CA/Browser Forum
Home » All CA/Browser Forum Posts » 2018-04-05 Minutes

2018-04-05 Minutes

Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Cecilia Kam, (GlobalSign), Christopher Kemmerer (SSL.com), Corey Bonnell (Trustwave),Daymion Reynolds (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Frank Corday (Trustwave), Jeremy Rowley (DigiCert), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Robin Alden (ComodoCA), Ryan Sleevi (Google), Shelley Brewer (DigiCert), Steve Medin (DigiCert), Tim Hollebeek (DigiCert), Tim Shirley (Trustwave), Trevoli Ponds-White (Amazon), Virginia Fournier (Apple), Wayne Thayer (Mozilla).

  1. Roll Call

  2. **Read Antitrust Statement **

  3. Review Agenda. Agenda was approved.

  4. Update on ICANN actions re WhoIs data access, response to GDPR (presented by Francisco Arias, ICANN, and Andrew Sullivan, Oracle/DYN). Francisco Arias of ICANN discussed the policy development process at ICANN, and the review of ICANN registry rules that was occurring in part to help comply with upcoming GDPR rules which will take effect May 25, 2018. The current ICANN proposal is its Proposed Interim Model, which was distributed. See https://www.icann.org/news/blog/data-protection-privacy-update-seeking-input-on-proposed-interim-model-for-gdpr-compliance and https://www.icann.org/news/blog/data-protection-privacy-issues-update-more-details-published-on-icann-proposed-interim-model. It is entirely possible that registries will be allowed to publish only “thin data” that would not show the registrant name or any contact data – that is the current proposal. Limited groups, such as law enforcement, security researchers, etc. would have access to more data, but at this point not CAs. He recommended that CAs provide their input in the process by email to the following address as soon as possible: gdpr@icann.org. Discussion documents will be posted here: https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en. Additional updates will be published here: https://www.icann.org/dataprotectionprivacy. The current ICANN plan is an “interim” plan because the ICANN board has requested guidance from the EU on how to interpret the GDPR as it applies to WhoIs data. ICANN is also launching an RDAP pilot (the future successor to WhoIs), which will offer registries greater tools to allow differentiated access to domain registration data. He asked for CAs who are interested to volunteer for the pilot program. Further details can be found here:

    • https://www.icann.org/en/system/files/correspondence/diaz-to-atallah-01aug17-en.pdf

    • https://www.icann.org/en/system/files/correspondence/atallah-to-diaz-01sep17-en.pdf

    • RDAP page:* https://icann.org/rdap

    • Pilot page:* https://community.icann.org/display/RP/RDAP+Pilot Six registries covering 50+ gTLDs

    • Mailing list:* https://mm.icann.org/mailman/listinfo/gtld-tech Andrew Sullivan said Francisco’s summary was comprehensive and accurate, but added his view that once ICANN’s Interim Policy was adopted, it was unlikely that there would be any changes. Kirk noted that CAs need access to WhoIs data for some of the domain validation methods under BR 3.2.2.4, and asked how (from a technological standpoint) some registries were able to block WhoIs access to the public but allow it to others, such as CAs. Andrew said the most common method today was by IP address whitelisting for CAs (otherwise, access might be rate-limited, etc.). However, it is unclear whether WhoIs IP whitelisting would be an acceptable control for GDPR authorities, plus it doesn’t really scale. Also, many new registries are coming, so a comprehensive approach will be necessary, perhaps with certificate-based solutions. Kirk noted that the GDPR applies mainly to “natural persons” and not organizations, and only where there is an EU link – he asked Francisco why ICANN was effectively applying the GDPR to the entire WhoIs network, even for organizations and persons not connected with the EU. Francisco said that ICANN expected other privacy laws would emerge in other jurisdictions, and ICANN wanted to adopt a basic framework that could work for the GDPR and future privacy regulations, which are likely to be similar to the GDPR. Kirk asked what will happen to CA access on May 25 when the GDPR takes effect if there are no changes to ICANN’s Interim Plan. Francisco said again that ICANN is waiting for further guidance from the EU on how the GDPR applies to WhoIs, so that was not yet certain – ICANN had asked for a GDPR “moratorium” to apply to WhoIs records so it could have more time to come up with a solution. However, if there is no moratorium, Francisco thinks that registries will have to hide most WhoIs data from CAs starting May 25. Kirk thanked Francisco and Andrew for their valuable information, and encouraged CAs to send comments and recommendations concerning the Interim Plan to the ICANN email address listed above, gdpr@icann.org. Francisco and Andrew then left the call.

  5. Approval of Minutes. The following draft Minutes were approved, and will be posted to the Public list:

    1. Revised Minutes from teleconference of February 8, 2017 (Emailed by Kirk March 23 with further revisions to Sec. 9)
    2. F2F Minutes from March 7-8, 2018 (Emailed by Kirk March 23, as amended by Li-Chun’s email dated April 3)
    3. Minutes from teleconference of March 22, 2017 (Emailed by Kirk March 23 as amended by Dimitris email April 1).
  6. Governance Change Working Group – Implementation Plans for Ballot 206. Kirk congratulated Virginia, Dean, and other members of the WG for bringing Ballot 206 to a successful conclusion. Dean noted that all Forum Members need to sign the updated IPR Agreement now that Ballot 206 has passed, and said the WG had set up a site on the wiki where members can download the new agreement and upload signed copies. They have 90 days to do this, or they will lose their voting rights until the IPR Agreement has been signed. Ben said the WG needs to correct an outdated reference to ETSI nomenclature, and with Dimitris’ help the WG will correct that. Virginia noted that the new working group model will go into effect on July 3, 2018, and that it was a good time for people to start developing charters for new working groups and getting them pre-approved under the new model – that way they can be ready to go by July 3rd. Ben said the members needed to start now in preparing for the new policies and procedures we have adopted.

