[Servercert-wg] Final minutes for Server Certificate Working Group Teleconference - February 6, 2020
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Feb 21 00:33:39 MST 2020
These are the final minutes of the Teleconference described in the
subject of this message.
Attendees (in alphabetical order)
Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris Kemmerer
(SSL.com), Curt Spann (Apple), Daniela Hood (GoDaddy), Dean Coclin
(Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign),
Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Inaba Atsushi
(GlobalSign), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Leo
Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen
(Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar
(TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe
(GlobalSign), Peter Miskovic (Disig), Rich Smith (Sectigo), Ryan Sleevi
(Google), Shelley Brewer (Digicert), Thanos Vrachnos (SSL.com), Tim
Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli
Ponds-White (Amazon), Vincent Lynch (Digicert), Wayne Thayer (Mozilla),
Wendy Brown (US Federal PKI Management Authority).
Minutes
1. Roll Call
The Chair took attendance.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
Accepted without changes.
4. Approval of minutes from previous teleconference
Accepted without objections.
5. Approval of minutes from F2F meeting November 5, 2019
Accepted without objections.
6. Validation Subcommittee Update
* The subcommittee's call was short and discussed possible
topics for the upcoming F2F.
7. NetSec Subcommittee Update
* Problems discussing how the SC could share sensitive information off
the public list. Created a netsec-management list with help from Travis.
* Preparing a new ballot to change the CVSS requirements
* Working on the Log retention ballot, performing a risk-benefit
analysis in the discussion document so others can see the thought
process and rationale and why some items are proposed for a 2-year
retention policy vs the normal one (7+ years).
* SC20 is in discussion
* Finalize what to present at the F2F.
8. Ballot Status
_Ballots in Discussion Period_
/SC20: Configuration Management/ (Neil)
Ryan suggested there could be "creative interpretations" to the text
related to desired config changes that would not be considered
compliance issues. He recommended alternative language that will be
discussed at the next meeting. The plan is to put this ballot out for a
vote soon. The subcommittee agreed to stick with lightweight changes
that Ryan proposed.
/SC27: Version 3 Onion Certificates/ (Wayne)
There was a change in section 3.2.2.4 improving a rather long paragraph.
After 7 days of discussion Wayne will start the voting period.
_Ballots in Voting Period_
None
_Ballots in Review Period_
/SC25: Define New HTTP Domain Validation Methods/ (review ends
2020-03-03)
_Draft Ballots under Consideration_
/SC26 - Pandoc-Friendly Markdown Formatting Changes/ (Jos)
Jos posted a quick update that fixed the issues. Comparison is now
easier. Plans to start the discussion period.
/LEI Ballot/ (Tim H.)
No updates. More discussion at the F2F.
/Aligning the BRs with existing Browser Requirements/ (Ryan)
Ryan is incorporating Mozilla Policy 2.7. The plan is to send an update
before the F2F. All proposed changes derive from existing Root Program
requirements. Ryan also wants to explore what the effective dates should
be in the BRs because various root programs had different policies and
effective dates in the past. This issue is more important to Root
Programs than for the CA members. CAs will see if they have missed any
program requirements and Root Programs will see whether they were
enforcing their Root Program requirements on CAs and whether the Root
Programs would decide to give some grace period.
Tim H noted that it is possible that a CA may not participate in all
Root programs. Therefore, bringing all requirements in the BRs would
cause that CA to have to comply with more than necessary and even though
that CA was complying with the requirements of a single Root Program, it
would be out of compliance because of the additional requirements from
other Root Programs. Ryan considers this to be a fair statement and we
will need to discuss possible solutions.
9. Approve agenda for F2F 49
The agenda as posted on 2020-02-07 was approved.
10. Any Other Business
No other Business raised.
11. Next call
March 5, 2020 at 11:00 am Eastern Time.
Adjourned