Re: [cabfpub] Draft CAA motion

2016-11-09 Thread Ryan Sleevi via Public
On Wed, Nov 9, 2016 at 11:06 AM, Peter Bowen wrote: > Ryan, > > If we adopt CAA hard-fail only, and it does become a problem, what is the > path to correct, given the current WebTrust cycle? As it stands, I expect > it to take years to correct if it makes it into a WebTrust

Re: [cabfpub] Draft CAA motion

2016-11-09 Thread Ryan Sleevi via Public
On Wed, Nov 9, 2016 at 9:34 AM, Peter Bowen wrote: > Ryan, > > I presume Google has internal controls in place that cover who can sign > contracts and under what circumstances. I am inclined to side with Bruce > on this one — a signed contract should be prima facie evidence of >

Re: [cabfpub] IPR policy and authorial intent

2016-11-08 Thread Ryan Sleevi via Public
On Tue, Nov 8, 2016 at 11:01 AM, Gervase Markham wrote: > Given that we will simultaneously be discussing and hopefully before too > long be voting on some changes to the Bylaws to solve the problem, their > trust does not have to extend for that long. > You said "hopefully

Re: [cabfpub] IPR policy and authorial intent

2016-11-08 Thread Ryan Sleevi via Public
On Tue, Nov 8, 2016 at 10:21 AM, Gervase Markham wrote: > On 08/11/16 18:10, Ryan Sleevi wrote: > > Can you point me to the ballot or bylaw that guarantees this? Otherwise, > > you're taking a gamble that everyone will behave rationally - which, > > from a legal perspective, is

Re: [cabfpub] IPR policy and authorial intent

2016-11-08 Thread Ryan Sleevi via Public
On Tue, Nov 8, 2016 at 10:07 AM, Gervase Markham via Public < public@cabforum.org> wrote: > and I think the general risks of > IPR "fishing" Ryan raises would not come into play because we would only > be using this process for a limited time and a known number of ballots > with known content.

Re: [cabfpub] IPR policy and authorial intent

2016-11-08 Thread Ryan Sleevi via Public
On Tue, Nov 8, 2016 at 8:46 AM, Gervase Markham via Public < public@cabforum.org> wrote: > I may have buried the lede here, so: > > On 03/11/16 16:21, Gervase Markham wrote: > > be addressed, which would be fine. But would both sides be willing to > > allow Mark to rule on original intent, and

Re: [cabfpub] Validation WG

2016-11-07 Thread Ryan Sleevi via Public
Jeremy, Just to check - I don't recall there being a formal ballot to terminate the WG (as per section 5.2 of the bylaws), so a few quick and easy process questions: 1) Do you expect that the continuation of the Validation WG will be conducted in accordance with the scope and deliverables of

Re: [cabfpub] question about patent-free guidelines

2016-11-04 Thread Ryan Sleevi via Public
On Fri, Nov 4, 2016 at 5:03 AM, Gervase Markham via Public < public@cabforum.org> wrote: > On 03/11/16 18:20, Dimitris Zacharopoulos wrote: > > 1. whether it is dictated in the bylaws or the IPR policy that the CA/B > > Forum must produce patent-free guidelines (otherwise it is probably > >

Re: [cabfpub] question about patent-free guidelines

2016-11-03 Thread Ryan Sleevi via Public
On Thu, Nov 3, 2016 at 11:20 AM, Dimitris Zacharopoulos via Public < public@cabforum.org> wrote: > Well, my question was not intended to interfere with the other threads > regarding the current ballots or the sequence of events that have to take > place. I was more curious if there is a clear

Re: [cabfpub] Ballot process ordering (2)

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 3:05 PM, Kirk Hall via Public wrote: > Of course, the PAG will not be providing legal advice to any member. In > the end, the ballot might be modified by the proposer and two endorsers > (which would probably trigger another discussion period and

Re: [cabfpub] Ballot process ordering (2)

