CA/Browser Forum posts
Posts by tag Minutes
2015-09-17 Minutes
September 17, 2015 by Ben Wilson
Minutes of CA/B Forum Teleconference – September 17, 2015
Attendees: Ben Wilson, Billy VanCannon, Bruce Morton, Burak Kalkan, Cecilia Kam, Davut Tokgoz, Dean Coclin, Dimitris Zacharopoulos, Doug Beattie, Jeremy Rowley, Jody Cloutier, Li-Chun Chen, Marcelo Silva, Patrick Tonnier, Peter Miscovic, Robin Alden, Ryan Sleevi, Tyler Myers, Volkan Nergiz, Wayne Thayer, Vicky (CNNIC), Sakeeb (Microsoft)
2015-09-03 Minutes
September 3, 2015 by Ben Wilson
CA-Browser Forum teleconference call, Sept. 3, 2015
Attendees: Atsushi Inaba (Globalsign), Atilla Biler (TurkTrust), Ben Wilson (Digicert), Billy VanCannon (Trustwave), Bruce Morton (Entrust), Burak Kalkan (TurkTrust), Dean Coclin (Symantec), Dimitris Zacharopoulos (Harica), Doug Beattie (Globalsign), Eddy Nigg (Startcom), Jeremy Rowley (Digicert), Jody Cloutier (Microsoft), Kirk Hall (Trend Micro), Kubra Zaray (TurkTrust), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (BuyPass), Mat Caughron (Apple), Patrick Tonnier (OATI), Peter Miscovic (Disig), Rick Andrews (Symantec), Robin Alden (Comodo), Ryan Sleevi (Google), Stephen Davidson (QuoVadis), Tim Hollebeek (Trustwave), Tim Shirley (Trustwave), Volkan Nergiz (TurkTrust), Wayne Thayer (GoDaddy)
2015-08-20 Minutes
August 20, 2015 by Ben Wilson
Minutes of August 20, 2015
Attendees: Atsushi Inaba, Ben Wilson, Billy VanCannon, Bruce Morton, Cecilia Kam, Davut Tokgoz, Dean Coclin, Doug Beattie, Eddy Nigg, Jody Cloutier, Kirk Hall, Li-Chun Chen, Mat Caughron, Patrick Tonnier, Sakib (Microsoft), Stephen Davidson, Tim Shirley, Tim Hollebeek, Tyler Myers, Vicky (CNNIC), Volkan Nergiz, Wayne Thayer
Antitrust statement was read by Dean. Roll call completed.
Review Agenda: No items added.
Approve minutes of August 6, 2015 meeting: Minutes approved. Ben to post on website.
2015-08-06 Minutes
August 6, 2015 by Ben Wilson
Final Minutes August 6, 2015
Attendees: An Ying (CNNIC), Atsushi Inaba, Ben Wilson, Billy VanCannon, Christy McKinley, Dean Coclin, Charlotte Yan (CNNIC), Doug Beattie, Eddy Nigg, Gerv Markham, Jeremy Rowley, Kirk Hall, Mads Henriksveen, Marcelo Silva, Patrick Tonnier, Peter Miscovic, Rick Andrews, Robin Alden, Ryan Sleevi, Sisel Hoel, Tim Shirley, Tim Hollebeek, Volkan Nergiz, Wayne Thayer
2015-07-23 Minutes
July 23, 2015 by Ben Wilson
Minutes July 23, 2015
Attendees: Atsushi Inaba, Ben Wilson, Billy VanCannon, Bruce Morton, Dean Coclin, Dimitris Zacharopoulos, Gerv Markham, Jeremy Rowley, Jody Cloutier, Kirk Hall, Mads Henriksveen, Mat Caughron, Patrick Tonnier, Peter Miscovic, Rick Andrews, Stephen Davidson, Tim Hollebeek, Wayne Thayer
2015-07-09 Minutes
July 9, 2015 by Ben Wilson
Approved Minutes July 9, 2015
Attendees: Atsushi Inaba, Ben Wilson, Billy VanCannon, Bruce Morton, Burak Kalkan, Davut Tokgoz, Dean Coclin, Doug Beattie, Gerv Markham, Jody Cloutier, Kirk Hall, Mads Henriksveen, Mat Caughron, Patrick Tonnier, Peter Miscovic, Rick Andrews, Robin Alden, Tim Hollebeek, Tim Shirley, Volkan Nergiz, Wayne Thayer, Marcelo Silva, Dimitris Zacharopoulos
Minutes of the F2F 35 Meeting in Zurich, Switzerland, 23-25 June 2015
June 24, 2015 by Ben Wilson
Meeting 35 Minutes, Day 1, Wednesday, 24 June 2015
2015-06-11 Minutes
June 11, 2015 by Ben Wilson
Minutes of Teleconference – 11 June 2015
Read Antitrust Statement: The Statement was read.
