[cabf_validation] May 10 Validation WG Meeting Notes

[Wayne Thayer]

Thank you Robin for writing detailed minutes for the second half of
Thursday's call!

Attendees: Tim Hollebeek, Ben WIlson, Bruce Morton, Corey Bonnell, Doug
Beattie, Frazier Evans, Li-Chun Chen, Robin Alden, Shelley Brewer, Tim
Shirley, Cecilia Kam, Tyler Myers, Rich Smith

- Get back to EV updates in preparation for the F2F meeting. What problem
are we trying to solve? Focusing on the weaknesses that led to the
"Identity Verified" and Stripe demonstrations is a good place to start.
Self-reported data in QIIS may be the cause.
- Frazier asked if there are any requirements for CAs to report issues like
the recent Stripe demonstration. In these cases, Tim responded that the
mozilla.dev.security.policy list is a good place for this type of
disclosure, but it is not required in cases like this where the CA relied
on questionable information.
- How do we strengthen operational existence requirements without excluding
companies that haven't been in business for 3+ years. Robin commented that
even with stronger operational existence requirements, we will still have
duplication of company names.

*(at this point Robin took over note taking duties)*

Should we record the calls for note-taking purposes?

Probably, but need to remember to hit record!

(Ben starts Recording)

Doug will work on a draft ballot for item 3 on the agenda.

If anyone has comments on method 3 on the shared google drive, make them on
the doc and Doug will follow up tomorrow.

Method 3 was chosen because it was a place to start, not because it is so
much worse than others.



EV: continuing:

IP validation ballot.  Tim has a draft out there.  Same as Jeremy's.
Anything to add?

Comodo will probably endorse, but want to take another read thru.



Wayne's RDAP ballot.  GDPR hits in 2 weeks + 1 day

Getting WHOIS directly from the website is valid, but will get harder.

Robin: I think RDAP is a good thing.  There may be better, but RDAP could
be good.

Tim: Agreed.  I think the BRs allow RDAP, but others may have other views.

Tim: The argument we're trying to shoot down is that WHOIS refers to the
WHOIS protocol and no other method.  That seems overly prescriptive reading
of BR language as RFC language.

Let's include RDAP as a permissible protocol, or let's remove the protocol
specificity.

Take a look at Wayne's ballot.

He noted that it is common practice for a validation specialist to go to
the https lookup page and the ballot allows that too. (this may be on github
?)

What is the appropriate level of authentication for each method of getting
WHOIS info.

WHOIS - no auth

https: - some level of auth

RDAP - client auth.



Bruce: Tim, you missed item 2 on the agenda.

Tim: Correct!



Item 2.

Tim: With email addresses disappearing from WHOIS, I don't see why you
couldn't get an email from DNS.

There is a WHOAMI protocol which associates an email address with a domain
name.

I don't see any security problems with it.

Bruce: Just need help addressing comments from (chiefly) Ryan.  He didn't
like DNS TXT (but we use it elsewhere).  I used CNAME incorrectly (but its
used that way in another method).

I think we just need to work through , that some of the stuff needs to be
specific in terms of coming up with a name for it, we all use the same name.
If in CAA, he's saying that you can't use MAILTO email because that is not
the purpose of that element.  CAA would need a change to the RFC to put it
in there.  Not sure that is desirable.

Tim: Digicert is extremely supportive of this method, and once off PTO I
will help with the ballot language.  As for email addresses in CAA records,
there is a 'properties' field that CAs are allowed to put their own defined
extensions into, so those could be useful.

IETF is there to standardize existing practice, not to create practice in
advance.

IETF: rough consensus and working code.

So if we want to experiment with putting email addresses into DNS and then
... CABF .. then we got to IETF and get an RFC to support that use case.

I don't think CABF should be sidelined by saying that you need to take 'x'
think to the IETF.

My personal end state would be that the IETF and the CABF could work
together.

Bruce: The 'issue' records probably aren't right for this because they
would be CA specific, but we're looking for something for all CAs to use,
so we put it in a new place.

Tim: or we put it somewhere else in DNS.  Or we say 'we'll put it somewhere
else if you make us to.'

We want to put email addresses in DNS and will work with anyone who wants
to help us operationalize that.



London meet: Tim: plan is for 3.5 hours of validation wkg group.

What do others think?

Bruce: In our last meet, we had a day on this stuff and we had the sheet of
the validation summit findings.

Should we go through to get people to lead on closing off topics with open
items out of the 10-ish methods.

Tim: Are you thinking like Doug took the lead on item 3?

Yes

Tim: I really like that idea.

Bruce: We bring up the item, have a discussion, see if we can get an owner
and try and close it out.

or we determine nothing to close out and move on.

Feels like there are still question marks from March.

Tim: There are a dizzying amount of CA/B ballots in flight now.  Need to
organize and assign owners, or we will lose track.

Need to talk about the Trello board too.

Other ideas for London?

Bruce: Do we need to work on our charter?

Tim: We are becoming a sub-committee of the server group, so no charter
needed.

Bruce: If other cert groups to form, I guess a lot of things could be drawn
from the server group.

Tim: My code-signing working group charter is also circulating.

Should the EV group have a sub-committee for validation, and should that
group work with this group - is an interesting question.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180511/4c0e0091/attachment.html>