CA/Browser Forum

2026-01-15 Minutes of the Forum

Minutes:

Begin Recording - Roll Call

Read note-well

Note read by Dimitris in the SCWG call

Review of Agenda

No changes in the agenda

Approval of minutes: December 4th (Eva), December 18 (Dustin)

Approved both

Server Certificate Working Group update (Dimitris)

Dean: Dimitris, please.

Dimitris: Searching for the minutes from Dustin but don't have that handy. Corey, can you update on the validation SC?

Corey: We met last week and had a good conversation about the ADN approval ballot. There were changes around ADN selection; you can follow the change of CNAMEs. There was also a finding that the language regarding method 22 needs to be changed, so good progress on that. That was the only topic. Continue next week with the work Aaron and Jacob are doing with the ballot. But it's in good shape and maybe not many changes.

Dimitris: Thanks Dean for the email with the minutes. Mostly talk about the ballots. Not a great update. The only one about the distrust of Microsec by Apple.

Dean: any question for Dimitris?

Code Signing Certificate Working Group update (Martijn)

Martijn: We had a call last week but unfortunately it was the 3rd call in a row that we didn't have any certificate consumer on the call. WG at this moment is basically stuck and we need to decide if we are having more calls or not.

Dean: I talked to Karina and they will join next call

Martijn: Yes, I also wrote her an email but no response. We'll see.

Dean: any questions for Martijn?

S/MIME Certificate Working Group update (Stephen)

Stephen: We met this week, yesterday. Primarily spent on the updated draft about the mDL. Good feedback that resulted in a new draft. There's an ongoing discussion about SMTP and SMTP authentication, usually certificates having the combination of serverAuth and clientAuth. Gathering data about the scale of the use cases. That is something that CAs around the world will work in separate hierarchies and it's a question if this needs to be discussed in the SCWG or in this group, and we need to decide where's the correct venue.

Dean: any question to Stephen?

NetSec Working Group update (Clint)

Dimitris: He's not in the call

Wayne: He left a message in Slack that he can't attend. I'll read it. The NSWG met on Tuesday. Read through and discussed the initial draft project plan Miguel put together for tackling the NCSSR rewrite / modernization project. Discussed whether to create a subcommittee for the cloud services work that’s been ongoing; ultimately determined to have a second NSWG call instead, so the NSWG will meet weekly now. If you’re in the NSWG you should have seen an invite for a “workshop” meeting next Tuesday; this is what used to be the “cloud services” group’s time.

Discussed the use of AI in generating meeting minutes. Consensus seemed to be that it’s functionally impossible to prevent individuals from using AI, so until or unless the Forum as a whole identifies an approach to take, that at least the NSWG deems it acceptable to leverage gen AI tools to assist with preparing minutes. There may be a NSWG on-site meeting around May to further the NCSSR rewrite effort. Nothing certain yet, but that’s what we’re roughly aiming for.

Wayne: I'd offer to take questions but can't handle them.

Miguel: I'm happy to take questions

Dean: any questions to Miguel or netsec?

Definitions and Glossary Working Group (Tim H.)

Dean: Tim C is not here and Tim H is not now so no update

Forum Infrastructure Subcommittee update (Jos)

Jos: F2F attendance: we are trying to keep track of attendance, and the problem is that Webex does not work for physical presence if people do not join the tool. So, we need a way to capture in-person attendees. The ultimate solution is to do a Google Form connected with a QR code, suggested by Tom Zermeno. People can scan the QR code and their registration will be added to the Google Sheet. We had a working proof of concept and check the instructions, etc. and then be able to allow for the F2F. The idea is not the Infra SC dealing with it and not being a bottleneck.

Dean: Thank you very much for that because there's a huge work for chairs to check that

Jos: The issue with AWS led us to a discussion about checking if the Forum could be a non-profit organization because of the problems that happened with the different tools we use, that some donate but in a specific manner are not easy to manage. Incorporating as a non-profit in any place. Ben had a proposal and circulated a pros-cons doc. Can be in one place or another.

Ben: I've circulated some and would like to know where to share (management vs public)

Dean: The management list is the best option

Ben: OK, I'll do

Dimitris: Ben, you know that HARICA has been supporting applications or Webex because it is a non-profit but based on the info received from the last process I think we will not be supporting the same process again

Ben: main problem is that going this path it can take 2 years to accomplish.

Dean: The Webex is the issue here. We can consider other tools that other members may think to donate while not going to a non-profit

Jos: True, and we do because we have the AWS infrastructure we have the option of self posting if it comes to that. There are some options on the table

Dean: Microsoft is here and may be willing to offer Teams or Google with Meet or Apple products. This is a lot of options if Webex is a problem.

Ben: We should keep going with that

Jos: That's the problem with Amazon because can't donate off the site and it's not a formal donation

Trev: It's an account out of the team's budget. Security does not allow doing this

Dimitris: Cisco does the same for Webex

Dean: Any other organization, standards body as non-profit?

