[cabf_validation] Minutes from the Validation Subcommittee meeting of 17 January 2019

Robin Alden robin.alden at sectigo.com
Thu Jan 17 13:52:27 MST 2019

Robin Alden
Ben Wilson
Bruce Morton
Doug Beattie
Frank Corday
Janet Hines
Li-Chun Chen
Rich Smith
Ryan Sleevi
Tim Hollebeek
Tim Shirley

Anti-Trust Statement was read by Ryan

Wayne asked about Ballot SC14
Doug had received and addressed some comments from Ryan, removed some changes at Wayne's request, and sent out a new version yesterday.
1 week discussion review period starts now, then hopefully voting commences 1 week from today.

Wayne introduced the topic of Ballot SC7 - removing 'any other method' for IP address validation.
There is a draft of the ballot in a Google document.  Comments have been received from Doug and Ryan and have been incorporated.
1) I was waiting for SC14 language duplicated from the ( phone contact with IP address.  I don't think thats a holdup any more.
2) We got a good comment on the last call that whatever we're doing should not conflict with what LE does.  Reached out to LE.
JHA says he feels that the http validation method that ACME uses (both domain and ip address) should be separate in the BRs, because it is a more tightly specified method and potentially could be distinguished from the more generic method if we go forward with a future ballot to put the method used into the certificate.
Wayne was ambivalent as to whether that was a good idea or not.
Tim H said he had been pushing for that for over 2 years.  Acme methods do need their own well specified language, especially as that gives us a path to remove method 10.

Wayne asked whether we should include a link to the specific current TLS-ALPN draft, or should we refer to it by name?
Discussion ensued and the alternatives seemed worse, so resolved to link to the specific draft (04).
It does mean that when the TLS-ALPN doc is finalized, if there are breaking changes subsequent to draft 04, CAs probably won't be able to deploy without a change to the BRs.

Other thing JHA said, it was decided not to support reverse IP lookup method because of flakiness of that name space.
I think the purpose of this ballot is to do away with 'any other method' and to replace it with methods in use by CAs currently, rather than to fix the potential flakiness.
Tim: +1
Wayne: Is anyone in favour of removing (Reverse address lookup)?
Some discussion, but resolved to leave it in for now.
Wayne said that the ballot is now ready to go to the WG and start the discussion.
He will get a redline sent out to the larger list.

Tim: Method 6 is next..
There were some comments on method 6 that Ryan was going to address.  Do we wait for that or press forward to initial draft ballot language?
Ryan suggested to go forward to produce the ballot language with the recommended updates.  It helps concentrate the mind.
Tim wondered if Doug had volunteered to write the ballot for method 6.  Doug said he had not, but would do method 9.
Tim said we need someone to take lead on ballot 6.
The validation summit notes have the recommendations at the end.  In outline form it is clear, but needs to be turned into ballot language.
Tim won't get to it for a couple of weeks.  If anyone else can pick it up...
Wayne: Let's park that until the next call. I may be able to get to it, too.

Tim: Methods 9 & 10, as Doug pointed out need to be handled separately.
9: No one using
10. tied to ACME validation.
Ryan said he can work with JHA on method 10 , to replace it with TLS-ALPN with draft.  
Or would people rather see ballot language?
The approach would be to sunset method #10 like we expect #9 to go, and introduce a new method for TLS-ALPN.
Only distinction is whether to specifically reference the ACME TLS-ALPN validation method, or if other folks are using a TLS-ALPN method they have not yet referenced.
Would prefer to point to ACME and if other methods come out of the woodwork will reconsider.
Tim: I agree.

Doug: Are we thinking about what sort of agenda items we should be looking for for the F2F?
Tim: how long we want is a first step.
Beijing was a bit rushed at 2Hr, so maybe get a bit more time.  Keeping the validation summit tasks rolling forward is important.

Robin Alden
Sectigo Limited

More information about the Validation mailing list