CA/Browser Forum posts
Announcing the formation of the Code Signing Working Group – Call for Participants
April 22, 2013 by Ben WilsonThe CA/Browser Forum has chartered a Code Signing Working Group, the purpose of which is to come up with Baseline Requirements to reduce the incidences of signed malware. The CA/Browser Forum would like to invite interested third parties to participate. The working group meets bi-weekly by phone and had its first face to face meeting in Munich on June 13th coinciding with the regular CA/Browser Forum meeting. Interested parties will need to:
April 22, 2013 by Ben WilsonThe CA/Browser Forum has chartered a Code Signing Working Group, the purpose of which is to come up with Baseline Requirements to reduce the incidences of signed malware. The CA/Browser Forum would like to invite interested third parties to participate. The working group meets bi-weekly by phone and had its first face to face meeting in Munich on June 13th coinciding with the regular CA/Browser Forum meeting. Interested parties will need to:
2013-04-18 Minutes
April 18, 2013 by Ben Wilson18 April 2013 Present: Ben Wilson, Mads Henriksveen, Jeremy Rowley, Gerv Markham, Rick Andrews, Tom Albertson, Ryan Koski, Atsushi Inaba, Wayne Thayer, Robin Alden, Eddy Nigg, Kirk Hall, Wendy Brown, Atilla Biler, Stephen Davidson, Don Sheehy, and Joe Kaluzny Agenda review: Version 2 of the agenda was reviewed, which included discussion of Ballot 99, which Rick had requested previously. Ben mentioned that he will start keeping a list of some action items not on the agenda at the bottom of each agenda he sends out, just to keep them in mind. Approve Minutes of 4 April 2013: Mads asked for clarification on Item 14 in the draft minutes regarding Phill’s draft white paper on code signing, which had not been circulated to the Forum as indicated. Tom clarified that it had been sent only to the code signing working group. With that correction, the minutes of 4 April 2013 were approved for publication. Announcements and Review of Ballots: There are no ballots pending. Ben stated that several CABF members had requested that we move our Ankara F2F meeting away from October 1-3 because it conflicted with their OTA meeting in Bellevue, Washington, on those same dates. Gerv suggested that we hold another straw poll. DSA Keys Ballot 99: Rick is writing up the text on Ballot 99 to amend Appendix A to add DSA 2048 to list of approved algorithms. Report of NIST Workshop: Ben explained that the purpose of the workshop was to review the industry solutions that require multi-stakeholder involvement-mainly DANE and CT-although several similar technologies were discussed. There was general consensus that DNSSEC when fully deployed as a separate technology will help improve the overall security of the Internet. One of the barriers to DANE is the lack of full DNSSEC deployment throughout the Internet. There are also issues with CT that need to be worked out-primarily who will run and manage the CT logs and will they be sufficiently robust. Another issue is how many log records will have to be embedded in certificates. Stephen noted that the presentations on CT are helpful in understanding how the log servers will work, but there is little information on what CAs will need to do to participate in pilot testing. It was suggested that we start a list discussion to gather more information on this topic and that the resources be collected on a wiki page dedicated to CT. Rick said that Adam, Ben, and Emilia from Google have been very helpful. Stephen said that CAs developed in-house will have an easier time implementing CT than those who have acquired their systems off-the-shelf.During the NIST Workshop OCSP Stapling and Must-Staple were also discussed. The take-away is that we need to identify remaining gaps that prevent implementing OCSP must-staple as a solution. Another take-away is that CAs need to do a better job working with their customers and provide better advice on server configurations and the use of SSL/TLS. The Dutch Government presented on Diginotar. Fox-IT’s time-lapse animation of OCSP responses for the *.google.com from the Black Tulip Report was shown a couple of times. (http://youtu.be/wZsWoSxxwVY). It showed how use of the certificate concentrated in Iran, but then spread to other parts of the world as a result of DNS redirection, etc. Jens Bender presented on his work on strengthening audit requirements for issuers of qualified certificates and EV certificates. Ben presented an overview of current audit frameworks, including ETSI and WebTrust.Other technology discussions included CAA, HSTS, pinning, and hierarchical geographic / DNS scoping. There was consensus that, putting aside any potential anti-competitive lock-in concerns, CAA would not break anything and so should be considered as a partial solution. HSTS and pinning received favorable responses. Pure hierarchy-based geographic and jurisdiction-based domain name scoping were not received favorably. However, critical name constraints were viewed as a potential solution, provided that all browsers implement them in a similar fashion. Rick noted that no solution was identified as a fix-all, so the recommendation