2015-05-28 Minutes
May 28, 2015 by Ben Wilson
CA/Browser Forum Minutes of May 28, 2015
Attendees: Atsushi Inaba, Atilla Biler, Ben Wilson, Billy VanCannon, Bruce Morton, Connie Enke, Dean Coclin, Doug Beattie, Gerv Markham, Jeremy Rowley, Jody Cloutier, Kubra Zaray, Mads Henriksveen, Mat Caughron, Patrick Tronnier, Peter Miscovic, Rick Andrews, Robin Alden, Ryan Sleevi, Sissel Hoel, Tim Hollebeek, Tim Shirley, Volkan Nergiz, Wayne Thayer
Minutes of 14 May meeting were approved. These will be posted to the public list.
2015-05-14 Minutes
May 14, 2015 by Ben Wilson
Minutes May 14, 2015
Attendees: Dean Coclin, Ben Wilson, Doug Beattie, Gerv Markham, Atsushi Inaba, Kirk Hall, Atilla Biler, Bruce Morton, Burak Kalkan, Cecilia Kam, Davut Tokgoz, Volkan Nergiz, Rick Andrews, Moudrick Dadashov, Eddy Nigg, Mat Caughron, Tim Hollebeek, Patrick Tronnier, Billy VanCannon, Jeremy Rowley, Robin Alden, Ryan Sleevi
Minutes of 30 April meeting were approved. These will be posted to the public list.
Ballots:
Ballot 149 (Bylaw updates from Kirk): Kirk wants to hold the ballot until the WebTrust audit team determines what the new name of the audit will be.
Domain Validation Ballot*: There are a few open issues on this ballot. Working on revising #10 from the list. Some folks were concerned with the “test cert” provision. Tim H said the test cert should be allowed and that #10 needs to be tightened up. A longer discussion in the working group is warranted. Kirk also said it needs more details to make it more like methods 6-9 (which are explicit). Ryan also agreed. Jeremy said he put Doug’s proposed method in the proposal for now.
The “random value” was 128 bits but Kirk wanted it back to 112 bits. Kirk said that 128 bits was overkill. The random value is provided by the CA to applicants, so it’s not practically predictable by hackers. Kirk felt the lower value is adequate (and is commonly used for some other purpose). Ryan disagreed and said there were threats like reversible random number generators and things like passive observation which may allow for reconstruction of the RNG. He would like to see the standard be 128 bits. Tim said he also had these concerns but, after looking into the Java SecureRandom generator (which apparently doesn’t do 128 bits), he felt it was cryptographically secure and is no longer concerned. Gerv said the cryptographic strength of the generator is more important than the bit size but feared that specifying a smaller key size would lead people to use a less secure RNG.
Kirk challenged the security issue. Ryan further explained (and said we should err on the side of caution) that a network-based adversary could observe traffic sent to a CA’s customer and (theoretically) predict a random number challenge sent to a future customer and cause a mis-issuance which is not the CA’s fault. Gerv suggested a compromise of specifying a cryptographically strong random number generator (with a lower key size) instead of specifying a higher key size (which would include the Java generator but not the Windows GUID generator). Doug said an adversary could submit an order and get a random string back without monitoring the network (Ryan’s example threat). Ryan said it depends on the type of cert (OV/EV vs DV). Rick asked how an auditor would determine if an RNG is cryptographically secure. Ryan said in theory they should, but in reality recent reports and events prove they probably don’t. But he said it could be an auditable requirement. Tim H. said that in the financial industry this type of thing gets audited all the time. Kirk said this is not the place we should be focusing this type of effort. Ryan asked what harm a requirement for 128 bits would cause. Kirk said what CAs are using today may not meet that requirement and it would be a wasted effort to get people to switch for no real benefit. Ryan said there are already requirements for cryptographically strong random number generators, but Kirk said for this issue it wasn’t that important. Discussion was terminated due to time constraints.