2021-02-04 Minutes of the CA/Browser Forum Teleconference
1. Attendees
Ali Gholami (Telia), Andrea Holland (SecureTrust), Arno Fiedler (D-TRUST), Ben Wilson (DigiCert), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Chris McMillan (Visa), Clint Wilson (Apple), Corey Bonnell (DigiCert), Daniela Hood (GoDaddy), David Kluge (Google), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Eusebio Herrera (AC Camerfirma), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Jeff Ward (CPA Canada/WebTrust), Jim Gorz (GoDaddy), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Juan-Angel Martin (AC Camerfirma SA), Karina Sirota (Microsoft), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Noorul Halimin Mansol (PoS Digicert), Patrick Nohe (GlobalSign), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rebecca Kelley (Apple), Ryan Sleevi (Google), Sebastian Schulz (GlobalSign), Shelley Brewer (DigiCert), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tim Callan (Sectigo), Tobias Josefowitz (Opera Software AS), Wendy Brown (US Federal PKI Management Authority)
2. Antitrust Statement read by Dean
3. Agenda
The agenda was reviewed.
4. Approval of prior minutes
The minutes of January 21st were approved.
5. Forum Infrastructure Update
Jos Purvis gave the update from the last subcommittee meeting. (1) There was a discussion of updates under GitHub. If someone wants experience using GitHub, they can create their own repository and everything will be copied to their account so they can experiment. (2) There was discussion of a bot account which would send periodic summaries of discussions on GitHub, since members are not seeing these discussions on the list now. The bot would collect the discussions and send them to the SCWG email list. (3) Sending updates from tools: GitHub could send out redlines and updates automatically, saving the Chair from doing so. (4) Creation of redlines is difficult with tables. This will get easier with passage of SC40. (5) The wiki SCWG page will have links to master versions of artifacts. If someone needs a copy of the Word version, they can get it there. (6) A mind map of the website will be generated for folks to review. (7) Table formatting for BRs. Suggestion to release versions in separate sections for better rendering or balloting. (8) Future things to look at: how to push items to the public website.
6. Code Signing Update
Dean gave the update. Ballot CSCWG-7 was approved and is in IPR review. A suggestion to put high-risk requests in the same category for all requests was made by Ian of Microsoft. CAs should check their internal database for prior requests from the customer. If there was a denial before, refer to section 11.7 for how to deal with it. If a key compromise had occurred, step them up to an HSM. There was further discussion on using a 3rd-party service to host data related to breaches. Another topic was using CAA to potentially check whether the CA is authorized to issue for the company. There was also a discussion on private key protection and the standards related to this. Discussion will continue on the next call. Ryan asked if the CSCWG planned to use Markdown in the future. Dean said he will bring this up on the next call.
7. S/MIME Working group update
Stephen Davidson gave the update. A new member has joined the working group from Austria: RundQuadrat, which manufactures email software for mobile devices. The group is focusing on two types of S/MIME certs: (1) multipurpose for legacy purposes and (2) Strict S/MIME only. They are looking at specific cert profiles under these categories.
8. 2021 F2F meeting schedule
Looking for guest speakers for the March meeting. Suggestions for topics and speakers are sought. June will also be virtual. Beyond that is TBD.
9. Other Business – Membership Applications
There was discussion about the application received from AT&T for Interested Party membership. Members were concerned that the agreement was not signed by someone with the proper authority to bind AT&T to the IPR. Members wanted to be sure the IP obligations are binding. Dean will draft a response for member review before sending to AT&T.
10. Next call
February 18th