[cabf_validation] June 21 Validation WG Meeting Notes
wthayer at mozilla.com
Thu Jun 21 09:01:40 MST 2018
Notes from the June 21 Validation WG Meeting:
Attendees: Tim Hollebeek, Ben Wilson, Corey Bonnell, Shelley Brewer, Frank
Corday, Joanna Fox, Li-Chun Chen, Tim Shirley, Doug Beattie, Cecilia Cam,
Rich Smith, Wayne Thayer
1. Tim updated the Trello board based on discussions at the F2F
2. Tim recommended against having a ballot in discussion or voting
during the governance transition - hold on ballots until July 3.
3. Tim is ready to move forward with IP address ballot to remove “any
other method”. He’ll draft it and prepare to move forward in July.
4. EV Guidelines ballot - still pending, no updates.
5. DNS alternative to WHOIS for domain validation - ballot is
progressing - expect to see a draft ballot soon.
6. Validation method OIDs - Wayne proposed putting this info into the
certificatePolicies extension, but that has a fatal flaw - a strict reading
of RFC 5280 requires the OID to be present in the intermediate, and that
would hobble improvements to validation methods. Wayne said he will propose
a new unique extension. Tim would still like to be able to log this
information outside of the certificate, but agreed that a future ballot
could add that capability. Ben asked why we need this info in the
certificate. Wayne answered that it provides relying parties more
information about the trustworthiness of the certificate, and it is very
useful to the ecosystem when confronted with issues like the weaknesses
found in methods 1, 5, 9, and 10.
7. CAA expression of permitted domain validation methods. Tim said that
ACME has defined and implemented a method for this. Tim expects this to be
discussed at the IETF meeting in Montreal. Tim questioned the scope -
should it be standardized as a “top level” CAA tag, or part of the “issue”
syntax? Doug said it would be more flexible at the “issue” tag level. Tim
Shirley said that the flexibility probably wouldn’t be used. Rich agreed.
Tim said it’s better to take the time to define a new tag. Corey said that
CAs might have different identifiers for validation methods. For instance,
ACME uses an IANA registry. Tim said that’s a problem with ACME doing their
own thing. The confusion is already there. Wayne said that we do want
friendly names, so there will be some type of “registry” for mapping
OIDs/method numbers to names. Tim said that we should register names with
IANA if we create a new top-level CAA tag. Rich said “let’s do it right”.
Tim will start a discussion about adding a new top-level tag on the IETF
LAMPS mailing list.
8. New ACME TLS-ALPN method - ACME is testing this. It currently falls
under 3.2.2.4.10. Is there interest in replacing 10 with the ALPN method?
Wayne and Tim agreed to work together on a ballot.
9. Revocation ballot - Wayne said that he is leaning toward leaving the
proposed changes to address revocation for “misuse” to a separate ballot
because the issue is complex and contentious. Others agreed. Wayne said
that he would publish a ballot and ask for endorsers.
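As an added illustration of item 7 (not code from the meeting, the CA/B Forum or ACME), the following evaluates CAA records that express permitted validation methods in the "issue"/"issuewild" parameter syntax that the ACME draft Tim referred to uses (a `validationmethods` parameter whose values are ACME challenge names from the IANA registry, e.g. `dns-01`, `http-01`, `tls-alpn-01`; this is the form later published as RFC 8657). The record set, the CA names and the zone lines are constructed for the example. A "top-level" tag, the alternative discussed above, would need a tag name the notes do not give, so it is not modelled here.

```python
# Added example: CAA "issue"/"issuewild" records carrying an ACME-style
# "validationmethods" parameter. Sample records below are constructed.
import re
from dataclasses import dataclass

CRITICAL = 0x80                     # issuer-critical flag bit (RFC 6844/8659)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# presentation format: <owner> [ttl] [IN] CAA <flags> <tag> "<value>"
_RR = re.compile(r'CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa_rrset(zone_text):
    """Parse CAA resource records from zone-file style lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR.search(line)
        if not m:
            raise ValueError(f"not a CAA RR: {line!r}")
        records.append(CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records


def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer-domain, {param: value}).

    Syntax: issuer-domain *(";" tag "=" value). An empty issuer domain
    (a value of just ";") authorises no issuer at all.
    """
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return domain, params


def may_issue(records, ca_domain, method, wildcard=False):
    """Return True if `ca_domain` may issue for the name owning `records`
    after validating it with `method` (an ACME challenge name)."""
    # A critical property the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"           # issuewild wins for wildcard names
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True                 # no applicable CAA constraint
    for r in relevant:
        domain, params = parse_issue_value(r.value)
        if domain != ca_domain.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed is None:
            return True             # authorised, any method permitted
        if method.lower() in {m.strip().lower() for m in allowed.split(",")}:
            return True
    return False


SAMPLE_ZONE = """\
; constructed example records, not real DNS data
example.com. 3600 IN CAA 0 issue "ca.example; validationmethods=dns-01,tls-alpn-01"
example.com. 3600 IN CAA 0 issue "other-ca.example"
example.com. 3600 IN CAA 0 issuewild ";"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
"""

if __name__ == "__main__":
    rrset = parse_caa_rrset(SAMPLE_ZONE)
    for ca, meth, wild in [("ca.example", "dns-01", False),
                           ("ca.example", "http-01", False),
                           ("other-ca.example", "http-01", False),
                           ("ca.example", "dns-01", True)]:
        print(ca, meth, "wildcard" if wild else "", may_issue(rrset, ca, meth, wild))
```

In the constructed record set `ca.example` may only issue after a `dns-01` or `tls-alpn-01` validation, `other-ca.example` is unrestricted, and the `issuewild ";"` record blocks wildcard issuance for everyone. Corey's point about differing method identifiers shows up in the `method` comparison: the parser matches identifiers as opaque strings, so a CA using CA/B Forum method numbers rather than ACME names would need the mapping registry Wayne described.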