CA/Browser Forum
Home » All CA/Browser Forum Posts » 2022-12-08 Minutes of the CA/Browser Forum Teleconference

2022-12-08 Minutes of the CA/Browser Forum Teleconference

Attendees (in alphabetical order)

Adam Jones (Microsoft), Andrea Holland (SecureTrust), Atsushi INABA (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cassie L’Heureux (GoDaddy), Chris Clements (Google Chrome), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-Trust), Fumi Yoneda (Japan Registry Services), Joanna Fox (TrustCor), Johnny Reading (GoDaddy), Luis Cervantes (GoDaddy), Lynn Jeun (VISA), Mads Henriksveen (Buypass), Michelle Coon (OATI), Nargis Mannan (SecureTrust), Paul van Brouwershaven (Entrust), Peter Miskovic (Disig), Rebecca Kelley (Apple), Rollin Yu (TrustAsia), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM), Thomas Zermeno (SSL.com), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera), Trevoli Ponds-White (Amazon), Tyler Myers (Godaddy), Wendy Brown (FPKI), Yoshiro Yoneya (JPRS).

Minutes

**1. Roll call **

The Chair (Dimitris Zacharopoulos) took attendance

2. Read Antitrust Statement

The antitrust statement was read

**3. Review Agenda **

Today’s agenda was approved

**4. Approval of minutes of last call and F2F#57 **

The minutes of the last call and of the F2F#57 were approved.

**5. Forum Infrastructure Subcommittee update **

Jos Purvis, I couldn’t attend today and asked Ben Wilson to give the update:

  • The Infrastructure Subcommittee is experimenting with a new wiki based on BookStack. Jos is working on a script to import all content from the old wiki. Members can contact Jos if they would like to test the new wiki.
  • There is some work for the website, such as the minutes that need to be updated to associate them with each of the working groups.

6. Code Signing Certificate Working Group update

Bruce Morton gave the update. The working group had a long meeting and is working on three main items that have not completed yet:

  • Updates to the PR for revocation due to a signature on malware
  • Still working on updating the signing service item
  • Working on a ballot to remove references to the SSL BR

Tim Hollebeek commented that he double checked and that there is no need for a transition timeline for the signing service to require FIPS 140-2 level 3.

7. S/MIME Certificate Working Group update

Stephen Davidson joined late, and Tim Hollebeek agreed to provide the update.

  • The group discussed a proposal to move to a less frequent more predictable schedule of effective dates. Maybe twice a year but with the option to have emergency updates. Dimitris Zacharopoulos added that we will discuss the same topic later in this call.
  • Bruce Morton mentioned that the group talked about allowing the QIIS for just a couple of items to help validate address and the reliable method of communication. Tim Hollebeek added that there are definitely some good discussion points there and that he is glad Bruce spotted this.
  • Stephen joined late and adding that some information about CAA has been shared on the mailing list around the work that is happening in the LAMPS working group of the IETF.

**8. NetSec Working group report **

Clint Wilson gave the update.

  • The group talked about changing the meeting time as there are a few people that have been unable to attend lately. A straw poll will be sent out to see if there are people that would attend NetSec meetings, if it was at a different time, and try to figure out if we can find a schedule that works to allow us more folks to attend.
  • We have been working on the red-lines ballot that Ben Wilson has been spearheading, and we have spent a fair amount of time on the fundamentals around offline CAs, powered off CAs, air gapped CAs, what these different states mean, and what we can expect or should be able to expect them to mean.

**9. 2022-2024 CA/B Forum Plans – Strategy – Tasks **

Dimitris Zacharopoulos explained that he took a lot of feedback at the latest face to face meeting and had a couple of meetings with Paul van Brouwershaven (the vice chair) and other folks to put together a couple of slides for this call.

The slides can be reviewed here:

Dimitris presented the slides; the following items try to cover the discussions:

  • Issues with Bylaws and some of the working group Charters
  • Discussion about how we notify people of their obligation to comply with the forum policies such as the anti-trust statement and code of conduct.
  • Dean Coclin reminded that we looked into having a splash screen in WebEx like some other groups have but that our subscription does not support this.
  • Dimitris suggested that he could show a slide at the beginning of the meeting, Trevoli Ponds-White reminded that call-in users would not be able to see this slide. Tim Hollebeek commented that IETF uses a similar approach.
  • Trevoli suggested that we might also have it in the description of the agenda item. Tim stated that this is the only one that he has heard legal object to because nobody reads meeting invites.
  • Bruce Morton stated that we might all agree but that this might be a topic for a lawyer to look at.
  • Some tasks for the Infrastructure subgroup
  • Paul van Brouwershaven states that he had a conversation with Martijn Katerbarg (wo could not be on the call) about the management and automation of the ballot process in the new member tools. Martijn agreed to investigate and estimate the work.
  • Define specific release cycles for Guidelines
  • Two dates per year (March 15, September 15)
  • Emergency guidelines would allow bypassing the 6-moth limit
  • Tim and Trevoli argued that this could be covered in the ballot and members could vote no if they think it’s not an emergency. Corey Bonnell and Clint Wilson showed a thumbs up.
  • There was some discussion about a required discussion period for emergency ballots.
  • Paul suggested to look at software release life cycle management best practices.
  • Tim suggested that it would be beneficial if other root programs align their effective dates with the odd months.

**10. Any other business **

  • Dimitris created a minute takers rotation plan for the forum and server certificates working group like the validation subcommittee. The group has not shown any objections. Andrea Holland is the next minute taker on the list.
  • Reminder that people should not forget to sign-up for the next face-to-face meeting in Ottawa, hosted by Entrust from February 28 until March 2, 2023, and is followed by a Post-Quantum Cryptography from the PKI Consortium on Friday (3 March).
  • We are waiting on a confirmation of the dates for the summer face-to-face meeting hosted by Microsoft.
  • The fall 2023 face-to-face meeting is hosted by GlobalSign on October 11-13.
  • It was decided to cancel the December 22 meeting.

11. Next call

Jan 5, 2023

12. Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).