CA/Browser Forum posts
Ballot 120 – Affiliate Authority to Verify Domain (passed)
June 5, 2014 by Ben WilsonVoting closed on June 5, 2014. We received votes in favor from Actalis, ANF, Buypass, DigiCert, Disig, Firmaprofesional, GlobalSign, GoDaddy.com, Logius PKIoverheid, Mozilla, QuoVadis, StartCom, Symantec, Trend Micro, TURKTRUST, OpenTrust, and WoSign. There were no votes against and no abstentions. Therefore, Ballot 120 passed. Kirk Hall of TrendMicro made the following motion and Jeremy Rowley of DigiCert and Cecilia Kam of Symantec have endorsed it: Ballot 120 – Affiliate Authority to Verify Domain Reasons for proposed ballot Ballot 72 in May 2012 reorganized the EV Guidelines by moving certain definitions and common provisions to the Baseline Requirements and replacing them with cross references to the Baseline Requirements. In July 2013, Ballot 104 was a similar replacement with a cross reference to avoid unnecessary duplication between the two sets of guidelines , but it inadvertently removed domain verification through a parent or subsidiary from EV Guidelines Sec. 11.6.2 (now renumbered as EVGL 11.6.1), which had listed it as part of the allowed verification process. Ballot 104 essentially deleted the separately listed EVGL 11.6.2 methods for verifying domain ownership, and instead inserted a cross-reference to the methods of verifying domain ownership in BR 11.1.1 (except for subsection (7) – “any other method of confirmation” – which was not deemed reliable enough for EV).
June 5, 2014 by Ben WilsonVoting closed on June 5, 2014. We received votes in favor from Actalis, ANF, Buypass, DigiCert, Disig, Firmaprofesional, GlobalSign, GoDaddy.com, Logius PKIoverheid, Mozilla, QuoVadis, StartCom, Symantec, Trend Micro, TURKTRUST, OpenTrust, and WoSign. There were no votes against and no abstentions. Therefore, Ballot 120 passed. Kirk Hall of TrendMicro made the following motion and Jeremy Rowley of DigiCert and Cecilia Kam of Symantec have endorsed it: Ballot 120 – Affiliate Authority to Verify Domain Reasons for proposed ballot Ballot 72 in May 2012 reorganized the EV Guidelines by moving certain definitions and common provisions to the Baseline Requirements and replacing them with cross references to the Baseline Requirements. In July 2013, Ballot 104 was a similar replacement with a cross reference to avoid unnecessary duplication between the two sets of guidelines , but it inadvertently removed domain verification through a parent or subsidiary from EV Guidelines Sec. 11.6.2 (now renumbered as EVGL 11.6.1), which had listed it as part of the allowed verification process. Ballot 104 essentially deleted the separately listed EVGL 11.6.2 methods for verifying domain ownership, and instead inserted a cross-reference to the methods of verifying domain ownership in BR 11.1.1 (except for subsection (7) – “any other method of confirmation” – which was not deemed reliable enough for EV).
2014-05-29 Minutes
May 29, 2014 by Ben WilsonNotes of Teleconference – CABF – 29 May 2014 1. Antitrust Statement: Read by Ben.
May 29, 2014 by Ben WilsonNotes of Teleconference – CABF – 29 May 2014 1. Antitrust Statement: Read by Ben.
Ballot 122 – Verified Method of Communication (failed)
May 8, 2014 by Ben WilsonBallot 122 – Verified Method of Communication Voting on Ballot 122 closed. We received “yes” votes from Actalis, Buypass, Comodo, DigiCert, GlobalSign, GoDaddy, Izenpe, Logius PKIoverheid, QuoVadis, SECOM, Symantec, Trend Micro, Trustis, TURKTRUST, Visa, and WoSign OpenTrust and SSC abstained. Mozilla and Microsoft voted “no.” Therefore, Ballot 122 did not pass. The EV Guidelines Working Group has completed its review of Section 11.4.2 of the EV Guidelines (Telephone Number for Applicant’s Place of Business). The purpose of the review was to “develop a more international process for verifying contact information,” especially to transition away from a landline-centric focus. The purpose of Section 11.4.2 has been to ensure a means for communicating with an organization (to verify the authority of EV roles and ensure that it was appropriately aware of the certificate request) and to provide additional evidence of an organization’s existence. This is maintained by the proposed replacement language.
May 8, 2014 by Ben WilsonBallot 122 – Verified Method of Communication Voting on Ballot 122 closed. We received “yes” votes from Actalis, Buypass, Comodo, DigiCert, GlobalSign, GoDaddy, Izenpe, Logius PKIoverheid, QuoVadis, SECOM, Symantec, Trend Micro, Trustis, TURKTRUST, Visa, and WoSign OpenTrust and SSC abstained. Mozilla and Microsoft voted “no.” Therefore, Ballot 122 did not pass. The EV Guidelines Working Group has completed its review of Section 11.4.2 of the EV Guidelines (Telephone Number for Applicant’s Place of Business). The purpose of the review was to “develop a more international process for verifying contact information,” especially to transition away from a landline-centric focus. The purpose of Section 11.4.2 has been to ensure a means for communicating with an organization (to verify the authority of EV roles and ensure that it was appropriately aware of the certificate request) and to provide additional evidence of an organization’s existence. This is maintained by the proposed replacement language.
