2022-03-17 Minutes of the CA/Browser Forum Teleconference
Attendees
Adam Jones (Microsoft), Adrian Mueller (SwissSign), Amanda Mendieta (Apple), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Brittany Randall (GoDaddy), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (Digicert), Dean Coclin (Digicert), Doug Beattie (GlobalSign), Dustin Ward (SSL.com), Enrico Entschew (D-TRUST), Fumi Yoneda (Japan Registry Services), Heather Warncke (Amazon), Hogeun Yoo (NAVER), Hubert Chao (Google), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Joanna Fox (TrustCor Systems), Johnny Reading (GoDaddy), Karina Sirota (Microsoft), Kati Davids (GoDaddy), Khairil Nizam Abdul Malek (MSC Trustgate Sdn Bhd), Kiran Tummala (Microsoft), Mads Henriksveen (Buypass AS), Marcelo Silva (Visa), Martijn Katerbarg (Sectigo), Michelle Coon (OATI), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Ryan Dickson (Google), Stephen Davidson (Digicert), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Tyler Myers (GoDaddy), Wendy Brown (US Federal PKI Management Authority), Yoshiro Yoneya (Japan Registry Services)
Minutes
Opening Procedures- Dean
Roll Call – per above
Read Antitrust Statement- Jos Purvis
Review Agenda
Approval of minutes of Feb 3rd call
Approved
Forum Infrastructure Subcommittee update
Given by Jos Purvis
- Working group repo on Github is now working
- Terrific demo of membership application web app. This will be a great step up from current tooling
- Next steps are going to be setting up dev pages on AWS and then start tracking in parallel until finally moving over to it permanently
- There is a neat way how to track attendance on Webex, so this could be automated.
- If anyone has experience with PHP, the group is looking for help
- Difficulties in balloting are more in scope of content rather than processes
- Will do some documentation on how to do the technical aspects
- Discussed general revamp of the websites.
- There was a security issue with the site and GoDaddy and Ben were helpful in cleaning that up.
- Do they know what happened? They think there was an authentication breach.
- Do they know which account was breached? No, but anyone who has access has been asked to change creds.
- Plan for changing over DNS from GoDaddy to AWS soon. May push out this cutover due to ballot, but will look forward to it.
Code Signing Certificate Working Group update
Given by Bruce Morton
- Long discussion on subscriber key protection, and discussion on ballot, which should go out shortly.
- Long Discussion on going through the current document on bringing it up to date on the signing services.
SMIME working group update
Given by Stephen Davidson
- Discussion on wrapping up odds and ends on text for ballot before it goes out.
- Intend to have a month of pre-ballot discussion in order to find any issues, discussion
- Before going to a proper ballot in accordance with the bylaws.
- Have general agreement on how to go forward
- Having general discussions on the details, like the use of the pseudonym aspect or reuse of common name, as examples.
- In terms of mailbox validation, we are adopting the TLS Baseline requirements methods for proving mailbox control.
- There has been an additional discussion that there would be a variant on the MX method
- Draft is here: https://github.com/cabforum/smime/blob/preSBR/SBR.md
NetSec Working Group
Given by Clint Wilson
- A shift in the time for the cloud services and infrastructure group to 9am Pacific time starting next week. This group is progressing in the risk assessment quite well and still looking for more people.
- Looking at ballots around defined terms, adding definitions and fixing definitions overall.
- Will continue to give this update going forward.
Any Other Business
- Next meeting is in Warsaw. Will continue to look ahead and make a decision going forward.
- Will there be a hybrid? Maybe, but we cannot promise quality of the hybrid.
- Suggest to err on side of having a good hybrid meeting, but wait and see
- Berlin meeting is still scheduled for Oct 24-26