[cabf_validation] Draft Minutes of CABF Validation Subcommittee Teleconference - 1 August 2019
Ben Wilson
ben.wilson at digicert.com
Thu Aug 1 14:11:49 MST 2019
Present: Wayne Thayer, Dean Coclin, Ben Wilson, Tim Hollebeek, Ryan Sleevi,
Bruce Morton, Shelley Brewer, Daniella Hood, Tim Shirley,
Tim read the antitrust statement.
The agenda was discussed and set.
LEI Ballot
Tim discussed the LEI ballot. Tim has draft on GitHub, which was discussed
in Thessaloniki.
https://github.com/timfromdigicert/documents/commit/e99e65ff4a207806c8f7cc01
a9ec61184a8b55f1#diff-4d3fa7e751e9cac20a3014852be12e82 . He asked for
comments.
Ryan - SC17 refers to QGISes. How is the LEI a QGIS? Can you give an
example of how you would associate or bind the LEI?
Tim - Basically I'm not using the QGIS/QIIS, but I've added a definition of
the Global LEI index of the GLEIF, which includes the registration number
and jurisdiction. The verification process would require an exact match of
the registration number and jurisdiction found in the LEI index with the
registration number and jurisdiction determined in the EV process. So, it
references the subject registration number in section 9.2.5.
Ryan - So the subject registration number in section 9.2.5 is what appears
in the serial number field?
Tim - what do you mean by serial number?
Ryan - In EV, the serial number is the registration number. If I understand
correctly, the CA looks up the information in the QGIS and determines the
registration number and jurisdiction of incorporation. If they want to
include the LEI, they look for a match in the GLEIF database, and if so,
then they are allowed to include that in the certificate.
Tim - They should also look at the address information for matches, and
ensure that they are not grossly inconsistent.
Ryan - What's the threat model for checking the address? Is it to mitigate
risk or is it a quality of service reason? Are we concerned that the
registration number is not going to be a sufficiently strong match or is it
to help GLEIF maintain their database?
Tim - It's mainly the second one, and it's a belt-and-suspenders approach.
The registration number should be perfectly fine, but if the registration
number is off by one digit, then the address check would help.
Ryan - Also, the definitions are too much prose and insufficient as
technical definitions.
Tim - They were adopted from the GLIEF website in order to avoid
controversy.
Ryan - The second half of the definitions is unnecessary, can we discuss
this on Github or the list?
Wayne - The validation part of this is vague. It would be better to be more
specific, like "The CA SHALL ensure that the organization name in the Global
LEI index matches the organization name in the QGIS/QIIS and that the
registration number in the Global LEI index matches the registration number
in the QGIS/QIIS, etc."
Tim - I'm open to proposals to make the language more clear.
Question on the Questions List
Dean - There was a question on the questions list. Ryan had a response. Are
there any other comments? The question was whether the CABF was doing away
with attorney/accountant letters.
Ryan - the question is coming from a TLD. They've modeled a validation
process and they're trying to check on industry practice. EV Guidelines
allow attorney/accountant letter in lieu of QGIS information. Let's just
point them to the changes and let them decide.
Ryan will draft a response.
Certificate Lifetimes
Ryan - Circulated draft text regarding the shortening of certificate
lifetimes. It's on the list. Wayne provided feedback, which has been added.
Some information / discussion is on Github. Feedback from some concerned
implementation timeframes. Also, there have been questions about partial
days. The ballot proposes a lifetime of 397 days (a 366-day year plus a
31-day month). There is concern that CAs will screw up this calculation when
it comes to fractional days. Ryan would be willing to go with 398-day
period. How do people feel about the ballot? There hasn't been much
feedback even though people have indicated that they would provide feedback.
Dean - Word from customers is that the implementation is too soon (March
2020). Some customers won't be ready for it. Hopefully CAs are getting
feedback from their customers.
Ryan - Should this be done through browser policy, then?
Tim - I think it's a mistake to do this through browser policy vs. the CAB
Forum.
Ryan - If there is no feedback, that leads me to believe that browser policy
is the way to go.
Tim - the lack of feedback means that people haven't had time to provide
feedback. It's the first day of August, so that could be an explanation. I
would ask people who said they'd provide feedback to provide that feedback.
Dean - On the CAB Forum call next week it would be a good opportunity to
raise this again.
Ryan - Let's see about next Thursday's call.
Wayne - Best way to get feedback is to move a ballot forward.
Spring Clean-Up Ballot
Ryan sent a Github link to the Validation list.
https://github.com/cabforum/documents/compare/master...sleevi:2019-07-Cleanu
ps He is still finding things that need to be added to the Github branch.
Briefly, the corrections include definition of authorized ports, a few
spelling errors, there was a question about object identifiers in a
subscriber certificate (the person was confused whether they could be used
in the certificate - there was a problem with a verb); question about
request token; example text of a shell script was missing some back ticks;
some effective dates that are in the past (e.g. internal server names
sunset); inconsistencies exist in 3.2.2.4 and other trivial changes, ordered
lists, etc.; and the EV guidelines inconsistently refer to the Baseline
Requirements. Next steps - everyone - please make another pass. And in
another couple of weeks this will go to ballot.
Method 6 Ballot
Doug - Doug sent a draft out and got comments from Ryan and Wayne and
incorporated them. Doug just wants to make sure everyone is on board. Not
sure that a new numbered validation method needs to be created.
Tim - I don't see harm. Doug will add sunset date on ballot and add it as a
new method.
Ryan - Rather than sunset, the ballot could just allow a 3-month transition.
On the effective date CAs would need to start recording their new method
number. (E.g., CAs would just need to record it as method .16 instead of
Method .6) All existing validations would work for the remaining
certificate lifetime. Doug will get a revised version out later today or
tomorrow.
Any other business. None.
Adjourned.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190801/3f6938e2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4934 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20190801/3f6938e2/attachment-0001.p7s>
More information about the Validation
mailing list