CA/Browser Forum
Home » All CA/Browser Forum Posts » 2018-05-31 Minutes

2018-05-31 Minutes

Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bob Wiegand (SSL.com), Bruce Morton (Entrust), Cecilia Kam, (GlobalSign), Christopher Kemmerer (SSL.com), Corey Bonnell (Trustwave),Daymion Reynolds (GoDaddy), Devon O’Brien (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Frank Corday (Trustwave), India Donald (FPKI), Jeff Ward (WebTrust), Jos Purvis (Cisco), Ken Myers (Federal PKI), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Michele Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Patrick Tronnier (OATI), Peter Miscovic (Disig), Rich Smith (ComodoCA), Rick Andrews (DigiCert), Ryan Sleevi (Google), Tim Hollebeek (DigiCert), Tim Shirley (Trustwave), Trevoli Ponds-White (Amazon), Tyler Myers (GoDaddy),Virginia Fournier (Apple), Wayne Thayer (Mozilla), Wendy Brown (Federal PKI).

  1. Roll Call
  2. Read Antitrust Statement
  3. Review Agenda. Agenda was approved.
  4. Approval of Minutes of CABF Teleconference of May 3 and 17, 2018. The Minutes were approved.
  5. CA membership application of Hongkong Post CA (Certizen). Kirk reviewed the application materials received, and said the applicant appeared to qualify for CA membership. He noted that the CA itself appeared to be Hongkong Post CA, but that the CA was managed by Certizen. Certizen wanted both names to be included in the member name if possible. Ryan agreed that the applicant Hongkong Post CA appeared to qualify, but questioned whether Certizen should be included as part of the member name or participate in the Forum as a member. He said other CAs he has reviewed are in similar situations, but was not aware that this affects other CA members. It was noted that only Certizen had signed the Forum’s IPR Agreement, and all agreed that Hongkong Post would also have to sign in its own name before becoming a CA member. There was further discussion on issues of actual authority and apparent authority of one party to act for another. In the end, there was consensus that for now Hongkong Post could join as a CA member once it signs and returns the IPR Agreement, and that the issue of how to deal with another company who administers the infrastructure of a CA member and how to list the member name would be discussed later. Kirk asked the Governance Change Working Group to develop recommended rules for the Forum to consider.
  6. CA membership application of Visa. Kirk noted that Visa had previously been a CA member, but had dropped out at one point. Its application appeared to be in order, and the members agreed by consensus that Visa would again be accepted as a CA member.
  7. Associate Member status and meeting participation by related entities. Kirk summarized his emails on this topic, and said there were two issues to consider: (1) should Associate Members be asked to provide a list of individuals (or companies) who have authority to participate in Forum meetings as representatives of the Associate Member, and (2) should the Forum require all designated representatives of an Associate Member who are not actual employees of the Associate Member to sign the Forum’s IPR Agreement (as individuals, or as companies if that is how they have been designated). Kirk noted that the Forum was trying to be consistent in requiring all Forum “participants” to sign the IPR Agreement with the latest version 1.3, and the rules were somewhat unclear. Virginia thought generally that all participants should sign the IPR Agreement, except that employees of organizations that sign the IPR Agreement do not have to sign again in their individual capacity. Arno and Ben noted that in the past ETSI could not sign the IPR Agreement under its own rules because the CA/Browser Forum is not a corporation but only a name. Kirk noted that the Forum had solved that problem in 2009 by accepting a Letter of Intent from ETSI instead, which is still in effect. Jos said it might also be a good idea to ask full Members for a list of those authorized to represent them in Forum meetings (and in votes), as sometimes new names appear and we only have the peoples’ email addresses to connect them to a member. Tim noted that there were many new people at the Validation Summit held in March – they were all employees of members, but were unknown to the regulars at Forum meetings. He was cautious about starting up new lists of people as authorized representatives of members that might not be regularly maintained. Wendy said that she participates in Forum meetings only as a representative of the FPKI and is under a contract between her company and the US government for that support. Therefore her participation is covered under the same IPR signed by the government, according to government legal opinion at the time the government representative signed the initial IPR agreement. Kirk acknowledged her point of view, but noted that the Forum was struggling with the notion of who is a “participant” and needed to sign – as a hypothetical example, Wendy’s company could have a secret patent that Wendy promotes by proposing a new BR requirement in the name of the FPKI, and then once adopted by the Forum Wendy’s company could ask members for licensing fees – that is what the IPR Agreement is intended to prevent in the Forum and even at other groups like W3C. It’s something for the Forum to think about. However, that example would be a violation of the contract between Wendy’s company and the government, no different than an employee pushing a secret personally held patent and trying to ask for licensing fees not sanctioned by the employer, would violate the IPR signed on behalf of the employee’s company. Dimitris mentioned that for cases where the Member is the Organization that “owns” the rights for the Root/SubCA Certificates but delegates all operations to another company, it would make more sense and would be more beneficial for the Forum to have the actual Operator participating in the Forum activities, as they would have more to contribute. In order for an “owner” to have a delegated operator, a contractual agreement must be in place so that all obligations by the CA “owner” would flow down to its Operator. That would probably include any IPR agreements that the owner has signed and the Operator probably doesn’t need to. Of course this is a legal issue to be clarified. Kirk concluded by asking if anyone objected to his first proposal – asking Associate Members to list who their authorized representatives are at Forum meetings – and there were no objections. Kirk suggested the second issue – whether all representatives of an Associate Member should be required to sign an IPR Agreement in their own name or in their own company name (if different from the Associate Member’s name) should not be decided on this call, but instead the members should think about it and decide at a later time.
  8. Validation Working Group update. Tim said the WG had spent 30 minutes on its last call working on EV improvements, and the remaining time working on other validation improvements. The WG will meet for four hours in London.
  9. Network Security Working Group update – relaunch of Ballot 221 (Two-Factor Authentication and Password Improvements). Kirk noted that Ballot 221 had failed from lack of quorum, plus some confusion about the content of the ballot, and asked if it would be resubmitted. Tim said yes – he had communicated with Microsoft about some of its concerns, and would refile an amended ballot with a new number and with a red-line comparison showing changes (probably on GitHub) in the near future. Ben noted the WG will meet for two hours in London the following week.
  10. Governance Change Working Group – list of IPR Agreements v1.3 received to date. Kirk reviewed the list of signed IPR Agreements received, and noted that three more had just been submitted to him. Ben said the WG needed to start working on transition issues for the July 3 effective date of the governance ballot, and Tim agreed, saying the WG needed to meet and discuss rearranging existing mailing lists.
  11. Policy Review Working Group update. Dimitris said the WG will soon post a comparison version of the BRs on GitHub showing the terminology changes that are being proposed. The link will be sent to the Public mailing list. The WG will meet in London next week.
  12. Ballot Status – Discussion of ballots (See Ballot Status table at end of Agenda). No discussion.
  13. Agenda, logistics for London F2F – June 5-7, 2018. Kirk reviewed the Agenda and logistics for the Face-to-Face meeting in London the following week, and said there were still open Agenda times available on Thursday afternoon if members want to add topics.
  14. Any Other Business. There was no other business.
  15. Next call: June 14, 2018
  16. Adjourn
Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).