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 3:41 PM, Geoff Keating via Public < public@cabforum.org> wrote: > > > a) Is the process that the PAG may modify the ballot before the vote, > based on its conclusions? If so, do we need a new Discussion Period after > the PAG? If not, and the PAG makes "recommendations",

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
More concretely to the discussion of the F2F, which does not yet appear in the draft minutes, and for which a recording would be necessary to fully reconstruct arguments from those on the call (Virginia) or in the room (Jeremy), during the F2F, I discussed and disagreed with Virginia's statements

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
Hi Kirk, Can you provide the recording of the F2F to support your claim that "you didn't raise these issues at the F2F either"? Thanks, Ryan On Wed, Nov 2, 2016 at 11:31 AM, Kirk Hall wrote: > Emails before the F2F are available, and so are teleconference >

Re: [cabfpub] Ballot process ordering (2)

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 11:04 AM, Gervase Markham via Public < public@cabforum.org> wrote: > Questions for proponents of Position 2: > > j) This position states that we vote, there's an IPR review, and the > change gets made regardless of what it turns up. So encumbered > requirements could make

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 11:03 AM, Gervase Markham wrote: > On 02/11/16 17:39, Ryan Sleevi wrote: > > That is, Ballots 181 and 182 are thus Draft Guidelines, and need 60 day > > reviews, > > How does this follow? > > Section 4.1: "Prior to the approval of a CAB Forum Draft

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 10:40 AM, Kirk Hall wrote: > First, why did you say nothing about this during the weeks of discussion > on this list, (with Virginia, me, and others pointing out we were not > following our IPR Policy, and must do so now)? We made it clear

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 10:32 AM, Gervase Markham <g...@mozilla.org> wrote: > On 02/11/16 15:57, Ryan Sleevi via Public wrote: > > Oh, and I would note the Key Definitions of 8.3 > > > > d. “Draft Guideline” means a version of a CAB Forum guideline that has >

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 9:04 AM, Kirk Hall wrote: > No one at the meeting objected at that time, said the procedure was wrong, > or suggested a different procedure. > I feel this deserves calling out on its own - I do not believe this is not an accurate

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 9:04 AM, Kirk Hall wrote: > Clearly there are people in the Forum who don’t agree with this analysis – > I am one. > > > > Can you clarify – do you believe Position 1 is wrong, and Position 2 is > correct? Or are just weighing the two

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 8:45 AM, Kirk Hall via Public wrote: > So under Position 2, how do we ever get to Approval - which (under the IPR > Policy) can only come AFTER the Review Period is over. Something is > missing from the Position 2 process? > > Can someone who supports

Re: [cabfpub] Ballot process ordering

2016-11-02 Thread Ryan Sleevi via Public
On Wed, Nov 2, 2016 at 8:14 AM, Gervase Markham via Public < public@cabforum.org> wrote: > This is my understanding of the current controversy regarding the > balloting process. I'm sure it is incomplete. Can people make > corrections and additions until it's accurate and everyone can >

Re: [cabfpub] CAA concerns (and potential solutions)

2016-10-31 Thread Ryan Sleevi via Public
On Sat, Oct 29, 2016 at 12:59 AM, Gervase Markham wrote: > On 28/10/16 17:49, Ryan Sleevi wrote: > > On Fri, Oct 28, 2016 at 7:49 AM, Peter Bowen via Public > > > wrote: > > > > I think CAs should track this so we can come

Re: [cabfpub] CAA concerns (and potential solutions)

2016-10-28 Thread Ryan Sleevi via Public
On Fri, Oct 28, 2016 at 9:57 AM, Peter Bowen wrote: > > With products like the Cavium CNN3560-NFBE-G supporting more than 30,000 > RSA signatures per second when using a 2048-bit key, I'm confident that > the multiple DNS lookups required by CAA will be the long pole. > And if I

Re: [cabfpub] CAA concerns (and potential solutions)