was that all parties should try and implement as many of the solutions as they deemed feasible so that we can experiment with them and get a better feel for what works and what doesn’t work. Another related point was to identify how well each of the solutions mitigates the threat and/or vulnerability that it aims to address. Wendy said that from her perspective, the workshop organizers did not want everyone going off and trying all of these different solutions, but that they were trying to get people to come to consensus on which of the solutions would provide the biggest bang for the buck, as opposed to spreading efforts across all potential efforts. Ben noted that NIST was hoping a coordinating group would emerge that would give direction and encouragement to the efforts already underway at IETF, CAB Forum, etc. Ballot 89 Relaunch of EV Processing Guidelines: Rick updated the document following the F2F in Mountain View and would like to put forth a ballot that either adopts an update to the current EV Processing Guidelines on the web site or removes the current one. Ben suggested that the ballot could be made in the alternative, as outlined by Rick. Rick noted that there has been a certain degree of fatigue from those who have worked on the revisions thus far. Tom offered to review the current version 2 draft with people at Microsoft and Mozilla, including Kathleen, but it might be a couple weeks before he is able to provide feedback. Browser implementation of Critical Name Constraints and use of DirectoryName and DNSName to technically constrain external subCAs: Ben said that this agenda item was related to a proposal by Steve Roylance to amend the Baseline Requirements, which has been discussed on the list, and comments made during the NIST Workshop about whether browsers were properly implementing critical name constraints, particularly Apple. The proposed ballot also addresses audit exceptions when sub CAs are technically constrained, and the Mozilla policy includes similar language. While Steve could not be on this call, he had previously noted that we need to keep moving forward on resolving this critical name constraints issue. Wendy reminded the group that certificate validation will fail if you add a subject alternative name that does not follow the pattern used for critical name constraints (for instance, if you include a GUID/UUID in the SAN). A take-away from criticality is that it makes it more likely that something will fail if you don’t do it right, and this might be one reason why Apple has not implemented it. Robin noted that criticality, per se, is not the issue with Apple–Apple simply ignores name constraints altogether, but Geoff has indicated previously that fixes to name constraints are part of Apple’s product plans. However, no one currently has information on the status of that fix. Rick said we should also check to see if all other browsers handle critical name constraints properly.Kirk wondered whether the proposed ballot was to address audits of RAs under Mozilla’s policy, but that anyone with problems implementing name constraints should take it up with the particular browser. Robin said that Mozilla has a clear position, but how it fits in with the root programs of other browsers is also an issue. Ben asked whether Tom could discuss name constraints with Kathleen if he is going to talk to her anyway to see whether all browsers have a common approach to name constraints. Tom and Gerv said that they support name constraints, so there may not be an issue to discuss. Any Other Business: Joe Kaluzny raised the issue from the Baseline Requirements’ prohibition on responding “good” to a non-issued certificate (Ballot 80). August 1, 2013 is fast approaching, and we had said that we would revisit this prohibition if CRL-based systems had not been patched in time. Joe said that their Microsoft OCSP responder is based on CRLs and they are concerned that a patch will not be available. He also said that some vendors may decide not to support that capability. Gerv said that before we take action to postpone this deadline, it would be good if we could get reports back from vendors who are not compliant with this requirement to find out what their plans are, and if they are going to patch this, their anticipated date of delivery. Joe said that from his last discussions with Microsoft he did not believe that they were planning to patch this. Wendy and Jeremy discussed whether the revision to RFC 2560 would also address this. Ben said that those planning on presenting a ballot to eliminate or delaying the requirement should also present what efforts they are making to address the problem of “non-issued” certificates and moving certificate status technology forward beyond where we are today-not that this suggestion is tied to the ballot, but just advice that they should be looking at the solutions that are out there-including security mitigations that show their risk posture is the same or better than modifying their software to not respond “good” for non-issued certificates.Next Code Signing meeting will be next Wednesday, April 24, at 1600 UTC. Next CAB Forum call will be Thursday, May 2nd, at 1600 UTC. Meeting adjourned.
