[Servercert-wg] Final minutes of the SCWG call of April 25th

Inigo Barreira Inigo.Barreira at sectigo.com
Thu May 9 16:38:03 UTC 2024


 

Subject: Final minutes of the SCWG call of April 25th

 

These are the Final Minutes of the Teleconference described in the subject
of this message, prepared by Ryan Dickson (Google Chrome).

 

Server Certificate Working Group Agenda – 25 April 2024

 

 

Attendees: Aaron Poulsen (Amazon Trust Services), Adam Jones (Microsoft),
Andrea Holland (VikingCloud), Ben Wilson (Mozilla), Bindi Davé (DigiCert),
Brianca Martin (Amazon), Chris Clements (Google Chrome), Clint Wilson
(Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dimitris
Zacharopoulos (HARICA), Dong Wha Shin (MOIS), Doug Beattie (GlobalSign),
Dustin Hollenback (Microsoft), Enrico Entschew (D-Trust), Gregory Tomko
(GlobalSign), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Jaime
Hablutzel (OISTE Foundation), Janet Hines (VikingCloud), Jay Wilson
(Sectigo), Johnny Reading (GoDaddy), Keshava Nagaraju (eMudhra), Kiran
Tummala (Microsoft), Li-Chun Chen (Chunghwa Telecom), Lynn Jeun (Visa), Mads
Henriksveen (Buypass AS), Mahua Chaudhuri (Microsoft), Marco Schambach
(IdenTrust), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon Trust
Services), Miguel Sanchez (Google Trust Services), Mrugesh Chandarana
(IdenTrust), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nicol So
(CommScope), Nome Huang (TrustAsia), Peter Miskovic (Disig), Rollin Yu
(TrustAsia), Ryan Dickson (Google Chrome), Scott Rea (eMudhra), Sissel Hoel
(Buypass), Stephen Davidson (DigiCert), Steven Deitte (GoDaddy), Tadahiko
Ito (SECOM Trust Systems), Tathan Thacker (IdenTrust), Thomas Zermeno
(SSL.com), Tim Hollebeek (DigiCert), Trevoli Ponds-White (Amazon
Trust Services), Tsung-Min Kuo (Chunghwa Telecom), Wayne Thayer (Fastly),
Wendy Brown (US Federal PKI Management Authority), Yashwanth TM (eMudhra)

 

Begin Recording and Roll Call

 

The call’s recording was enabled.

 

Inigo greeted participants and opened the meeting.

 

Ryan Dickson is taking minutes.

 

Inigo completed Roll Call (attendees listed above).

 

Read Note-well 

 

Inigo read the Note-well.

 

 

Review Agenda 

 

Inigo reviewed the agenda.

 

No additional agenda items were raised for discussion.

 

Minutes:

 

The following minutes were distributed prior to the call:

 

 

Minutes from February 15th circulated on April 11

 

Minutes from March 28th circulated on April 22

 

Minutes from April 11th circulated on April 18 

 

 

There was no discussion on the above sets of minutes; they are considered
approved.

Inigo will soon publish the approved minutes to the website.

 

Membership:

 

 

N/A - no open requests.

 

 

Issues/topics to discuss

 

Inigo pre-staged three discussion items.

GitHub open issues triage (10 issues per call min): 153, 154, 160, 181, 187,
193, 229, 243, 148 and 252

PAG

F2F agenda

 

Discussion:

 

 

GitHub open issues:

On triage approach: Ping issues twice a year. If no update in six months,
evaluate the issue and determine whether it should be closed,
re-prioritized, or re-assigned. If an issue hasn’t been touched in three
years, it might be closed.

 

 

We discussed the 10 oldest issues:

 

153 <https://github.com/cabforum/servercert/issues/153>

Update from Corey: Not a high priority, but still should be completed.
Collaboration welcome. 

 

 

Additional discussion: Tim noted this would be an easy “First Ballot” for
someone looking to learn the balloting process. We should consider applying
that label to issues, where appropriate.

 

 
154 <https://github.com/cabforum/servercert/issues/154>

Update from Corey: I think this can be closed due to the Profiles Ballot.