2016-10-28 Thread Ryan Sleevi via Public
On Fri, Oct 28, 2016 at 9:52 AM, Peter Bowen wrote: > > OK. I used a machine with a locally running caching resolver. I then did > the following as a test: > > Fetch top-1m.csv.zip > Unzip it > head -n 200 top-1m.csv | cut -d, -f2 | sed -r -e 's/^/www./' > top200.txt > echo

Re: [cabfpub] CAA concerns (and potential solutions)

2016-10-28 Thread Ryan Sleevi via Public
On Fri, Oct 28, 2016 at 8:01 AM, Gervase Markham via Public < public@cabforum.org> wrote: > However, the expected use case for skipsubdomains=true is when CAs > have a very particular relationship with a small number of clients who > need high speed issuance. If that is the use case, then I

Re: [cabfpub] CAA concerns (and potential solutions)

2016-10-28 Thread Ryan Sleevi via Public
On Fri, Oct 28, 2016 at 7:49 AM, Peter Bowen via Public wrote: > > I think CAs should track this so we can come back in a year and review how > often allowing soft-fail had any impact. We've been spinning our wheels on this point for several years. For four years now,

Re: [cabfpub] CAA concerns (and potential solutions)

2016-10-28 Thread Ryan Sleevi via Public
On Thu, Oct 27, 2016 at 8:33 PM, Peter Bowen via Public wrote: > I propose that this be mitigated by adopting a two prong rule for CAA: > 1) By default CAs must treat the presence of CAA records which do not > include them as “hard fail” and not issue > 2) However, if the

Re: [cabfpub] Continuing the discussion on CAA

2016-10-27 Thread Ryan Sleevi via Public
On Thu, Oct 27, 2016 at 3:44 PM, Richard Barnes via Public < public@cabforum.org> wrote: > > > On Thu, Oct 27, 2016 at 6:33 PM, Jody Cloutier via Public < > public@cabforum.org> wrote: > >> Question: If a company has trusted roots, but it does not issue roots to >> the general public, would it

Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

2016-10-26 Thread Ryan Sleevi via Public
Forwarding on behalf of Brian Smith On Wed, Oct 26, 2016 at 2:39 PM, Brian Smith wrote: > [Please forward this message to the CABForum mailing list. Thanks!] > > Rick Andrews via Public wrote: > >> Rob, I think the primary use case is OCSP for code

Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

2016-10-26 Thread Ryan Sleevi via Public
On Wed, Oct 26, 2016 at 11:45 AM, Kirk Hall wrote: > I think we may be making too much of all this. If we have both an old > style ballot to make the change now following the procedures in our Bylaws > and our past practices, at the very least we will have added

Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

2016-10-26 Thread Ryan Sleevi via Public
On Wed, Oct 26, 2016 at 11:00 AM, Jeremy Rowley wrote: > I’m not sure if there is consensus on Virginia’s interpretation. We > haven’t even had a straw poll to agree/disagree on the issue. > > > > That’s my interpretation more or less with one point. I don’t see a

Re: [cabfpub] Draft CABF agenda for Oct. 27, 2016 teleconference

2016-10-26 Thread Ryan Sleevi via Public
Hi Kirk, It's unclear what the discussion agenda is for Items 11 - CT is. I especially want to highlight Google's position that the proper venue for discussing CT use case/concerns (with the protocol) is the IETF, and that the proper venue for discussing concerns with CT's requirement in Chrome

Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

2016-10-26 Thread Ryan Sleevi via Public
On Wed, Oct 26, 2016 at 10:02 AM, Jeremy Rowley wrote: > It’s important because a draft guideline isn’t non-binding on the CAB > Forum membership. The bylaws clearly spell out how a ballot takes place: > > > > (c) A representative of any Member can call for a

