[cabf_validation] Minutes of the Validation Subcommittee call on Dec 5th, 2019
wthayer at mozilla.com
Thu Dec 5 11:03:55 MST 2019
Minutes of the Validation Subcommittee call on Dec 5th, 2019
Attendees: Tim Hollebeek, Bruce Morton, Mike Reilly, Joanna Fox, Shelly
Brewer, Vincent Lynch, Daniela Hood, Doug Beattie, Ryan Sleevi, Wendy Brown
The Antitrust Statement was read by Tim.
Agenda: Method 6 and validation sources. Also, subject attributes in CAs
Method 6 -
Tim: Where are we?
Doug: Sent out an update one month ago. Still need to get it into GitHub.
Didn’t receive any comments.
Validation Sources -
Tim: Discussed idea in Greece of developing a list of validation sources
Ryan: DigiCert has been helpful by publishing their existing sources
Robin: Happy to help in principle. See benefit of getting this info out
Ryan: We can put it on the wiki or in a collaborative spreadsheet.
Particularly helpful to get input from regional CAs
Doug: Can we reuse the Validation Summit Google doc?
Wayne: prefer a new doc, happy to create one
Doug: What about discussion of issues, which is easier in a Word-style doc?
Tim: Might need both a spreadsheet with the list and a doc with the
Ryan: Include a column indicating which CAs are using the source. The
initial list can include all sources in use, even if there are concerns
about some of them. After the list is compiled, we can challenge/dispute
individual sources. This preserves the status quo.
Tim: Wayne will create and share the docs as we’ve discussed
Subject Attributes in CAs -
Tim: I’ve seen different proposed approaches
Ryan: Had started work on a ballot. Looking at existing set of
publicly-trusted CA certificates. Trying to account for everything that has
been done. There are requirements from relying parties on certificate size
that lead to the desire to sunset fields that aren’t essential. Sunset can
be years away, and exceptions can be discussed. Moving to a world where
only required information is included is the goal.
Tim: Sunsetting fields is going to be controversial. Ryan, do you have a
list of the field currently found in CA certs?
Ryan: Yes, planning to share with the ballot. Expect to make progress on
the ballot this week.
Tim: I think the discussion of the current requirements (versus future
rules) now makes sense. Clarifying the current requirements is urgent
because it is blocking the issuance of ICAs.
Ryan: Agree, need to get something out that unblocks the creation of ICAs,
but can’t support that ballot without agreeing to a sunset in, say, 3
years. Then we can discuss changes that exempt fields from the sunset
later. Trying to find a middle ground
Tim: Concerned about setting up sunsets for fields that are later found to
Doug: Good to allow other fields for now. We create CAs for organizations
that could be confused without the additional fields, so we need the
Doug: Will the ballot discuss cross-certificates?
Ryan: Scope is certificates with isCA=True. Not tackling the clarity issue
discussed on the list.
Doug: Concerned that it wouldn’t allow creation of cross-certs with a
subset of the 3 required fields.
Ryan: If we want to make any of those 3 fields not required, I think we
should treat that as a separate issue.
Tim: It would be a regression to stop requiring those 3 fields.
Ryan: Intent is to not restrict one CA from cross-signing another CA’s root
Doug: Issue is roots created before this requirement that don’t contain
those 3 fields.
Ryan: Unique case there is how to grandfather in legacy roots
Tim: We would support grandfathering
Any Other Business -
Wayne: TOR folks are interested in DV Onion certs. I plan to propose a
Ryan: we can probably remove the EV Onion extension as well. They’ve
adopted x25519 keys so the public keys aren’t truncated anymore, and thus
the EV extension is redundant.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Validation