[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - October 3 2019

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Oct 17 09:47:25 MST 2019 

These are the Final Minutes of the Teleconference described in the 
subject of this message.


    Attendees (in alphabetical order)

Ben Wilson (Digicert), Bruce Morton (Entrust Datacard), Chris Kemmerer 
(SSL.com), Daniela Hood (GoDaddy), Dimitris Zacharopoulos (HARICA), Doug 
Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew 
(D-TRUST), Gordon Bock (Microsoft), Inaba Atsushi (GlobalSign), India 
Donald (US Federal PKI Management Authority), Janet Hines (SecureTrust), 
Jos Purvis (Cisco Systems), Kenneth Myers (US Federal PKI Management 
Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa 
Telecom), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike 
Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter 
(SecureTrust), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley 
Brewer (Digicert), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera 
Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), 
Wendy Brown (US Federal PKI Management Authority).


    Minutes


      1. Roll Call

The Chair took attendance.


      2. Read Antitrust Statement

The Antitrust Statement was read.


      3. Review Agenda

No changes to the agenda.


      4. Approval of minutes from previous teleconference


The minutes from the previous teleconference were approved and will be 
circulated to the public list.


      5. Validation Subcommittee Update

The subcommittee did not meet since the last meeting so there was no update.


      6. NetSec Subcommittee Update

Ben reported that SC21 is in the final stage of voting. He mentioned 
that some of the sub-groups met last week and they continue drafting 
ballots. Dimitris asked about SC20 and if there is any further progress 
and Ben said the sub-group is working on that and will update the ballot 
soon.

Ryan expressed some concerns about the reporting and communication of 
these sub-groups and the NetSec subcommittee to the larger WG in terms 
of the broad set of problems they are working on. It seems there were 
very interesting discussions during the preparation of SC21 which 
weren't communicated all the way to the WG. It would be sufficient if 
these discussions were somehow communicated through the minutes of these 
subcommittee calls so that Members have a better understanding about the 
rationale of some recommended changes proposed in ballots. It would be 
nice if the Subcommittee was able to describe a set of problems they are 
trying to solve and how they are trying to solve these problems. That 
would be helpful for any ballot, not just for this subcommittee.

Tobi mentioned that in the introduction of SC20 the subcommittee tried 
to add language about the motivation and the problems they are working 
on. Tobi explained some of the difficulties in explaining what it means 
to have certain requirements for "configurations" and try to add 
language which attempts to give an "impression" of what constitutes a 
"configuration" and what does not.

Ryan clarified that he sees value in updates. He would like to see which 
updates are intentional (and linked to the problem we are trying to 
solve) and which ones are not and might create additional ambiguities. 
He gave an example of the ballot that removed validation methods 1 and 5 
where Jeremy Rowley from Digicert gave a concrete example of the problem 
and suggested a solution. In any case, when a topic moves to the Working 
Group level, any pointers to previous subcommittee or sub-group 
discussions would be useful so that Members can get a clear 
understanding of the stated problems and the proposed solutions, in 
order to avoid possible new ambiguities from being accidentally introduced.

Dimitris recommended that it would be very useful if Ben could collect a 
summary of updates from the sub-groups that he could use to report back 
to the larger group. Tobi mentioned that some sub-groups have detailed 
minutes and Dimitris explained that it would be better to have 
aggregated minutes to be reported for the larger group teleconferences.

Tobi continued to discuss about SC21 and mentioned that in some cases it 
is hard to see or understand the angle/point of view of members not 
participating on the calls. Dimitris reminded that SC21 did not remove 
any of the previous controls but just added some automation options. Ben 
mentioned that the language proposed in SC21 was reorganized and that 
the subcommittee could provide more emphasis on the "continuous 
monitoring" element that the group had discussed and all the benefits 
from that. Ben also mentioned that in these meetings, Tim Crawford 
(auditor) explained how adding language for "f." around monitoring the 
archival and retention of logs would require additional review by 
auditors and preparation by CAs that have processes in place to monitor 
the archival and retention. The previous language was only about 
maintaining archival and retention but now it includes the element of 
"monitoring" which is an additional requirement.

Ryan clarified that the expectation is not to include all the detailed 
discussions in the ballot introduction. It seems there were fascinating 
discussions (hearing from auditors, hearing from CAs on the challenges 
to implement these proposed changes and confusions with their auditors) 
in the subcommittee around SC21 that should be captured in minutes and 
these minutes could be referenced as pointers in the ballot 
introduction. He emphasized that real world cases would be extremely 
useful to be captured in minutes.


      7. Ballot Status

No further discussion.


        _Ballots in Discussion Period_

//None//

_*Ballots in Voting Period*_
/SC21 Ballot (NSR 3): Log Integrity Controls/ (Ben)

_*Ballots in Review Period*_
//None//


        _Draft Ballots under Consideration_


/Improvements for Method 6, website control/ (Tim H.)
No additional comments
/
SC20 Ballot (NSR 2): System Configuration Management/
No additional comments

/LEI Ballot/ (Tim H.)

/Precertificates and OCSP/ (Wayne)
Wayne explained that in order to understand this ballot one would have 
to go back and read the public discussions in m.d.s.p. mailing list. The 
problem is that section 7.1.2.5 in the BRs explicitly states that a 
pre-certificate is not a Certificate and it's unclear what needs to 
happen in terms of OCSP. This ballot is trying to clarify the 
interpretation so that, as Rob Stradling from Sectigo said, some CAs 
would not be stuck violating certain policies because these policies 
have a conflict. Wayne mentioned that he has two endorsers and will 
initiate the review period soon.


      8. F2F 48 Agenda

The draft agenda is up on the wiki. Dimitris said that other than the 
typical slots we have no special topics to discuss. He reminded 
participants that the F2F meetings are a great opportunity to discuss in 
person some of the more controversial topics which are difficult to 
resolve via the mailing lists. Members are requested to check and 
propose new items to discuss at the F2F.


      9. Any Other Business

Dimitris sent out an email to the management list for the photo policy. 
It would be a topic to discuss at the F2F and hopefully by the end of 
that meeting the Forum would have a clear way forward.


      10. Next call

October 17, 2019 at 11:00 am Eastern Time.


      Adjourned


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191017/639637e6/attachment-0001.html>

More information about the Servercert-wg mailing list