Re: [cabfpub] Continuing the discussion on CAA

2016-10-26 Thread Ryan Sleevi via Public
a CAA record in the DNS is a lot more > difficult than changing the record once established. > > > > *From:* Public [mailto:public-boun...@cabforum.org] *On Behalf Of *Ryan > Sleevi via Public > *Sent:* Wednesday, October 26, 2016 9:52 AM > *To:* Eneli Kirme <eneli.ki...@sk.e

Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

2016-10-26 Thread Ryan Sleevi via Public
Reposting to public, somehow lost. On Oct 26, 2016 9:32 AM, "Ryan Sleevi" wrote: > On Oct 26, 2016 9:06 AM, "Jeremy Rowley" > wrote: > > > > It’s called a “CAB Forum Draft Guideline” and would follow the procedure > already established by the

Re: [cabfpub] Continuing the discussion on CAA

2016-10-26 Thread Ryan Sleevi via Public
On Oct 25, 2016 10:38 PM, "Eneli Kirme via Public" wrote: > > Hi, > > In practice CAA records are subject to be manipulated by UI provided by DNS records management. We have no way to control it and once there is a “default” listed for customer convenience then the damage for

Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

2016-10-26 Thread Ryan Sleevi via Public
On Oct 26, 2016 8:40 AM, "Kirk Hall via Public" wrote: > > Helpful suggestion, Gerv - thanks. > > On the question of whether our change of processes to comply with our IPR Policy must be complete and immediate, I think about the prayer of the St. Augustine who was trying to

Re: [cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

2016-10-25 Thread Ryan Sleevi via Public
On Tue, Oct 25, 2016 at 5:26 PM, Kirk Hall via Public wrote: > Wayne – I agree with you that we need to move forward now. > > > > Previously we had discussed not putting forward any ballots that amend the > current BRs or EVGL until we complete the readoption Ballot 180,

Re: [cabfpub] Ballot 181 – Readopting BR 3.2.2.4 (Part 1)

2016-10-25 Thread Ryan Sleevi via Public
Similarly, can you produce a redline version for this ballot? Thanks On Tue, Oct 25, 2016 at 1:38 PM, Kirk Hall via Public wrote: > *This is the start of the 7 day discussion period for this Ballot. The > Review Period under our IPR Policy will start on Nov. 1, and run

Re: [cabfpub] Ballot 182 – Readopting BR 3.2.2.4 (Part 2)

2016-10-25 Thread Ryan Sleevi via Public
Last request for a redline version. Thanks :) On Tue, Oct 25, 2016 at 1:38 PM, Kirk Hall via Public wrote: > *This is the start of the 7 day discussion period for this Ballot. The > Review Period under our IPR Policy will start on Nov. 1, and run for 60 > days. I will

Re: [cabfpub] Ballot 180 – Readopting the BRs, EVGL, EV Code Signing, and NCSSR Guidelines with Amendments

2016-10-25 Thread Ryan Sleevi via Public
Hi Kirk, Per our past F2F conversation - https://cabforum.org/2016/05/25/2016-05/ - would you mind preparing redline versions of the documents changed? I'm specifically referencing this part of the conversation, from Ben Wilson: "Ben: As we’ve said in the past, we should prepare a redlined

Re: [cabfpub] Continuing the discussion on CAA

2016-10-25 Thread Ryan Sleevi via Public
> > -Rick > > > > *From:* Public [mailto:public-boun...@cabforum.org] *On Behalf Of *Ryan > Sleevi via Public > *Sent:* Tuesday, October 25, 2016 8:22 AM > *To:* Gervase Markham <g...@mozilla.org> > *Cc:* public@cabforum.org > *Subject:* Re: [cabfpu

Re: [cabfpub] Continuing the discussion on CAA

2016-10-25 Thread Ryan Sleevi via Public
On Tue, Oct 25, 2016 at 1:57 AM, Gervase Markham via Public < public@cabforum.org> wrote: > > I think this is definitely worth exploring, and I am confident we can > work out some reasonable parameters. However, I wonder if, if we are not > checking CAA at every issuance, it would be wise for CAs

