[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - January 23 2020
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Feb 7 00:30:36 MST 2020
These are the Final Minutes of the Teleconference described in the
subject of this message.*
*
Attendees (in alphabetical order)
Arno Fiedler (D-TRUST), Clint Wilson (Apple), Corey Bonnell
(SecureTrust), Chris Kemmerer (SSL.com), David Moeller (Sectigo), Dean
Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie
(GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST),
Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management
Authority), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Kirk Hall
(Entrust Datacard), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa
Telecom), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar
(TrustCor Systems), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE
Foundation), Peter Miskovic (Disig), Rashmi Jha (Microsoft), Rich Smith
(Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google), Thanos Vrachnos
(SSL.com), Tim Callan (Sectigo), Timo Schmitt (SwissSign), Tobias
Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Vincent
Lynch (Digicert), Wayne Thayer (Mozilla).
Minutes
1. Roll Call
The Chair took attendance.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
Accepted without changes.
4. Approval of minutes from previous teleconference
Accepted without objections.
5. Validation Subcommittee Update
* The subcommittee first discussed about the updated validation method
for method 6 which is described in ballot SC25. Since that meeting
Doug has started the official discussion period for ballot SC25. It
includes two new methods; one is an update to method 6 and the other
is the ACME domain control validation via agreed-upon change to website.
* Then the subcommittee discussed about allowing DV/OV certificate
issuance for .onion addresses. Wayne needs one more endorser. Other
than that, the ballot is ready to move forward.
* The allowed fields in CA Certificates subject was also discussed.
Ryan posted a list of subject attributes currently used in CA
Certificates, by searching the CT logs. This is useful information
to help drafting a ballot for defining the allowed subject fields in
CA Certificates.
* There was some discussion about Validation of Domain Names ending in
.arpa, a specially reserved TLD that is used for mapping IP
addresses to Domain Names.
* Finally, the subcommittee discussed about possible topics for the
F2F. One possible topic for discussion was the "default deny"
interpretations of the BRs but that would require some pre-work that
the subcommittee was not able to commit to. Another topic for
discussion was the spreadsheet of Organization validation sources
shared by CAs that is published on the wiki. This could be a
potential "allow list" for validation sources. CAs may contribute
with their lists of sources for Organizational information in the
link provided by Wayne. There is a link on the wiki which was sent
via the validation subcommittee mailing list. So far Digicert has
contributed but other CAs are preparing to share their own lists.
* Detailed minutes were circulated in the validation subcommittee
mailing list
(https://cabforum.org/pipermail/validation/2020-January/001406.html)
6. NetSec Subcommittee Update
* The document structure subgroup discussed about how the netsec
document would look like if they applied the changes they have in
mind. There was consensus to fix sections that are overly repetitive
and overlapping. Some requirements don't even fit as best practices.
* Ben tried a mapping between RFC 3647 and ETSI/WebTrust with the
requirements of the NSRs. This task is under way.
* SC20 has delayed with the redline, now it's ready for general group
discussion.
* Pain points subgroup: retention of audit data (7 years is the
blanket retain period for all information). The subgroup considered
the current BRs for logging and there was consensus that some logs
(not related to the certificate issuance), should be retained for 2
years as a more reasonable retention period and more aligned with
other security frameworks. It was clarified that the change of the
retention years is not for certificate information evidence but
other logs, for example entry-exit from a datacenter facility, or
who is logged in/out from a particular host, audit telemetry. They
will try to establish if these logs make sense to keep for 7 years.
Other requirements frameworks don't have this retention period for
such logs.
* Detailed minutes were circulated in the netsec subcommittee mailing
list (https://cabforum.org/pipermail/netsec/2020-January/000275.html)
7. Ballot Status
_Ballots in Discussion Period_
/SC25: Define New HTTP Domain Validation Methods /(Doug)
The discussion period of the ballot will soon be completed and Doug will
start the voting period.
//////
_*Ballots in Voting Period*_
////None
_*Ballots in Review Period*_
None//
_Draft Ballots under Consideration_
/SC20 Ballot (NSR 2): System Configuration Management/ (Neil)
The draft ballot has been circulated in the netsec list. Neil is making
final adjustments (creating a redline) and will soon send it to the main
WG public list.
/SC26 - Pandoc-Friendly Markdown Formatting Changes/ (Jos)
The ballot is almost done. It is very close of being ready for the
discussion period to start. Now that ballot SC25 is in the discussion
and then voting period, if it overlaps with sections modified by SC25,
Jos needs to add language to describe how these sections would look like
if SC25 succeeded or failed.
//LEI Ballot//(Tim H.)
No further discussion
/
Aligning the BRs with existing Browser Requirements /(Ryan)
Ryan is incorporating changes introduced in Mozilla Policy 2.7.
Microsoft is ok with the changes so far.
/Onion Proposal/ (Wayne)
Wayne is looking for one more endorser. Other than that the ballot is ready.
8. Topics for F2F 49
Robin proposed adding a slot for a discussion around Jurisdiction of
Incorporation for Private Organizations in Germany. The issue probably
doesn't only apply for Germany but also other countries. We may need to
review our definitions in the EV Guidelines to see if they match real
life cases and clarify how they apply to different scenarios like the
one in Germany.
Mike reminded the group of a proposal by OS and Browser vendors
regarding the use of QWACs. He thinks it would be useful to have some
discussion about that at the F2F.
9. Any Other Business
No other Business raised.
10. Next call
February 6, 2020 at 11:00 am Eastern Time.
Adjourned
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200207/e2241619/attachment-0001.html>
More information about the Servercert-wg
mailing list