Status

Discussion of ballots (See Ballot Status table at end of Agenda). There was no discussion.

10. Dark Matter Membership Application

Kirk noted that Dark Matter had submitted a response to questions he had posed after the last Forum call, and the response had been circulated. The members discussed the requirements of Bylaws 2.1 and 3.1 for full Membership or for Associate Membership, and agreed by consensus that Dark Matter did not appear to qualify for either membership status at the present time. Kirk said he would convey the decision to Dark Matter.

11. Process for marking updated CABF Guidelines after Ballots and Review Periods

Kirk noted that in most cases, Forum Ballots simply amend existing Guidelines and no Exclusion Notices are filed during the 30 day Review Period required by our IPR Agreement, which means that the amendments become effective at the end of the Review Period. Our rules require that a full set of the Guidelines including the ballot amendments (“Document A”) be circulated after a successful ballot result along with the Review Notice, but that the amendments do not take effect until the end of the 30 day Review Period. At that point, our rules require an updated version of the amended Guideline (“Document B”) including the amendments be posted to the Forum’s website (and our practice is also to post a red-line version showing the changes made, and to give the updated version a new version number and Effective Date, which is the date the 30-day Review Period ended).

Kirk and Dimitris wanted to establish a clear procedure for how to mark Document A so that members and the public would know that the amendments included in Document A from a successful ballot were not yet in effect. Kirk proposed using the existing version of the Guideline (and not changing the version number) for Document A, including the amendments, and adding a prominent legend to the first page saying that the document was for IPR Review Period review only, and was not yet in effect. After the end of the 30 days, Document B would be created with a new version number and showing an Effective Date that was the end date of the successful Review Period, then posting that Document B to the Forum’s website. Kirk also proposed not posting Document A to the Forum’s website (as it is ephemeral and is not intended to be used after 30 days), but noted that Document A will be distributed in a message on the Public mail list with the Review Notice, and so would be available to all.

Ryan said this sounded like a good procedure. Dimitris suggested also adding a watermark to the pages of Document A indicating that version of the Guideline was not in effect. He also volunteered to update the table of Ballots on the Forum website so that the “Effective Date” column would be correct (showing the end of the Review Period, not the date the Ballot was approved). Kirk will provide the table of dates.

12. Maintaining list of CA OIDs

Kirk noted a recent email asked if the EV OIDs listed on the Forum’s website were up-to-date, and said he doubted if that was so. The Forum could ask members to update their EV OIDs from time to time, but there was no guarantee the Forum website’s EV OIDs list would always be correct. He asked if the Forum should delete the list, and instead include a link to the list of EV OIDs maintained by Mozilla and Chromium – presumably these are up to date, as CAs have every incentive to provide updated OIDs to the browsers so their EV certificates will be recognized.

Curt asked if we were discussing all the OIDs listed on the Forum’s website (including standard OIDs used by all CAs indicating type of cert, etc.), or each CA’s unique EV OIDs, or both. Ryan noted the Forum’s website today lists both, but proposed to drop the list of individual EV OIDs because it would be hard for the Forum to maintain the list. He also suggested the Forum should not add the Mozilla and Chromium links for EV OIDs, as those links could change and the Forum might be unable to keep the correct links on its site.

Curt asked for confirmation that the Forum’s common OIDs would remain on the site, and Ryan said yes. Dimitris volunteered to remove the EV OIDs table from the Forum’s website after the teleconference.

Wayne noted each CA was required to list its EV OIDs in its CPS, and Curt said that would be the definitive source for that information. Any person could collect and publish that data if interested. Curt noted that the OIDs listed in each CA’s CPS might or might not all be currently recognized by all the browsers. Ryan also mentioned the complexity of cross-certification issues, and that the usefulness of any EV OIDs list depends on what people are trying to understand – a CA assertion by an OID is different from whether a browser will recognize that certificate as “EV”. For the latter question, it’s better to check with the browsers directly.
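The distinction drawn above (a policy OID that a CA asserts in its certificate versus an OID that a browser recognises as EV for a given root) can be made concrete in code. The following is an added example and is not part of these Minutes or of any Forum or browser tooling. It decodes the OIDs from a DER-encoded certificatePolicies extension value with nothing but the Python standard library, then checks them against a browser-style table of recognised EV OIDs keyed by root. The browser table, the root name "Example Root CA" and the CA-specific OID 1.3.6.1.4.1.99999.1.1 are constructed for the example; only 2.23.140.1.1 (the CA/Browser Forum EV policy OID) is a real value.

```python
# Added example (not from the CA/Browser Forum Minutes): decode the policy OIDs
# a certificate asserts in certificatePolicies and compare them with a
# browser-style "recognised EV OIDs per root" table. Root names, the browser
# table and OID 1.3.6.1.4.1.99999.1.1 are constructed; 2.23.140.1.1 is the
# real CA/B Forum EV policy OID.

CABF_EV_OID = "2.23.140.1.1"


def _read_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (used to build sample input)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return bytes([0x06, len(body)]) + body


def build_cert_policies(oids):
    """Build a certificatePolicies value without qualifiers (constructed sample input).

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    Lengths are assumed to fit in one byte, which holds for this sample.
    """
    infos = b""
    for dotted in oids:
        oid_tlv = encode_oid(dotted)
        infos += bytes([0x30, len(oid_tlv)]) + oid_tlv
    return bytes([0x30, len(infos)]) + infos


def policy_oids(cert_policies_der):
    """Return the policy OIDs asserted in a certificatePolicies extension value."""
    assert cert_policies_der[0] == 0x30, "certificatePolicies must be a SEQUENCE"
    outer_len, i = _read_len(cert_policies_der, 1)
    end = i + outer_len
    oids = []
    while i < end:
        assert cert_policies_der[i] == 0x30, "PolicyInformation must be a SEQUENCE"
        info_len, j = _read_len(cert_policies_der, i + 1)
        assert cert_policies_der[j] == 0x06, "policyIdentifier must be an OID"
        oid_len, k = _read_len(cert_policies_der, j + 1)
        oids.append(decode_oid(cert_policies_der[k:k + oid_len]))
        i = j + info_len          # skip any policyQualifiers that follow the OID
    return oids


def ev_status(asserted_oids, issuer_root, browser_ev_table):
    """Separate 'CA asserts an EV OID' from 'this browser treats the cert as EV'.

    browser_ev_table maps a root name to the set of policy OIDs the browser
    recognises as EV for that root. The same OID under a root that is not in
    the table is still a CA assertion, but it is not EV to that browser.
    """
    recognised = browser_ev_table.get(issuer_root, set())
    return {
        "asserts_cabf_ev_oid": CABF_EV_OID in asserted_oids,
        "browser_recognises_ev": any(o in recognised for o in asserted_oids),
    }


# Constructed sample: a leaf asserting the CA/B Forum EV OID and a CA-specific one.
SAMPLE_POLICIES = build_cert_policies(["2.23.140.1.1", "1.3.6.1.4.1.99999.1.1"])
# Constructed browser table: the CA's OIDs are recognised only under its own root.
SAMPLE_BROWSER_TABLE = {"Example Root CA": {"2.23.140.1.1", "1.3.6.1.4.1.99999.1.1"}}

if __name__ == "__main__":
    oids = policy_oids(SAMPLE_POLICIES)
    print("asserted:", oids)
    print("under Example Root CA:", ev_status(oids, "Example Root CA", SAMPLE_BROWSER_TABLE))
    print("under Other Root:     ", ev_status(oids, "Other Root", SAMPLE_BROWSER_TABLE))
```

Run against the same certificate chained to two different roots, the second call reports that the CA still asserts the EV OID while the browser does not recognise the certificate as EV, which is exactly why a CPS or a Forum-maintained OID list answers only the first question and the browsers' own lists answer the second.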

13. Dates for Fall F2F meeting (Shanghai)

Kirk noted that the host of the Fall F2F meeting in Shanghai, CFCA, was focused on two potential weeks and wanted to know if there were conflicts for either week: October 16-18, 2018 or October 23-25, 2018. Ryan said there was a conflict for the week of October 23-25 with the W3C Tech Plenary week, so suggested the better date for the F2F meeting would be October 16-18, 2018. Kirk said he would convey that information to CFCA.

Kirk also noted that Comodo CA was hosting the next F2F meeting in London in early June, and suggested that Comodo ask members now if they need invitation letters to get a visa (as the visa approval process can take a long time). Robin agreed to do this.

14. Any Other Business

  • Kirk introduced a Resolution of Commendation for Gervase Markham of Mozilla, thanking him for all his years of service (2005-2018) to the Forum, and asked unanimous consent for its approval. The Members approved the Resolution unanimously. Kirk will convey the Resolution to Gerv, and post on the Public list.
  • Dean raised the topic of allowing F2F hosts to charge a standard amount to members for attendance at future F2F meetings, which could be important if we want smaller CAs to be able to serve as hosts. Ryan said this had been discussed at the last F2F meeting (Dean said he must have been out of the room), and pointed out that this was already allowed by Bylaw 4.2, which says in part:

“Forum Meetings may be held from time to time upon the voluntary sponsorship of one or more Forum members. The sponsor of a Forum Meeting may suggest a fixed cost per meeting participant as reimbursement to the sponsor to cover (a) the cost of meeting rooms and refreshments, and (b) the cost of any meeting dinner or other group activity. Sponsors will be encouraged to announce any suggested per-participant fixed cost reimbursement amount in advance of the Forum Meeting for participant planning purposes, and will provide a statement or invoice to each participant upon request after the Forum Meeting for submission to the participant’s accounting department. All per-participant reimbursements shall be paid directly to the sponsor. ***”

Kirk noted that the sponsor’s fixed cost per meeting participant was “suggested” only, and that members whose policies would not allow payment of the fixed cost for any reason could still attend the F2F meeting without paying the cost, but others could pay on a voluntary basis if it did not conflict with their policies.

15. Next call

April 5, 2018 at 11:00 am Eastern Time

16. Adjourn
