Meeting of the CA/Browser Forum
February 2, 2023
Attendance: Aaron Poulsen – (Amazon), Adam Jones – (Microsoft), Amanda Mendieta – (Apple), Andrea Holland – (SecureTrust), Ben Wilson – (Mozilla), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Chris Clements – (Google), Chris Kemmerer – (SSL.com), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Corey Rasmussen – (OATI), Daryn Wright – (GoDaddy), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Doug Beattie – (GlobalSign), Dustin Hollenback – (Microsoft), Enrico Entschew – (D-TRUST), Fumi Yoneda – (Japan Registry Services), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (SecureTrust), Joanna Fox – (TrustCor Systems), Johnny Reading – (GoDaddy), Jos Purvis – (Fastly), Karina Sirota – (Microsoft), Kiran Tummala – (Microsoft), Marcelo Silva – (Visa), Martijn Katerbarg – (Sectigo), Michelle Coon – (OATI), Nargis Mannan – (SecureTrust), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Peter Miskovic – (Disig), Rebecca Kelley – (Apple), Ryan Dickson – (Google), Sissel Hoel – (Buypass AS), Stephen Davidson – (DigiCert), Steven Deitte – (GoDaddy), Steve Topletz – (Cisco Systems), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tim Hollebeek – (DigiCert), Tobias Josefowitz – (Opera Software AS), Trevoli Ponds-White – (Amazon), Wayne Thayer – (Fastly), Wendy Brown – (US Federal PKI Management Authority), Yoshiro Yoneya – (Japan Registry Services).
Antitrust Statement read by Dimitris Zacharopoulos.
Review of Agenda: There were no additions.
Approval of Minutes from Last Call of January 19, 2023: minutes were approved.
Next minute-taker – Chris Clements (February 16, 2023)
Forum Infrastructure Subcommittee update – Moving away from the existing wiki and replacing it with a system called Bookstack. Would like to move the existing wiki to read-only starting today, but it may be down for a week. Since we are in the signup phase for the next F2F, it was decided to postpone the wiki change until after the F2F. Would like the wiki back or available to do the minutes after the F2F.
Code Signing Certificate Working Group update – Working on 3 ballots. One to change revocation requirements when suspect code is signed. Second is updating signing service requirements. Third is to remove call outs to SSL BRs, by including the same text or rationalizing the text to make sense for code signing. Hoping to have these closed in the next few months.
S/MIME Certificate Working Group update – Planning to have WebTrust draft by the next F2F. There has been an ETSI meeting working on an ETSI auditable plan for their next F2F in May. CAA may be extended to S/MIME based on an Internet draft written by Corey. Would probably have an effective date in 2024. Discussed whether existing issuing CAs can be used or whether new issuing CAs need to be created to meet the S/MIME BR requirements. There was consensus that existing issuing CAs could be used if they meet the S/MIME BRs. There was discussion of methods available for Enterprise RAs to validate email addresses. Waiting to hear confirmation back from certificate consumers about adopting the S/MIME BRs. We understand the Mozilla community is kicking off an inclusion discussion.
Network Security Working Group update – New meeting invite available on the wiki or from Clint. Currently working on introductory paragraphs to define desired outcomes of the sections and implementations.
Bylaw Changes – Dimitris and Tim Hollebeek are working on updates to the bylaws. For example, removing the reading of the antitrust statement before each meeting. According to the existing Bylaws, the meeting we are having right now is defined as a Teleconference and the antitrust statement only needs to be read at the face-to-face meetings. There should be a short statement read at the beginning of the Teleconference and F2F meetings. There may be some members with antitrust issues in their jurisdictions which they need to work through. It was suggested that it would be of benefit to those with antitrust issues to have the Bylaws changed. It was agreed that we would read a message similar to this starting at the next meeting, “All participants are reminded that they must comply with the CA/Browser Forum anti-trust policy, code of conduct, and intellectual property rights agreement. Please contact the chair with any comments or concerns about these policies.”
F2F58 Draft Agenda – We need to get the agenda finalized. Expect WG chairs to finalize their agendas. Looking for input from Browsers and Auditors for the time required. Everyone was asked to please register for the next F2F. It was agreed that the Browsers' time has appeared to be too short, so the normal 10 minutes each was changed to 15 minutes each. S/MIME BR Chair will ask if there is any interest in a presentation by the S/MIME certificate consumers.
Lessons Learned SC60 – Issue of ballot failing for a company that qualified and met the requirements. Do we need to add anything else in the membership application? Updates to clarify the requirements for voting in new members – charter or the bylaws. What do we do if the membership ballot fails? When can the applicant apply again? Do ballot proposers need to publish ballot results? Disappointed there was no ballot discussion, since there could have been an argument that the applicant did not meet the requirements. There was some disagreement about the ballot question. It was argued that a ballot failing is an acceptable outcome of a vote. Tim stated the question “What’s the point of having membership criteria if we arbitrarily reject people who meet the membership criteria?” Plan to discuss at the next F2F. The application process should not imply that a new applicant will be a new member. It was stated that we should not be making assumptions when we do not have enough information. Tobias wanted to voice his disagreement about the interpretation of the charter; he stated that we need to work to the charter and not bring in any other notions. Tobias is willing to propose a ballot to change the charter so a future application from the same applicant cannot be accepted for a year and the reasons for failing are no longer present. Tim H. is concerned that there will be many assumptions externally from the Forum, which could hurt the reputation, so we need to explain what happened to a broader audience.
Any other business: None
Next Meeting: February 16, 2023