
2019-08-22 Minutes of the CA/Browser Forum Teleconference

Attendees (in alphabetical order)

Arno Fiedler (D-TRUST), Ben Wilson (Digicert), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Gordon Bock (Microsoft), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Kenneth Myers (US Federal PKI Management Authority), Li-Chun Chen (Chunghwa Telecom), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley (SecureTrust), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla).

Minutes

1. Roll Call

The Chair took attendance.

2. Read Antitrust Statement

The Antitrust Statement was read.

3. Review Agenda

No changes to the agenda.

4. Approval of minutes from previous teleconference

The minutes from the previous teleconference were approved and will be circulated to the public list.

5. Forum Infrastructure Working Group update

No update.

6. Code Signing Working Group update

Dean mentioned that the Final Guideline will be posted on the public web site and that he will ask the CA Security Council to update its link. The WG discussed creating a separate timestamping document and whether the CSCWG should be re-chartered to bring timestamping certificates, associated with the id-kp-timeStamping EKU, into scope. Dean will discuss with Bruce to figure out what the plans are.

Ben talked about the need to recharter to make things as clean as possible. The existing guideline describes timestamping issues, and if the WG were to make any edits to those parts, it would probably be better to re-charter to specifically include the time stamping EKU as it relates to code signing, rather than trying to create a separate time stamping working group. This would be a first step, and then, if necessary, a separate time stamping working group could be chartered.

Arno mentioned that Europe and European CAs have been issuing qualified timestamps for almost 15 years and that there are well defined standards and policies for timestamps from ETSI.

Ryan also mentioned that this was discussed at the last F2F, specifically during the S/MIME working group session where re-chartering was one of the topics. Google is not supportive of the Code Signing Working Group taking action on time stamping. He noted that time stamping is not a code-signing issue but a broader problem which needs to be kept separate from code signing. He also restated Arno’s comment about the 15 years of European experience and the fact that timestamps are actively being used along with document signing and archiving. There is no EKU for time stamping that is specific to code signing. The suggestion was to create a different Working Group with a separate Charter.

Dean also added that the Working Group is preparing an information sharing sheet listing who to contact, and when, for code signing issues, malware, etc.

Gordon asked if the solution to time stamping was the formation of a new Working Group, and Dean replied that there are a couple of options to consider, one being that the WG doesn’t “touch” what’s in the current document and leaves it the way it is.

Ryan also asked whether the WG had adopted a document that provides guidance for time stamping that is outside the charter. Dean responded that the WG just adopted a document that already existed. He would take this discussion back to the WG to revisit.

7. Follow-up on new S/MIME WG Charter

No update.

8. Any Other Business

Mike asked if Members would be interested in exploring an update to the name “CA/Browser Forum” for the larger Forum, especially since we have already added the Code Signing Working Group and will add S/MIME and even Time Stamping Working Groups.

Tim H was curious about a proposed name and would be supportive of changing it. Dean mentioned that we have distinguished Certificate Consumers for each Working Group, but if there are particular proposals that could better represent the whole Forum, we should discuss further.

Ryan added that the term Application Software Suppliers could be resurrected.

Arno and Dimitris considered the CA/B Forum a good marketing name which is widely recognizable. The “brand” name is a very important asset.

Dimitris added a topic on resurrecting the governance subcommittee, as discussed at the last F2F. He reminded participants that he had sent an e-mail to the management list a few weeks back and asked whether there was interest in pursuing that. If not, Members would have to individually tackle some of the bylaws change proposals and present them to the Forum.

Ryan mentioned that Subcommittees need to be formed via ballot, so he repeated the proposal he had made at the F2F meeting, which was to identify the most pressing governance matters and create a ballot. The question is whether we need a Forum Subcommittee to work on those issues or whether we should continue to discuss them on the Forum’s plenary list. Ryan proposed that we start discussing some of these issues on the Forum public list and see if we can make progress on priorities. Members can also hold calls among themselves if they need to discuss issues in real time, without requiring the creation of a Subcommittee. This would help validate whether we should establish a Subcommittee and whether regular calls would be beneficial. Popular topics lately include document version control, flexibility for the Chair or Vice-Chair to make non-normative edits to the Final Guidelines, and Forum Members and representatives, where practically every Company representative has full privileges for voting, participating, posting, etc. These are important issues that should be discussed and resolved. We have had governance discussions during the regular plenary Forum teleconference in the past, so we could try to continue and see where this leads.

Dimitris agreed with that approach but also mentioned that the Google document of open issues lists about 11 issues to be addressed, so we need to prioritize. He will send a new message to the list to get more feedback.

Dean reminded Members who plan to attend F2F 48 and 49 to sign up and update the participant tables on the wiki so that the hosts can plan ahead.

9. Next call

September 5, 2019 at 11:00 am Eastern Time.

Adjourned