Ben: W3C might be

Dimitris: ETSI is also like that

Ben: The question now is if we want to file in the US or go to another country

Dean: You mentioned Switzerland

Ben: have not looked at any candidate yet. I think Canada needs some kind of representation.

Dimitris: Need to find a champion for this

Dean: Jos, anything else?

Jos: One final note, I’ve been the chair of the infra SC since its inception and my job title now and responsibilities do not allow me to go to the F2F and it is a good time to talk about having someone else running it. I'm not stepping back but the organization work is better handled other way. I’m opening the floor to other person, let us know, particularly for the next election period.

Dean: So a call for candidates

Jos: Yes, there's no rush

Dean: Any question for Jos?

Scott: yes, I have one regarding the QR code. If this is per-session registration or once on-site.

Jos: We had that discussion for a separate registration for each WG or having one per day. WGs are broken by days, so the person building the forms and managing the F2F can do it one way or the other

Any Other Business: Reordering March Meeting, Proposed dates for fall meeting – Sept 21 or Oct 5th weeks, Attendance by D Telekom

Reordering the March meeting

Dean: Reordering the March meeting. I'm not able to attend the first day and asked Dimitris to switch the ServerCert WG to Tuesday and then do the forum plenary next day, Wednesday. Also there’s a conflict with the IETF meeting in China, they are probably leaving later that week. Is there a problem with this change? Dimitris any problem?

Dimitris: No, it's ok. ServerCert and validation are together. Corey any issue with that?

Corey: No, it's ok.

Dean: When I have the agenda published I'll check that everything is ok and we start on Tuesday with the ServerCert.

Dimitris: The idea is to have ServerCert and validation in one day but maybe need to ask for Clint for netsec.

Dean: Good point. I'll talk to Clint. Dustin, can you also talk to Clint?

Dustin: Yes. Sounds good.

Dean: Thank you. I encourage people to register. Event is on Wed evening. Hotel links are in the wiki.

Fall meeting

Dimitris: We are having 2 meetings this year, and talking about the fall meeting, there are a lot of events on those dates, ETSI, CA day, etc., so the options are the week of September 21st or the week of October 5th. Scott do you have any preference or restrictions?

Scott: I have to ask for feedback from folks to know which is better and if folks don't have any preference I think looks like October is better.

Dimitris: Problem that week

Dean: The week of Sept 21st is open. Would that work?

Scott: Need to ask. We have plenty of time to accommodate but the only thing I ask for is details

Dean: So, September 21st week is the best one (22 to 24 Sept)

Deutsche Telekom

Dean: Last topic. We have D Telekom attending the F2F meetings without signing the IPR agreement, and the IPR committee is not making changes to the IPR agreement, but they are still coming to the meetings but looking for feedback from this group on whether we allow organizations that have not signed the IPR agreement to attend the meetings. They do not participate much during the meeting but the concern is still there. Any comments?

Aaron: To be clear, it's not allowing them to attend but inviting them to attend because that's how the attendance policy works, right?

Dean: The policy is that the chair can invite but I’m not extending the invitation. Maybe they took as a perpetual ok. None has said anything until now. The only reason I'm bringing it now is because I was in one of those IPR reasons that Ben hosted and it was discussed.

Trev: how did they sign up?

Dean: they signed up by Enrico, he put them on the wiki.

Trev: ah, ok.

Dimitris: I always explicitly extended the invitation, there was no perpetual invitation for D Telekom security.

Dean: It's the same email every time and they expect me to say yes, then D-Trust put them on the wiki and I don't have to do that and that's why I'm bringing this here.

Trev: Why do we invite them?

Dean: let me find the email

Trev: Enrico is also on the call

Ben: The issue is that they want to sign the IPR but their legal counsel can't get it signed because all are independent, multinational, T-Mobile,…

Dean: Reading the email from Telekom. Legal problems do not allow us to participate but are looking for options. Suggestions are appreciated. And would like to have it done for the Houston meeting. Stephan as a remote participant and I'll be onsite.

Dustin: This perpetual exception, what are the issues that have not affected other members, multinational organizations? They had enough time to solve this problem

Dean: This is my problem

Dimitris: It's not perpetual

Dustin: Not perpetual but turned into de facto

Chris: Didn't we create like an invited person policy back in July for invitation to these meetings? About interested parties? Didn't that solve this?

Dimitris: I think this was for invited guests that make presentations

Dean: Yes, I think that was

Ben: I don't know if we can resolve it now. We can publish a new IPR agreement to address this, but they wanted a specific language (subsidiaries) that the legal committee said not to do that. If other large organizations have been able to sign why are they different? All comes down to communication with their legal counsel and they have a strong position.

Dean: Chris, this policy you mentioned, I don't think these guys fall into that category

Ben: The legal committee said that's the way W3C works as well

Trev: I'm confused. And we can change the expert policy but I think more participation is good but this is weird, maybe this may be an incentive to solve this problem if we don't allow this time

Wayne: My suggestion is that we do not extend the invitation to D Telekom for future F2F that if none objects for that then you have the back of the group. That´s my suggestion.

