
2018-06-14 Minutes

Final Minutes for CA/Browser Forum Teleconference – 14 June 2018

Attendees: Arno Fiedler (D-TRUST), Ben Wilson (DigiCert), Cecilia Kam (GlobalSign), Christopher Kemmerer (SSL.com), Daymion Reynolds (GoDaddy), Devon O’Brien (Google), Dimitris Zacharopoulos (HARICA), Frank Corday (Trustwave), Joanna Fox (GoDaddy), Jos Purvis (Cisco), Julie Olson (GlobalSign), Ken Myers (Federal PKI), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Mike Reilly (Microsoft), Neil Dunbar (Trustcor), Patrick Tronnier (OATI), Peter Miscovic (Disig), Rich Smith (ComodoCA), Robin Alden (ComodoCA), Ryan Sleevi (Google), Shelley Brewer (DigiCert), Tim Hollebeek (DigiCert), Tim Shirley (Trustwave), Trevoli Ponds-White (Amazon), Virginia Fournier (Apple), Wayne Thayer (Mozilla), Wendy Brown (Federal PKI).

  1. Roll Call

  2. Read Antitrust Statement

  3. Review Agenda. Agenda was approved.

  4. Approval of Minutes of CABF Teleconference of May 31, 2018 as amended. The Minutes as amended were approved. Kirk also listed the missing portions of the Minutes from the London F2F meeting that occurred the prior week, and asked the volunteer Minutes takers to upload their Minutes as soon as possible.

  5. Validation Working Group update. No report.

  6. Network Security Working Group update. No report.

  7. Governance Change Working Group update.

(a) List of IPR Agreements v1.3 received to date. Kirk reviewed the list of Members and Associate Members who have not yet signed and returned the new IPR Agreement v. 1.3, and said he would soon send individual emails to people at the organizations involved.

(b) Review of changes to Forum governance structure after July 3. Kirk said the Governance Change Working Group had met by teleconference earlier in the week to map out the steps to take with the July 3 effective date of Ballot 206, and the conclusions were stated in the email he sent to the Public list. He asked if there were comments or questions, but there were none.

  8. Policy Review Working Group update. No update.

  9. Ballot Status – Discussion of ballots (See Ballot Status table at end of Agenda). No discussion.

  10. Follow-up from London F2F – June 5-7, 2018. No discussion.

  11. Any Other Business. Kirk referred to his email to the Forum earlier in the week discussing the issue of ETSI’s status as an Associate Member in the Forum, and whether anything would change once the deadline for signing the IPR Agreement v1.3 had passed. He noted that Associate Members are invited to participate in the Forum to help the Forum in its work (they don’t apply as CAs and browsers do), and further noted that Bylaw 3.1 contains the following sentence: “In order to become an Associate Member, an organization must sign a mutual letter of intent, understanding, or other agreement and the Forum’s IPR Agreement, unless this latter requirement is waived in writing by the Forum based on overriding policies of the Associate Member’s own organization IPR rules.” He noted that ETSI had objected years ago to signing the IPR Agreement based on ETSI policies, including the fact that the Forum is not a legal entity, and that for many years the Forum had relied on a 2009 Memorandum of Understanding between ETSI and the then-Chair of the Forum instead and waived the requirement that ETSI sign the IPR Agreement. He proposed to continue this existing practice.

Ryan objected to discussing the matter as it was not listed on the Agenda, and shouldn’t be discussed under “Any Other Business” in the Agenda. He believed the matter should be referred to the Governance Change Working Group for further discussion.

Virginia said the Agenda topic “Any Other Business” was an appropriate place for this discussion, and asked Ryan what his objection was. Ryan reiterated that the topic was not listed on the Agenda, and said that the topic was discussed by the members the prior week with other related open Associate Member issues, and believed further discussion should happen in a Governance Change Working Group meeting.

Ben Wilson noted that Google’s counsel was on the Governance Change Working Group meeting earlier this week, and did not bring up the matter. He noted that the current relationship and the existing MOU between the Forum and ETSI had been in place for nine years, and Ryan had never objected to it. Ryan said the issue of waiving signing of the new IPR Agreement was an issue for other members to raise, not Google.

Virginia asked what Ryan’s specific concerns were about ETSI’s status, and what additional facts were needed. She said that Google’s counsel didn’t seem to know anything about Ryan’s concerns on the Governance Change Working Group call earlier in the week. Ryan said he wanted to understand what concerns ETSI has with its signing the IPR Agreement – we don’t have that information in archive fashion. He’d like ETSI to clearly state its objections to signing. He also objected to the discussion on various procedural grounds.

Virginia said that pointing out what’s wrong with something is minimally helpful to the Forum – she asked what Ryan thinks should be done. Did he want a call with an ETSI person to discover what its problems were? Ryan said yes, and asked that ETSI write a problem statement. Virginia said the Governance Change Working Group could do this if it has appropriate contact addresses and phone numbers for ETSI.

Ben said the concern on this issue had been raised by Google, not ETSI, and the ball was in Google’s court. Ryan said if someone at ETSI has issues with signing the IPR Agreement, let ETSI express those concerns.

Virginia suggested the way to do that was to have a call with ETSI. Arno pointed out that Google is actually an ETSI member.

Dimitris said that at the London F2F meeting, we talked about Associate Members in general, and the fact that ETSI had said it couldn’t sign our IPR Agreement because the Forum was not a corporate entity. But there were other unresolved questions about Associate Members as well – for example, if CPA Canada (WebTrust) signs the Agreement as an Associate Member, are the CPA Canada representatives also required to sign in the names of their auditing firms? He said he would be interested in resolving these other issues also in the Governance Change Working Group.

Wendy said the Federal PKI would sign the IPR Agreement on behalf of the government and the FPKI representatives, and that the document was in legal review.

Kirk said it sounded like the Governance Change Working Group will take up all the open issues about Associate Members in future meetings. He said that in the meantime, for the avoidance of doubt as to ETSI’s status in the Forum, he planned to extend an ongoing invitation to ETSI to continue its participation in meetings and teleconferences as an invitee under Bylaw 5.4 until the Forum takes other action.

  12. Next call: June 28, 2018

  13. Adjourn