April 18, 2013 by Ben Wilson18 April 2013 Present: Ben Wilson, Mads Henriksveen, Jeremy Rowley, Gerv Markham, Rick Andrews, Tom Albertson, Ryan Koski, Atsushi Inaba, Wayne Thayer, Robin Alden, Eddy Nigg, Kirk Hall, Wendy Brown, Atilla Biler, Stephen Davidson, Don Sheehy, and Joe Kaluzny Agenda review: Version 2 of the agenda was reviewed, which included discussion of Ballot 99, which Rick had requested previously. Ben mentioned that he will start keeping a list of some action items not on the agenda at the bottom of each agenda he sends out, just to keep them in mind. Approve Minutes of 4 April 2013: Mads asked for clarification on Item 14 in the draft minutes regarding Phill’s draft white paper on code signing, which had not been circulated to the Forum as indicated. Tom clarified that it had been sent only to the code signing working group. With that correction, the minutes of 4 April 2013 were approved for publication. Announcements and Review of Ballots: There are no ballots pending. Ben stated that several CABF members had requested that we move our Ankara F2F meeting away from October 1-3 because it conflicted with their OTA meeting in Bellevue, Washington, on those same dates. Gerv suggested that we hold another straw poll. DSA Keys Ballot 99: Rick is writing up the text on Ballot 99 to amend Appendix A to add DSA 2048 to list of approved algorithms. Report of NIST Workshop: Ben explained that the purpose of the workshop was to review the industry solutions that require multi-stakeholder involvement-mainly DANE and CT-although several similar technologies were discussed. There was general consensus that DNSSEC when fully deployed as a separate technology will help improve the overall security of the Internet. One of the barriers to DANE is the lack of full DNSSEC deployment throughout the Internet. There are also issues with CT that need to be worked out-primarily who will run and manage the CT logs and will they be sufficiently robust. Another issue is how many log records will have to be embedded in certificates. Stephen noted that the presentations on CT are helpful in understanding how the log servers will work, but there is little information on what CAs will need to do to participate in pilot testing. It was suggested that we start a list discussion to gather more information on this topic and that the resources be collected on a wiki page dedicated to CT. Rick said that Adam, Ben, and Emilia from Google have been very helpful. Stephen said that CAs developed in-house will have an easier time implementing CT than those who have acquired their systems off-the-shelf.During the NIST Workshop OCSP Stapling and Must-Staple were also discussed. The take-away is that we need to identify remaining gaps that prevent implementing OCSP must-staple as a solution. Another take-away is that CAs need to do a better job working with their customers and provide better advice on server configurations and the use of SSL/TLS. The Dutch Government presented on Diginotar. Fox-IT’s time-lapse animation of OCSP responses for the *.google.com from the Black Tulip Report was shown a couple of times. (http://youtu.be/wZsWoSxxwVY). It showed how use of the certificate concentrated in Iran, but then spread to other parts of the world as a result of DNS redirection, etc. Jens Bender presented on his work on strengthening audit requirements for issuers of qualified certificates and EV certificates. Ben presented an overview of current audit frameworks, including ETSI and WebTrust.Other technology discussions included CAA, HSTS, pinning, and hierarchical geographic / DNS scoping. There was consensus that, putting aside any potential anti-competitive lock-in concerns, CAA would not break anything and so should be considered as a partial solution. HSTS and pinning received favorable responses. Pure hierarchy-based geographic and jurisdiction-based domain name scoping were not received favorably. However, critical name constraints were viewed as a potential solution, provided that all browsers implement them in a similar fashion. Rick noted that no solution was identified as a fix-all, so the recommendation was that all parties should try and implement as many of the solutions as they deemed feasible so that we can experiment with them and get a better feel for what works and what doesn’t work. Another related point was to identify how well each of the solutions mitigates the threat and/or vulnerability that it aims to address. Wendy said that from her perspective, the workshop organizers did not want everyone going off and trying all of these different solutions, but that they were trying to get people to come to consensus on which of the solutions would provide the biggest bang for the buck, as opposed to spreading efforts across all potential efforts. Ben noted that NIST was hoping a coordinating group would emerge that would give direction and encouragement to the efforts already underway at IETF, CAB