Additional discussion: Clint mentioned the only action left, as he recalled,
was verifying the profile ballot addressed the issue. The group discussed
and decided to close the issue, though it can always be reopened if anyone
disagrees.

 

 
160 <https://github.com/cabforum/servercert/issues/160>

Update from Clint: Profiles Ballot helps with some of this, but there’s
still some potential improvements we could make. His last thought was to see
if it was something we’d address in the Definitions and Glossary Working
Group. Still ongoing. We later went back to this discussion, and Clint
shared what additional clarifications we might benefit from. Tim recalled
the discussion might relate to SRV names (which would need to be addressed
first in the IETF). This issue should be left open.

 

181 <https://github.com/cabforum/servercert/issues/181>

Update from Inigo: No clear action owner.

 

Additional discussion: This should be a clean-up item. Label added.

 

 

187 <https://github.com/cabforum/servercert/issues/187>

Update from Inigo: Assigned to Pedro (not on call)

 

Additional discussion: The issue appears to challenge the existing
requirements. The described goal of the update would be to reduce
opportunity for the existing requirements to be misinterpreted - especially
when considering the order of operations that might take place. Trev asked
whether we need these types of callouts for Technically-Constrained CAs.

Tim thinks the rules are pretty clear today. Dimitris accepts action to also
join the review and to help determine next steps.

 

 

193 <https://github.com/cabforum/servercert/issues/193>

 

Update from Inigo: This is related to 432 (style guide,
<https://github.com/cabforum/servercert/issues/432>).

 

Additional discussion: Tim described the EV Guidelines describe CAs can set
a date, but there’s no expected format defined - resulting in inconsistency
across EV issuers. This is another example of a good “First Ballot” item.
Ben mentioned an open Incident Report related to DigiCert may result in some
of this language being updated, and perhaps this could also be considered at
that time.

 

229 <https://github.com/cabforum/servercert/issues/229>

 

Update from Dimitris: We now indicate which Validation methods allow
wildcards, this issue can be closed. Clint mentioned there is likely still a
useful change to take place in 3.2.2.6 because “an appropriate way” is
unclear. As described in Dimitris’ comment, this concern could be remedied
(i.e., “appropriate way” needs to point to the actual methods we have
defined.) Issue updated to clarify this status.

 

243 <https://github.com/cabforum/servercert/issues/243>

 

Update from Tim: This is a clean-up item. While some sections should have
requirements written, “No stipulation” is more appropriate than blank.

 

148 <https://github.com/cabforum/servercert/issues/148>

 

Discussion: This can be closed.

 

252 <https://github.com/cabforum/servercert/issues/252>

 

Discussion: This would make a good F2F discussion, let’s consider broader
discussion at the F2F. Inigo took action to plan future agenda item. 

 

PAG

 

Ben shared an invite for a PAG meeting on Monday (4/29) at 11am ET - the
claimant of the exclusion (GoDaddy) was not included.

 

 

Ben asked if anyone had questions about the process, there were none.

 

Inigo suggested Ben share an update at the F2F for broader visibility. Ben
indicated there might not yet be any updates available at that time, but an
update might be worthwhile (depending on the circumstances).

 

 

 

F2F agenda

Send Inigo any discussion ideas for the F2F.

 

 

Ballot Status – see list below

 

 

Inigo shared overview of the “in discussion” ballots

 

SC67: Ryan indicated discussion Round 2 may start as early as tomorrow.

 

SC71: Dustin and Ben expressed updates are pending, subsequent round of
discussion to be opened at a later time.

 

SC73: Wayne indicated the discussion period ends this afternoon, no feedback
so far. Wayne is planning to move for voting later today or tomorrow. 

Review Period

 

SC74 – Clarify CP/CPS structure according to RFC 3647

 

Dimitris shared a pre-ballot with the list. Aaron from ATS volunteered as an
endorser. Tim volunteered to endorse, Dimitris will move forward with
Discussion.

 

Draft / Under Consideration

 

SCXX – Profiles cleanup ballot – on hold

SCXX – Measure all hours and days to the second – on hold - removed

SCXX – Introduce linting in the TLS BRs

 

There are endorsers, draft language is on Wiki, it’s a work in progress.

 

 

Any Other Business

None

Next call: 9 May

Adjourn

 
