CAB Forum Certificate Issuers, Certificate Consumers, and Interested Parties Working to Secure the Web
Roll call: Arno Fiedler (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Li-Chun Chen (Chunghwa Telecom), Michael Guenther (SwissSign), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Quo Vadis), Thanos Vrachnos (SSL.com), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority), Taconis Lewis (US Federal PKI Management Authority), Andrea Holland (SecureTrust).
Agenda approved, anti-trust statement was read, roll was taken.
Minute taker: Tim Hollebeek.
Tobi volunteered to take minutes in two weeks.
Previous minutes were approved.
Validation subcommittee discussed two things:
1. Voluntary disclosure of information sources
– a few other CAs said they were going to disclose after DigiCert, but haven’t
– CAs are still encouraged to disclosed, but voluntary doesn’t seem to be working
Ryan has a ballot to mandate disclosure
Discussion about the challenges of not having disclosure block issuance of certificates
Ryan posted a really good summary of the discussion to the mailing list, please read it there
2. Discussed the reorganization of requirements for certificate profiles
Draft skeleton certificate profile wasn’t up until shortly before the meeting, so not much
substantive discussion
Discussing continues on the list and in a Google document
Skeleton will again be reviewed on the next Validation call
NetSec subcommittee:
Discussing SC29 version 3 on the list
Minutes are up for review
SC28 (reducing log retention) is nearly complete
Another ballot (no number yet) for account deactivation
Ballot to replace secure zones and high security zones and replace with clearer structure
Dean: are you intending to start voting on SC29 next week?
Neil: are we allowing ballots due to the covid situation?
Wayne: I’d suggest putting a feeler out and seeing if people are ready to move forward
Ballot status:
Discussion period: SC29 (see above)
Voting period: None
Review period: SC26 (pandoc-friendly markdown changes) – ends Apr 30
Draft ballots:
Ryan – BR alignment
Ryan – Spring cleanup
Ryan – Data source disclosure (discussed on last week’s Validation call)
Chris Kemmerer – updated 6.1.1.3 to clarify requirements around rejecting weak keysServer Certificate Working Group adjourns