Forum, etc. Ballot 89 Relaunch of EV Processing Guidelines: Rick updated the document following the F2F in Mountain View and would like to put forth a ballot that either adopts an update to the current EV Processing Guidelines on the web site or removes the current one. Ben suggested that the ballot could be made in the alternative, as outlined by Rick. Rick noted that there has been a certain degree of fatigue from those who have worked on the revisions thus far. Tom offered to review the current version 2 draft with people at Microsoft and Mozilla, including Kathleen, but it might be a couple weeks before he is able to provide feedback. Browser implementation of Critical Name Constraints and use of DirectoryName and DNSName to technically constrain external subCAs: Ben said that this agenda item was related to a proposal by Steve Roylance to amend the Baseline Requirements, which has been discussed on the list, and comments made during the NIST Workshop about whether browsers were properly implementing critical name constraints, particularly Apple. The proposed ballot also addresses audit exceptions when sub CAs are technically constrained, and the Mozilla policy includes similar language. While Steve could not be on this call, he had previously noted that we need to keep moving forward on resolving this critical name constraints issue. Wendy reminded the group that certificate validation will fail if you add a subject alternative name that does not follow the pattern used for critical name constraints (for instance, if you include a GUID/UUID in the SAN). A take-away from criticality is that it makes it more likely that something will fail if you don’t do it right, and this might be one reason why Apple has not implemented it. Robin noted that criticality, per se, is not the issue with Apple–Apple simply ignores name constraints altogether, but Geoff has indicated previously that fixes to name constraints are part of Apple’s product plans. However, no one currently has information on the status of that fix. Rick said we should also check to see if all other browsers handle critical name constraints properly.Kirk wondered whether the proposed ballot was to address audits of RAs under Mozilla’s policy, but that anyone with problems implementing name constraints should take it up with the particular browser. Robin said that Mozilla has a clear position, but how it fits in with the root programs of other browsers is also an issue. Ben asked whether Tom could discuss name constraints with Kathleen if he is going to talk to her anyway to see whether all browsers have a common approach to name constraints. Tom and Gerv said that they support name constraints, so there may not be an issue to discuss. Any Other Business: Joe Kaluzny raised the issue from the Baseline Requirements’ prohibition on responding “good” to a non-issued certificate (Ballot 80). August 1, 2013 is fast approaching, and we had said that we would revisit this prohibition if CRL-based systems had not been patched in time. Joe said that their Microsoft OCSP responder is based on CRLs and they are concerned that a patch will not be available. He also said that some vendors may decide not to support that capability. Gerv said that before we take action to postpone this deadline, it would be good if we could get reports back from vendors who are not compliant with this requirement to find out what their plans are, and if they are going to patch this, their anticipated date of delivery. Joe said that from his last discussions with Microsoft he did not believe that they were planning to patch this. Wendy and Jeremy discussed whether the revision to RFC 2560 would also address this. Ben said that those planning on presenting a ballot to eliminate or delaying the requirement should also present what efforts they are making to address the problem of “non-issued” certificates and moving certificate status technology forward beyond where we are today-not that this suggestion is tied to the ballot, but just advice that they should be looking at the solutions that are out there-including security mitigations that show their risk posture is the same or better than modifying their software to not respond “good” for non-issued certificates.Next Code Signing meeting will be next Wednesday, April 24, at 1600 UTC. Next CAB Forum call will be Thursday, May 2nd, at 1600 UTC. Meeting adjourned.
2013-04-04 Minutes
April 4, 2013 by Ben WilsonHere are the notes from our penultimate telephone call, held 4 April 2013. Item 14 was amended from the draft minutes to clarify that the draft white paper had been circulated to the code signing working group and not the CABF as a whole. Present: Rick Andrews, Atsushi Inaba, Dean Coclin, Robin Alden , Steve Roylance, Wayne Thayer, Gerv Markham , Ben Wilson, Rich Smith, Phil Hallam-Baker Agenda review: The agenda was not sent out ahead of time due to a mix-up but was announced at the start of the meeting.