  7. Policy Review Working Group update. Ben and Dimitris said there was no update, but that the WG would meet again right after the Forum’s teleconference.

  8. Network Security Working Group update. Ben said the WG was working on better defining critical terms such as Certificate Issuing Systems, Certificate Systems, etc. in the Network Security Guidelines – defining what it is and scope so that other requirements will become clearer. The WG will use a matrix approach for this. Tim has created a spreadsheet where things are categorized by requirements – what zones, if publicly accessible, etc. More work is needed.

  9. Validation Working Group update. Wayne said the WG did three things on its last call. (1) Get more organized – this was discussed, and a Trello board was created to figure out priorities. (2) Work on the recent all-day Validation Working Group Summit at the F2F, organizing the findings and suggestions by validation method, etc. so amendments and additions can be considered. (3) Ask how to get validation method improvements going. It is unlikely that Method 1 will be coming back, but instead there are concrete proposals for substitute methods (labelled A, B, C, etc. to promote discussion). Tim said these proposals will also be added to the Trello board.

  10. Ballot Status – Discussion of ballots (See Ballot Status table at end of Agenda). There was no discussion.

  11. Bylaws Clarification – Form of audit required for CA Membership and Associate Membership. Kirk noted that the Forum’s Bylaws were somewhat unclear on what form of “audit” was required for a CA to become a Member, or an Associate Member, and suggested the members decide on that issue and then amend the Bylaws to make them clearer. The two options are a Point in Time (PIT) audit, also known as a “readiness” audit (before a CA begins operations), or a Period of Time (POT) audit, also known as a “performance” audit. Kirk noted that our Bylaws currently require a CA to submit the link to its latest “performance” audit (which would be a POT audit), but in the past it appears the Forum has also accepted PIT audits. Wayne thought a PIT audit was acceptable for membership, and was allowed under the Bylaws. Ryan thought either a PIT or POT audit was acceptable for membership, and noted that ETSI audits are effectively only POT audits (Arno agreed on that last point). Dimitris noted that browsers accepted PIT audits with a CA’s root store inclusion application. Ryan said that only Microsoft accepted PIT audits for root store inclusion, while other browsers required POT audits to be in the root store, so considering all the other Forum membership requirements that effectively requires a CA applying for membership to have a POT audit. Dimitris said he prefers that CA member applicants present a POT audit, which he noted can cover an operational period of as short as two months. Kirk thanked the members for their input. Because there are different viewpoints, he said he will post an online poll to gather the point of view of more members, and then bring back a proposal for Bylaws clarifications.

  12. Allowing people to the Forum’s Github site if they haven’t signed the IPR Agreement. Kirk noted that one company wanted to have the status of an Interested Party and participate in Forum discussions on issues, but didn’t want to sign our standard IPR Agreement for technical reasons. The company then said it assumed it was ok for it to continue to post comments on the Forum’s GitHub page, where draft ballots and other documents are posted for group review. Kirk said that he had a high opinion of the company, but he wasn’t comfortable in letting people who had not signed the Forum’s IPR Agreement post material to our GitHub page as this could defeat the purpose of the IPR Agreement (which is to promote participation in developing guidelines which would not be hampered by IP claims, and where all participants would grant royalty-free licenses to any IP they have included in the guidelines). In theory, someone could post content to the GitHub page that included its secret IP, then later sue all the Forum members for IP infringement. Ryan asked if there was any difference between allowing the public to post to GitHub versus sending a message to the Forum’s questions@ email box. Kirk said he thought there was a difference – GitHub access could be ongoing and extensive, while a comment or question posted to questions@ was usually limited (and a member of the public who abused questions@ posting privileges could be blocked). Virginia said allowing general public posting on the Forum’s GitHub page concerned her as not complying with the Forum’s IP goals. Ryan said he agreed in principal, but noted GitHub is useful because it allows valuable public feedback on proposals – and the Forum has solicited feedback from the public in the past via its questions@ mailbox. Virginia thought there was a difference – questions@ were very general comments, while GitHub was more specific. Tim said there was virtually nothing posted by the public in the GitHub pages, and any comments posted by the public had been minor. The suggestions from the company in questions had been helpful, and an error in draft Ballot 219 had been corrected as a result. The better approach is for members to keep their eyes open, and if a member of the public posts something IPR-constrained via GitHub or questions@, then the Forum can ask that person to sign the IPR Agreement before continuing. Ryan said there were other ways of limiting GitHub in the future based on the process, if needed. Virginia noted that other standards organizations like W3C face the same issues and had generally required participants to sign their IPR Agreement to participate. She recommended the Forum be proactive on this issue and take steps so members of the public could not post to GitHub unless they have signed the Forum’s IPR Agreement. Kirk noted there was no clear agreement on the issue, and asked those members who do participate on the GitHub page to be alert to the issue and take steps if necessary to head off an IP problem

  13. Any Other Business. There was no other business.

  14. Next call: (1) April 19, 2018 [RSA Week] or (2) skip until May 3, 2018? Kirk noted the next scheduled date for the CABF teleconference was April 19, right in the middle of RSA 2018 week which many members will be attending. He asked if the Forum should skip the April 19 call, and hold its next call on May 3. There were opinions on both sides. Kirk said he would post an online poll to get a broader sample, and then decide whether or not to skip the April 19 call.

  15. Adjourn

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).