[cabf_validation] Minutes of the Validation Subcommittee Call on Feb 13, 2020

[Wayne Thayer]

# Minutes from the Validation Subcommittee Meeting on 13 February 2020.

## Attendees:
Tim Hollebeek, Doug Beattie, Corey Bonnell, Shelley Brewer, Dean Coclin,
Li-Chun Chen, Joanna Fox, Andrea Holland, Daniela Hood, Vincent Lynch,
Bruce Morton, Mike Reilly, Rich Smith, Wayne Thayer, Clint Wilson, Dimitris
Zacharopoulos

## Agenda:
F2F topics
EV Improvements (Dean)

The antitrust statement was read by Tim, and a minute taker was assigned.

## Next Week’s F2F Meeting
Tim - It’s worth continuing discussion on OU rules.
Tim - I will start with a recap of the discussion from our SC meetings and
the mailing list. Then would like to have a broad discussion of what the
group should be doing over the next third of this year.

## EV Improvements
Dean - Presented four ideas in Thessaloniki - whitelist of data sources,
allowing CA records, using LEIs, Trademarks. Last was most controversial.
Begin with discussion of validation sources. It’s a major step to create an
allow list. Then everyone must stick to it and we need a mechanism for
updating it.
Bruce - Suggestion for how we’ll do that?
Dean - It shouldn’t require a full ballot process
Mike - why haven’t CAs been sharing the data?
Bruce - Easy for CAs to provide the data, but so what? CAs want to know
what will be done with it
Dean - DigiCert list has over 100 sources. If a validation source isn’t in
the list, then it’s mis-issued.
Tim - easier to have a concrete discussion when we know what people are
doing. Similar to what we did with domain and IP address validation. Start
with what people are already doing. Proposal was that we wouldn’t be strict
at first - accept list of existing sources unless something is egregious.
Don’t want to go straight to the point where CAs are mis-issuing certs
using existing sources.
Dean - Issues are what comes first, how do we modify the list, and need for
a process.
Dimitris - Some CAs may have a competitive advantage over another via a
special source. Sharing that info might be difficult.
Tim - Is that what we want?
Dean - We need to improve EV and move forward. Show that efforts are
underway to make it a better product. So should we have a discussion about
ways to update the sources list at the F2F?
Tim - yes, especially if it would make CAs more comfortable sharing sources.
Bruce - No big issue sharing our sources, concern is being handcuffed.
Dean - Is this of interest to browsers?
Mike - Yes, interested in knowing how validation is happening.
Clint - Agree. We’re in a discovery mode of how validation is done.
Dimitris - Maybe we should start with a smaller set of sources
Dean - We need more than DigiCert’s sources before we scrub the list
Tim - We can continue in parallel - gather sources and work on the process.
First pass could be a “safe harbor” list. No restrictions, but sources on
the list are explicitly allowed as good. Right now we really don’t know if
some sources are better than others.
Dimitris - These are all EV QIIS, correct?
Tim - Correct
Bruce - We should be able to create a thorough list after 13 years of EV
issuance
Dean - Need to come up with a process
Bruce - Removals could happen via incident reports
Dean - When was the last time a validation source was added?
Joanna - We alter sources multiple times per month. Will a slight name
change of a source require an update to the allow-list?
Shelley - Agree. List is continually being updated. Nothing says that
DigiCert will be maintaining the master list.
Tim - Our list changes on a regular basis. There has to be a lightweight
process for updating the list, but we also want good quality control.
Dean - Next step is to come up with a plan. Develop the list, scrub the
list, procedures for adding & removing.
Dimitris - Recommend focusing on QGIS first
Joanna - Second that
Shelley - DigiCert doesn’t want to maintain the list.
Dean - Next is the expression of cert types in CAA records. How would we do
that?
Wayne - Want to review Thessaloniki minutes because this was discussed
there.
Doug - CAA is complicated enough. There would need to be a strong security
argument for the added complexity.
Tim - CAA spec allows CAs to define extensions. The reason to discuss at
the forum is if policies are required, and to standardize the semantics
Wayne - We could standardize the semantics first, leave policies for later
Tim - Correct. We could document the semantics then register with IANA
Bruce - Do we know how broadly CAA is in use?
Tim - Relatively widespread, but don’t have statistics
Corey - More features might help with adoption
Tim - Other CAA extensions are going through IETF processes at this time.
Dimitris - Consider adding semantics for the type of domain validation
Tim - This is a good one to add. It can reduce the attack surface for a
given organization. Main sticking point has been how to express the
validation methods in the face of improvements to those methods.
Dean - Think using LEIs to correlate identity in EV certs is a good idea.
Tim - Opinions are split. We might just need to take it to a ballot
Dimitris - Which order does validation occur in?
Tim - No specific order - Just match registration information gathered with
EV process with LEI database.
Mike - There’s been some discussion. Unclear if it’s useful. Adding more
validated information can be bad.
Wayne - Agree. More information
Dean - People see value in it, but there are two viewpoints.
Tim - We have one hour allotted next week
Dean - We could take an hour to talk about validation sources.
Tim - An hour is about right for the entire SC discussion
Dimitris - Discussing LEI will add some time - 90 minutes is good.
Dean - Are LEIs permitted in certs today?
Tim - In an extension, yes, but not in the Subject.
Wayne - What about future work and OU rules?
Tim - Let’s allot 2 hours for the F2F meeting.

Meeting adjourned.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20200213/7267f46e/attachment.html>