[cabfpub] Announcement: Requiring Certificate Transparency in 2017

2016-10-24 Thread Ryan Sleevi via Public
[Note: This is cross-posted. The best venue for follow-up questions is the public mailing list at ct-pol...@chromium.org or the post at https://groups.google.com/a/chromium.org/d/msg/ct-policy/78N3SMcqUGw/ykIwHXuqAQAJ ] This past week at the 39th meeting of the CA/Browser Forum, the Chrome team

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
Kirk, It's sad to see your promise was so short lived. That is, the " I promise I will read the links carefully for the details you have provided. " promise you made one hour ago. Since your message is not appearing in the archives, I'll link you to the reply in which I quoted you, in the hopes

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
On Mon, Oct 24, 2016 at 1:38 PM, Kirk Hall wrote: > Ryan, this discussion is happening on the Public list, and members of the > public were not at our meeting. > Which is why minutes of our phone calls and meetings are so important. > So please drop your

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
On Mon, Oct 24, 2016 at 12:09 PM, Kirk Hall wrote: > Yes, please provide the links to all – I certainly don’t remember any > details from what you have said in the past, and others feel the same way. > I promise I will read the links carefully for the details you

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
On Mon, Oct 24, 2016 at 11:32 AM, Kirk Hall wrote: > Ryan, I have to admit I have not always understood your response on > Jeremy’s question (which I have asked myself). You have said at times “we > already answered that”, but I think many of us can’t recall what

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
Jeremy, This has been repeatedly asked on calls, and each time Google provides details about how it has prevented unauthorized issuance? Can we accept CAA has worked, helped for those CAs that check, and move on? On Mon, Oct 24, 2016 at 8:40 AM, Jeremy Rowley via Public < public@cabforum.org>

Re: [cabfpub] SHA-1 exception request

2016-10-18 Thread Ryan Sleevi via Public
On Tue, Oct 18, 2016 at 4:34 PM, Dean Coclin via Public wrote: > While I'm not the technical expert here, assuming we could, wouldn't they > then need to undergo the 10 day eval period? > Yes ___ Public mailing list

Re: [cabfpub] SHA-1 exception request

2016-10-18 Thread Ryan Sleevi via Public
On Tue, Oct 18, 2016 at 4:10 PM, Dean Coclin via Public wrote: > Given that the current TBS certs have passed cryptanalysis, could you allow > the issuance of the TBS certs as presented, and mandate that the CA revoke > those > certs on 12/31 (or the next business day).

Re: [cabfpub] SHA-1 exception request

2016-10-16 Thread Ryan Sleevi via Public
Google concurs with Mozilla's findings. We believe it would be best to see these certificates expire by December 31, 2016, for this and future requests. ___ Public mailing list Public@cabforum.org https://cabforum.org/mailman/listinfo/public

Re: [cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain

2016-10-11 Thread Ryan Sleevi via Public
On Tue, Oct 11, 2016 at 5:26 PM, Peter Bowen wrote: > > You are conflating two things here. "it's perfectly acceptable for the > domain operator to be distinct from the certificate applicant” - Yes. > Akamai or Fastly (or any CDN) can apply for a certificate for a domain >

Re: [cabfpub] Potential F2F Topics

2016-10-11 Thread Ryan Sleevi via Public
While I understand the IETF doesn't work on policy, I meant to suggest that the most important aspect - which absolutely belongs in the IETF - is use cases. I do not believe we can have a meaningful discussion of policy without understanding use cases. It's clear that the technical solutions

Re: [cabfpub] SHA-1 exception request

2016-10-10 Thread Ryan Sleevi via Public
Forwarding on behalf of Patrick Donahue, at Cloudflare. On Sun, Oct 9, 2016 at 8:09 PM, Patrick Donahue wrote: > > > >> We examined this mechanism and determined that due to the variety of POS >> devices using our network, the client HELLO will not allow us to >>