Ballot 121 – EV Guidelines Insurance Requirements(failed)
May 7, 2014 by Ben WilsonBallot 121 – EV Guidelines Insurance Requirements Voting has closed on Ballot 121. “Yes” votes were cast by Buypass, Disig, Firmaprofesional, GlobalSign, GoDaddy, Izenpe, OpenTrust, SSC, Trend Micro, Turktrust, and WoSign. “No” votes were cast by Actalis, DigiCert, QuoVadis, Symantec, and Mozilla. Abstentions were submitted by StartCom, Visa, and Google. Therefore, Ballot 121 failed.
May 7, 2014 by Ben WilsonBallot 121 – EV Guidelines Insurance Requirements Voting has closed on Ballot 121. “Yes” votes were cast by Buypass, Disig, Firmaprofesional, GlobalSign, GoDaddy, Izenpe, OpenTrust, SSC, Trend Micro, Turktrust, and WoSign. “No” votes were cast by Actalis, DigiCert, QuoVadis, Symantec, and Mozilla. Abstentions were submitted by StartCom, Visa, and Google. Therefore, Ballot 121 failed.
2014-05-01 Minutes
May 1, 2014 by Ben WilsonNotes of meeting, CAB Forum, 1 May 2014, Version 2 1. Antitrust Statement
May 1, 2014 by Ben WilsonNotes of meeting, CAB Forum, 1 May 2014, Version 2 1. Antitrust Statement
Turktrust Statement on Root CA Recognition Process
April 17, 2014 by Ben WilsonAs a member of the CA/Browser Forum, we want to share our experiences with trying to overcome hurdles with trust anchor programs during recognition processes. This is not a complaint issue, we just want to discuss it and open to any kind of advice. Oracle is not a member of the Forum, yet we want to mention that we have spent a lot of efforts to complete the application form. The only answer was that we had been rejected without giving any reason. They have said please apply 6 months later. We have asked for the reasons of rejection and what kind of improvements should we make to be successful. Simply, there was no response.
April 17, 2014 by Ben WilsonAs a member of the CA/Browser Forum, we want to share our experiences with trying to overcome hurdles with trust anchor programs during recognition processes. This is not a complaint issue, we just want to discuss it and open to any kind of advice. Oracle is not a member of the Forum, yet we want to mention that we have spent a lot of efforts to complete the application form. The only answer was that we had been rejected without giving any reason. They have said please apply 6 months later. We have asked for the reasons of rejection and what kind of improvements should we make to be successful. Simply, there was no response.
2014-04-17 Minutes
April 17, 2014 by Ben WilsonNotes of meeting, CAB Forum, 17 April 2014, Version 1 1. Antitrust Statement – read by Ben.
April 17, 2014 by Ben WilsonNotes of meeting, CAB Forum, 17 April 2014, Version 1 1. Antitrust Statement – read by Ben.
WebTrust Releases New Audit Criteria for Extended Validation and Baseline Requirements
April 5, 2014 by Ben WilsonOn April 3, 2014, the WebTrust® Task Force of the American Institute of CPAs (AICPA) and Chartered Professional Accountants Canada (CPA Canada) released three new audit criteria documents to the CA/Browser Forum and others for review and/or implementation. These documents are part of the WebTrust Program for Certification Authorities and are based on the CA/Browser Forum Guidelines. The Trust Services Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.4.5 is based on the Forum’s Guidelines for the Issuance and Management of Extended Validation SSL Certificates – Version 1.4.5 and is effective immediately (3 April 2014).
April 5, 2014 by Ben WilsonOn April 3, 2014, the WebTrust® Task Force of the American Institute of CPAs (AICPA) and Chartered Professional Accountants Canada (CPA Canada) released three new audit criteria documents to the CA/Browser Forum and others for review and/or implementation. These documents are part of the WebTrust Program for Certification Authorities and are based on the CA/Browser Forum Guidelines. The Trust Services Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.4.5 is based on the Forum’s Guidelines for the Issuance and Management of Extended Validation SSL Certificates – Version 1.4.5 and is effective immediately (3 April 2014).
Ballot 112 – Replace Definition of “Internal Server Name” with “Internal Name”(passed)
April 3, 2014 by Ben WilsonBallot 112 – Replace Definition of “Internal Server Name” with “Internal Name” Votes in Favor: ANF, Buypass, Comodo, DigiCert, Disig, FirmaProfesional, GlobalSign, GoDaddy, Logius PKIoverheid, QuoVadis, Sertifitseerimiskeskus, SSC, StartCom, SwissSign, Symantec,Trend Micro, Trustis, TURKTRUST, TAIWAN-CA, WoSign, Mozilla and Google No abstentions or nay votes. Ballot passed. The current definition of Internal Server Name is ambiguous. It reads, “A Server Name (which may or may not include an Unregistered Domain Name) that is not resolvable using the public DNS.”
April 3, 2014 by Ben WilsonBallot 112 – Replace Definition of “Internal Server Name” with “Internal Name” Votes in Favor: ANF, Buypass, Comodo, DigiCert, Disig, FirmaProfesional, GlobalSign, GoDaddy, Logius PKIoverheid, QuoVadis, Sertifitseerimiskeskus, SSC, StartCom, SwissSign, Symantec,Trend Micro, Trustis, TURKTRUST, TAIWAN-CA, WoSign, Mozilla and Google No abstentions or nay votes. Ballot passed. The current definition of Internal Server Name is ambiguous. It reads, “A Server Name (which may or may not include an Unregistered Domain Name) that is not resolvable using the public DNS.”
2014-04-03 Minutes
April 3, 2014 by Ben WilsonMinutes of 3 April 2014 1. Antitrust Statement – read by Dean.
April 3, 2014 by Ben WilsonMinutes of 3 April 2014 1. Antitrust Statement – read by Dean.