The following Minutes were approved by the CABF on Sept. 15
Minutes CABF Teleconference September 1, 2016
Attendees: Andrew Whalley (Google), Alex Wight (Cisco), Anoosh (Network
Solutions), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Bruce Morton
(Entrust), Curt Spann (Apple), Dean Coclin (Symantec), Dimitris Zacharopoulos
(Harica), Doug Beattie (Globalsign), Gervase Markham (Mozilla), Jeff Stapleton,
Wells Fargo, Jeremy Rowley (Digicert), Josh Aas (Let's Encrypt), Josh Purvis
(Cisco), Ken Myers (US PKI), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa
Telecom), Mike Johnson (Digicert), Peter Bowen (Amazon), Richard Barnes
(Mozilla), Ryan Sleevi (Google), Sissel Hoel (Buypass), Virginia Fournier
(Apple), Wayne Thayer (GoDaddy), Tony Rutkowski (Invited guest)
1. Read Antitrust Statement
2. Roll Call
3. Agenda Reviewed - no changes
4. Minutes of August 4th and August 18th. There were no comments on the draft
minutes and they were approved.
5. Ballot status:
Draft SRV ballot - Peter said there was no update on this ballot.
Ballot 174 - This ballot has passed.
Ballot 175 - Voting is underway on this ballot.
Jeremy said he put out a correction on the email list on Cname validation to
the list of validation methods which would revise ballot 169. He is looking
for 2 endorsers. Kirk said he would endorse.
6. Misc Topics: Anti-spoofing certs. Guest speaker Tony Rutkowski talked about
certs for telephone devices. Tony worked for Verisign at one time and said the
problem of binding certs to telephone numbers and groups of service providers
has been going on for some time. Spoofed calls (aka "Robo calls") has been a
major problem and is being dealt with by many different groups; one of which
is the IETF and a body called "STIR" which has developed a set of
specifications. One specification deals with binding a certificate to a
telephone number. The forum could create a separate group to look at this
opportunity by developing a subset of EV certs for this purpose.
Richard said this use case is different than the normal web use case. Hence
there might be different validation requirements. It's a little unclear as to
what the authority model is.
Dean asked if this is in scope for the CA/Browser Forum. Richard said not
really as currently constituted since browsers are not the relying parties.
Dean said the Governance Change WG is looking at setting up subgroups to work
on other topics and this may be an example of one to set up.
Kirk asked who Tony thought would participate in a working group. Tony said
this would need to involve global players, such as the ITU-T which owns the
E164 specification. Also ESI and ANSI.
Peter asked what Tony was looking for from the CA/B Forum. Tony said if there
was enough interest, it should be moved into a working group of people that can
work on this subject.
There was some discussion as to whether EV was the appropriate type of
certificate for this given the entities involved.
Gerv asked if the value proposition was to insure no spoofing of caller ID
phone numbers? Tony said there was a DNS system defined for every phone number
in the world. Richard said the spec involves authenticating the phone numbers
and any meta data attached to those numbers.
Peter said that domains using mail filtering products were fetching links in
emails and "click this link in the email to confirm" was being activated
Server was seeing these anti-malware checks as confirming
Wanted to pass this along for CAs that do email validation and that this may
cause inadvertent validation. A malicious party could be validated for domains
using these email scanners.
Kirk asked if there was a valid example. Peter said he knew of instances where
companies were using the Barracuda networks product. However, it's not limited
to this product.
Bruce asked if this would be mitigated with the "random value". The answer was
no. The random value could be contained in a link that would be "clicked" by
the scanning product. So the random value doesn't help.
Jos said the only way around this was to have the user click the link and then
go to a page where they enter the random value. Peter said that could work but
another way would be to couple this with another action on the website.
Andrew said an explicit "do not approve" might be another answer.
7. Governance Change Working Group update --
Ben gave an update. There have been discussions around the IPR policy within
the governance change. There was going to be a discussion with Virginia and
others later in the day.
A proposal was sent around for review which Gerv had commented on and is still
an open item. Virginia said they need to figure out what happens if a member
sues another member for patent infringement. This will be discussed as part of
the IPR meeting.
8. Validation Working Group Status -
Jeremy said the working group has stopped meeting for now until a new topic
comes up. There has been discussion about individual validation (given
name/surname) and perhaps the group could pick this up. Kirk suggested a ballot
change could help fix this issue. Bruce asked if the types of change for domain
validation should be extended to IP address validation. Jeremy said that could
move to the working group for discussion.
9. Policy Review Working Group -
Ben said the group was discussing subordinate CAs and what policy OIDs could be
inserted. Dimitris was going to look at this and work on some language for
10. Any Other Business -
There are 48 people signed up for the fall meeting and there is a cap at 50 so
we will be closing sign ups soon. Dean announced that the guest speaker will be
Mr. Patrick Donahue, PM of SSL at Cloudflare. Dean again asked for draft
agenda items and to submit those to him via email. In addition we will have
several guest speakers from Microsoft that should have some very interesting
topics to present.
Next year's meeting locations include Cupertino (tentative), Berlin (D-Trust)
and Taiwan (Chungwa Telecom).
Dean advised elections for chair and vice chair are coming up. Chair
nominations are now closed and elections will start next week. Normally voting
takes place by members submitting ballots to our 2 independent parties from
WebTrust (Don) and ETSI (Arno). Peter commented that Arno was now associated
with a CA member (D-Trust) and asked whether we should continue asking him to
tabulate the votes. Dean concurred and suggested other Associate members such
as Federal PKI (Ken) or ACAB (Clemens).
11. Next meeting on Sept. 15th
Public mailing list