The following Minutes were approved by the CABF on Sept. 15

Minutes CABF Teleconference September 1, 2016

Attendees: Andrew Whalley (Google), Alex Wight (Cisco), Anoosh (Network 
Solutions), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton 
(Entrust), Curt Spann (Apple), Dean Coclin (Symantec), Dimitris Zacharopoulos 
(Harica), Doug Beattie (Globalsign), Gervase Markham (Mozilla), Jeff Stapleton, 
Wells Fargo, Jeremy Rowley (Digicert), Josh Aas (Let's Encrypt), Josh Purvis 
(Cisco), Ken Myers (US PKI), Kirk Hall (Entrust),  Li-Chun Chen (Chunghwa 
Telecom), Mike Johnson (Digicert), Peter Bowen (Amazon), Richard Barnes 
(Mozilla), Ryan Sleevi (Google), Sissel Hoel (Buypass), Virginia Fournier 
(Apple), Wayne Thayer (GoDaddy), Tony Rutkowski (Invited guest)

1. Read Antitrust Statement

2. Roll Call

3. Agenda Reviewed - no changes

4. Minutes of August 4th and August 18th.  There were no comments on the draft 
minutes and they were approved.

5. Ballot status:

Draft SRV ballot - Peter said there was no update on this ballot.

Ballot 174 - This ballot has passed.

Ballot 175 - Voting is underway on this ballot.

Jeremy said he put out a correction on the email list on Cname validation to 
the list of validation methods which would revise ballot 169.  He is looking 
for 2 endorsers. Kirk said he would endorse.

6. Misc Topics: Anti-spoofing certs. Guest speaker Tony Rutkowski talked about 
certs for telephone devices. Tony worked for Verisign at one time and said the 
problem of binding certs to telephone numbers and groups of service providers 
has been going on for some time. Spoofed calls (aka "Robo calls") has been a 
major problem and is being dealt with by many different groups;  one of which 
is the IETF and a body called "STIR" which has developed a set of 
specifications. One specification deals with binding a certificate to a 
telephone number. The forum could create a separate group to look at this 
opportunity by developing a subset of EV certs for this purpose.

Richard said this use case is different than the normal web use case. Hence 
there might be different validation requirements. It's a little unclear as to 
what the authority model is.

Dean asked if this is in scope for the CA/Browser Forum. Richard said not 
really as currently constituted since browsers are not the relying parties.

Dean said the Governance Change WG is looking at setting up subgroups to work 
on other topics and this may be an example of one to set up.

Kirk asked who Tony thought would participate in a working group. Tony said 
this would need to involve global players, such as the ITU-T which owns the 
E164 specification. Also ESI and ANSI.

Peter asked what Tony was looking for from the CA/B Forum. Tony said if there 
was enough interest, it should be moved into a working group of people that can 
work on this subject.
There was some discussion as to whether EV was the appropriate type of 
certificate for this given the entities involved.

Gerv asked if the value proposition was to insure no spoofing of caller ID 
phone numbers? Tony said there was a DNS system defined for every phone number 
in the world. Richard said the spec involves authenticating the phone numbers 
and any meta data attached to those numbers.

Inadvertent Validation:
Peter said that domains using mail filtering products were fetching links in 
emails and  "click this link in the email to confirm" was being activated 
inadvertently.
Server was seeing these anti-malware checks as confirming
Wanted to pass this along for CAs that do email validation and that this may 
cause inadvertent validation.  A malicious party could be validated for domains 
using these email scanners.

Kirk asked if there was a valid example. Peter said he knew of instances where 
companies were using the Barracuda networks product. However, it's not limited 
to this product.

Bruce asked if this would be mitigated with the "random value". The answer was 
no. The random value could be contained in a link that would be "clicked" by 
the scanning product. So the random value doesn't help.
Jos said the only way around this was to have the user click the link and then 
go to a page where they enter the random value. Peter said that could work but 
another way would be to couple this with another action on the website.

Andrew said an explicit "do not approve" might be another answer.

7. Governance Change Working Group update --
Ben gave an update. There have been discussions around the IPR policy within 
the governance change. There was going to be a discussion with Virginia and 
others later in the day.
A proposal was sent around for review which Gerv had commented on and is still 
an open item. Virginia said they need to figure out what happens if a member 
sues another member for patent infringement. This will be discussed as part of 
the IPR meeting.

8. Validation Working Group Status -
Jeremy said the working group has stopped meeting for now until a new topic 
comes up. There has been discussion about individual validation (given 
name/surname) and perhaps the group could pick this up. Kirk suggested a ballot 
change could help fix this issue. Bruce asked if the types of change for domain 
validation should be extended to IP address validation. Jeremy said that could 
move to the working group for discussion.

9. Policy Review Working Group -
Ben said the group was discussing subordinate CAs and what policy OIDs could be 
inserted. Dimitris was going to look at this and work on some language for 
subordinate CAs.

10. Any Other Business -
There are 48 people signed up for the fall meeting and there is a cap at 50 so 
we will be closing sign ups soon. Dean announced that the guest speaker will be 
Mr. Patrick Donahue, PM of SSL at Cloudflare.  Dean again asked for draft 
agenda items and to submit those to him via email. In addition we will have 
several guest speakers from Microsoft that should have some very interesting 
topics to present.

Next year's meeting locations include Cupertino (tentative), Berlin (D-Trust) 
and Taiwan (Chungwa Telecom).

Dean advised elections for chair and vice chair are coming up. Chair 
nominations are now closed and elections will start next week. Normally voting 
takes place by members submitting ballots to our 2 independent parties from 
WebTrust (Don) and ETSI (Arno). Peter commented that Arno was now associated 
with a CA member (D-Trust) and asked whether we should continue asking him to 
tabulate the votes. Dean concurred and suggested other Associate members such 
as Federal PKI (Ken) or ACAB (Clemens).

11. Next meeting on Sept. 15th

12. Adjourn

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

Reply via email to