April 4, 2013 by Ben WilsonHere are the notes from our penultimate telephone call, held 4 April 2013. Item 14 was amended from the draft minutes to clarify that the draft white paper had been circulated to the code signing working group and not the CABF as a whole. Present: Rick Andrews, Atsushi Inaba, Dean Coclin, Robin Alden , Steve Roylance, Wayne Thayer, Gerv Markham , Ben Wilson, Rich Smith, Phil Hallam-Baker Agenda review: The agenda was not sent out ahead of time due to a mix-up but was announced at the start of the meeting.
2013-03-21 Minutes
March 21, 2013 by Ben WilsonNotes of meeting CAB Forum 21 March 2013 Version 1 Present: Rich Smith, Ben Wilson, Atsushi Inaba, Mads Henriksveen, Sissel Hoel, Eddy Nigg, Robin Alden, Dean Coclin, Wayne Thayer, Håvard Molland, Phill Hallam-Baker, Rick Andrews, Atilla Biler, Brad Hill, Geoff Keating, Kirk Hall, Jeremy Rowley, Cornelia Enke, Steve Roylance, Ryan Sleevi, and Stephen Davidson Agenda review: The agenda was reviewed. Dean asked that we bring better closure on the issue with re-validation of customers whose information is older than 39 months. That discussion was added to the agenda under Other Business.
March 21, 2013 by Ben WilsonNotes of meeting CAB Forum 21 March 2013 Version 1 Present: Rich Smith, Ben Wilson, Atsushi Inaba, Mads Henriksveen, Sissel Hoel, Eddy Nigg, Robin Alden, Dean Coclin, Wayne Thayer, Håvard Molland, Phill Hallam-Baker, Rick Andrews, Atilla Biler, Brad Hill, Geoff Keating, Kirk Hall, Jeremy Rowley, Cornelia Enke, Steve Roylance, Ryan Sleevi, and Stephen Davidson Agenda review: The agenda was reviewed. Dean asked that we bring better closure on the issue with re-validation of customers whose information is older than 39 months. That discussion was added to the agenda under Other Business.
2013-03-07 Minutes
March 7, 2013 by Ben WilsonNotes of meeting CAB Forum 7 March 2013 Version 2 Present: Rick Andrews, Atsushi Inaba, Dean Coclin, Ryan Koski, Atilla Biler, Jeremy Rowley, Gerv Markham, Brad Hill, Ryan Sleevi, Ben Wilson, Rich Smith, Wayne Thayer, Phill Hallam-Baker, Mads Henriksveen, and Cornelia (Connie) Enke Agenda review: The agenda was reviewed and approved. Approve Minutes of 21 February 2013: The minutes of 21 February 2013 were approved as published. Review of Ballots: Ben stated that Ballots 96, 97 and 98 all passed. He didn’t send out an announcement yet that Ballot 98 passed, but he will. Straw Poll for the meeting in Turkey, Ben has not tallied up the total, but he thinks that B and C are in the running and that B is the choice. He will confirm it and send out an email.
March 7, 2013 by Ben WilsonNotes of meeting CAB Forum 7 March 2013 Version 2 Present: Rick Andrews, Atsushi Inaba, Dean Coclin, Ryan Koski, Atilla Biler, Jeremy Rowley, Gerv Markham, Brad Hill, Ryan Sleevi, Ben Wilson, Rich Smith, Wayne Thayer, Phill Hallam-Baker, Mads Henriksveen, and Cornelia (Connie) Enke Agenda review: The agenda was reviewed and approved. Approve Minutes of 21 February 2013: The minutes of 21 February 2013 were approved as published. Review of Ballots: Ben stated that Ballots 96, 97 and 98 all passed. He didn’t send out an announcement yet that Ballot 98 passed, but he will. Straw Poll for the meeting in Turkey, Ben has not tallied up the total, but he thinks that B and C are in the running and that B is the choice. He will confirm it and send out an email.