Aaron: I was going to say that in general that is appropriate and valuable to have a mechanism that allows us to invite people to join the forum without the legal signoffs, etc. for invited experts or create a new category but it must have a limit, this can be considered forever.

Martijn: To put in black and white they are a CA like any other CA here, adding a new category can have some problems because CAs can move to that new category. I know they have the best intentions but creating exceptions I don't think we should go that way

Scott: We can put this policy before the next one, to the fall one and extend 1, 2 months more.

Dimitris: If they haven't done for 3 years I don't think they should do now immediate

Dean: We can invite them for this time, for Houston, but if they don't do anything for the next one, they will not be invited anymore.

Dustin: The invitation has been approved?

Dean: The request to be invited has been sent to us, they signed up but for now is fine.

Dustin: They are waiting for yes or no, so just say no

Dean: Yes, we can say no

Aaron: We should stop extending the perpetual invitation to these folks. Don't have a strong feeling if they have booked flights for the upcoming F2F and this would be the last one with that invitation.

Dean: Seems logical. Enrico you have any comments?

Enrico: I usually put them on the list because I'm able to do so. But I'll let them know whether they can join or not. They have arranged something but not sure.

Dean: They sent an email on Dec 17th but didn't act because was on holidays

Enrico: I have been in contact with them and they have a limited budget and maybe have booked in advance.

Dean: I will handle it, do not want you to handle it. I ask about the plans and if they haven't booked anything I'll tell them not to join until they sign the IPR, consensus?

Dimitris: Yes

Trev: No objection. This is crazy

Dean: I want to make sure

Dimitris: I see the schedule for 2027, there are 2 meetings in the US, so is there any chance to ask SwissSign to run the fall meeting?

Dean: I actually want to do that. I reached out to Roman that we are not having the summer meeting and asked to switch to fall, I can reach out to him again. I'll do that. Anything else?

Next call: Jan 29th

Adjourn

Attendees

Aaron Gable - (Let’s Encrypt)
Adam Folson - (IdenTrust)
Adam Jones - (Microsoft)
Adriano Santoni - (Actalis S.p.A.)
Alvin Wang - (SHECA)
Antti Backman - (Telia Company)
Arman Asemani - (Apple)
Ben Wilson - (Mozilla)
Chris Clements - (Google)
Corey Bonnell - (DigiCert)
Corey Rasmussen - (OATI)
Cynethia Brown - (US Federal PKI Management Authority)
Daryn Wright - (Apple)
David Kluge - (Google)
Dean Coclin - (DigiCert)
Dimitris Zacharopoulos - (HARICA)
Dustin Hollenback - (Apple)
Enrico Entschew - (D-TRUST)
Eric Kramer - (Sectigo)
Hogeun Yoo - (NAVER Cloud Trust Services)
Inaba Atsushi - (GlobalSign)
Iñigo Barreira - (Sectigo)
Jeanette Snook - (Visa)
Jeff Ward - (CPA Canada/WebTrust)
Jieun Seong - (MOIS (Ministry of Interior and Safety) of the republic of Korea)
John Mason - (Microsoft)
Johnny Reading - (GoDaddy)
Jos Purvis - (Fastly)
Josselin Allemandou - (Certigna (DHIMYOTIS))
Julie Olson - (GlobalSign)
Jun Okura - (Cybertrust Japan)
Karina Sirota - (Microsoft)
Kateryna Aleksieieva - (Asseco Data Systems SA (Certum))
Lilia Dubko - (CPA Canada/WebTrust)
Lucy Buecking - (IdenTrust)
Luis Cervantes - (SSL.com)
Mahua Chaudhuri - (Microsoft)
Marco Schambach - (IdenTrust)
Martijn Katerbarg - (Sectigo)
Masaru Sakamoto - (Cybertrust Japan)
Michael Slaughter - (Amazon)
Michelle Coon - (OATI)
Miguel Sanchez - (Google)
Nate Smith - (GoDaddy)
Nome Huang - (TrustAsia)
Ono Fumiaki - (SECOM Trust Systems)
Paul van Brouwershaven - (Entrust)
Peter Miskovic - (Disig)
Rebecca Kelly - (SSL.com)
Rich Smith - (DigiCert)
Ryan Dickson - (Google)
Sándor Szőke - (Microsec)
Sandy Balzer - (SwissSign)
Scott Rea - (eMudhra)
Sean Huang - (TWCA)
Stephen Davidson - (DigiCert)
Sven Rajala - (Keyfactor)
Tathan Thacker - (IdenTrust)
Thomas Zermeno - (SSL.com)
Tim Hollebeek - (DigiCert)
Tobias Josefowitz - (Opera Software AS)
Trevoli Ponds-White - (Amazon)
Wayne Thayer - (Fastly)
Wendy Brown - (US Federal PKI Management Authority)