Ballot 98 – Public Voting
February 22, 2013 by Ben WilsonBallot 98 – Public Voting (Passed) Motion Gervase Markham made the following motion, and Jeremy Rowley and Kirk Hall endorsed it: Motion begins The CAB Forum wishes to require that the votes of Members on CAB Forum ballots be public information. For avoidance of doubt, a consequence of this change is that the voting information for ballots will be public. Therefore, effective immediately, the CAB Forum Bylaws[0] are updated as follows:
February 22, 2013 by Ben WilsonBallot 98 – Public Voting (Passed) Motion Gervase Markham made the following motion, and Jeremy Rowley and Kirk Hall endorsed it: Motion begins The CAB Forum wishes to require that the votes of Members on CAB Forum ballots be public information. For avoidance of doubt, a consequence of this change is that the voting information for ballots will be public. Therefore, effective immediately, the CAB Forum Bylaws[0] are updated as follows:
Ballot 97 – Prevention of Unknown Certificate Contents
February 21, 2013 by Ben WilsonBallot 97 – Prevention of Unknown Certificate Contents (Passed) Motion Jeremy Rowley made the following motion, and Ryan Hurst and Robin Alden endorsed it: Motion begins Erratum begins A. In Section 10.2.3, after the first paragraph, insert: “The CA SHALL establish and follow a documented procedure for verifying all data requested for inclusion in the Certificate by the Applicant.”
February 21, 2013 by Ben WilsonBallot 97 – Prevention of Unknown Certificate Contents (Passed) Motion Jeremy Rowley made the following motion, and Ryan Hurst and Robin Alden endorsed it: Motion begins Erratum begins A. In Section 10.2.3, after the first paragraph, insert: “The CA SHALL establish and follow a documented procedure for verifying all data requested for inclusion in the Certificate by the Applicant.”
2013-02-21 Minutes
February 21, 2013 by Ben WilsonNotes of meeting CAB Forum 21 February 2013 Version 1 Present: Phill Hallam-Baker, Ben Wilson, Atsushi Inaba, Ryan Koski, Eddy Nigg, Gerv Markham, Wayne Thayer, Sara Morris, Dean Coclin, Paul Lambert, Atilla Biler, Rich Smith, Mads Henriksveen, Sissel Hoel, Mert Ozarar, Jeremy Rowley, Stephen Davidson, Tom Albertson, Agenda Review The agenda was reviewed and Item 6 (Wi-Fi Alliance) was moved forward to Agenda Item 4. Approval of the Minutes of 24 January 2013. The minutes of 24 January 2013 were approved as published.
February 21, 2013 by Ben WilsonNotes of meeting CAB Forum 21 February 2013 Version 1 Present: Phill Hallam-Baker, Ben Wilson, Atsushi Inaba, Ryan Koski, Eddy Nigg, Gerv Markham, Wayne Thayer, Sara Morris, Dean Coclin, Paul Lambert, Atilla Biler, Rich Smith, Mads Henriksveen, Sissel Hoel, Mert Ozarar, Jeremy Rowley, Stephen Davidson, Tom Albertson, Agenda Review The agenda was reviewed and Item 6 (Wi-Fi Alliance) was moved forward to Agenda Item 4. Approval of the Minutes of 24 January 2013. The minutes of 24 January 2013 were approved as published.
Ballot 96 – Wildcard Certificates and New gTLDs
February 20, 2013 by Ben WilsonBallot 96 – Wildcard Certificates and New gTLDs (Passed) Motion
February 20, 2013 by Ben WilsonBallot 96 – Wildcard Certificates and New gTLDs (Passed) Motion
Guidance on the Deprecation of Internal Server Names and Reserved IP Addresses
February 4, 2013 by Ben WilsonThis document explains the changes to Certification Authority support for internal server names and reserved IP dddresses and the reasons behind the new rules that were introduced in the Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates, Version 1.0 that took effect effect on July 1, 2012: Guidance on the Deprecation of Internal Server Names and Reserved IP Addresses
February 4, 2013 by Ben WilsonThis document explains the changes to Certification Authority support for internal server names and reserved IP dddresses and the reasons behind the new rules that were introduced in the Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates, Version 1.0 that took effect effect on July 1, 2012: Guidance on the Deprecation of Internal Server Names and Reserved IP Addresses