[cabf_validation] 27-Feb Validation Subcommittee Meeting Minutes (draft)

[Robin Alden]

This is a first draft of the minutes.  I will check and add the attendees and post a final version.

 

Present: (tbc)

 

Wayne Thayer chaired the meeting.

 

1. Preliminaries

** Assign minute taker

** Read antitrust statement

** Review/update agenda

 

2. Priorities from F2F:

1. Default deny.

Doug posted a google doc in which we can identify areas that would benefit from attention.

https://docs.google.com/document/d/1i3CvNbd6mHI9KYYith94C7RQ-ny6ibuo7x7j7m9hSM4/edit

2. Permitted fields in the subject of CA certificates.

(related to default deny)

A number of CA certs have more than the 3 fields mentioned in the BRs.

Ryan was drafting a ballot.

Still a priority, but probably no work to do until we have a ballot.

Ryan looking at a sunsetting strategy.

3. Creating a list of registration agencies (or JoIs)

Last week at the F2F we agreed that the list is much narrower than had been targeted by CAs so far.

This is specific to registration agencies.  It has become apparent that CAs may not have such a list.

Do we want to pursue this? - If so, how do we move forward.

(silence)

Dean: Joanna from GoDaddy has some experience.

Ryan: We can take a small subset list.

E.g. we discussed LEI, and curtail it for jurisdictions and see about adopting that list and using that as a forcing function to see what sources CAs use.

Ryan will draft a ballot requiring disclosure.

Does a 3 month phase-in feel like enough?

Doug: Depends on how new items are added.

If we can add new items on an ad-hoc list going forward, then OK.

Ryan: Yes, a CA could modify the list whenever they want. But how long does it take place to put a procedure in place to allow a CA to modify their list and publish it.

Doug: You may go through an entity that provides the info.

 

Ryan: The CA discloses as part of their procedure the list of agencies they trust.

 

Wayne: more acceptable if CAs can add to the list  after using it.  "within 90 days.."

BR ballot or EV ballot?

Ryan: EV. Registry of Incorporation.

 

Wayne: We're not going forward asking CAs to update the spreadsheet?

Ryan: That's right.

 

4. CAA semantics

A set of standard semantics for expressing DV/OV/EV/IV in CAA methods.

The semantics for validation methods was thought to be harmful as it could prevent updates to those methods.

Doug: Just validation types? - 

 

5. Updating requirements for OU fields in certificates.

Is there energy around updating these?

Robin – Sectigo is interested in seeing these updated.

* Dimitris pointed out that OU can't be used at all.

* OU appear in DV certificates?

* Does the OU field in a cert need to be bound to the subject identity?

* Conversation ensued around the issue of purpose - is this for the subscriber, for the relying party (e.g. brand of CA), Uniqueness requirements

Ryan: interested 1st in the purpose and use cases for it, as requirements will be shaped by that.

Looking across the spectrum of OU values, there appear to be multiple motivations, and that could be a good starting point to elaborate on the use cases for the OU. (relying party, subscriber, what ?

Sectigo will work on this.

 

6. LEI ballot.

Tim still working on it. 

Ryan: haven't seen movement since 1st draft.  recap: The purpose and the requirements.

Do we know what feedback he is addressing or rejecting?

Wayne: It will be on the agenda for our next meeting.

7. Movement to standardize state and province names.

Short discussion at F2F. A difficult topic and not a big priority.

Does anyone feel this is a priority?

Ryan: State and Province, no, Jurisdiction fields - that will hopefully get sorted as we make progress getting the incorporating agencies sorted.  So maybe backburner this until we have a sense of the sources that CAs use.

So if a 3 month phase in, then maybe we come back to this in 9-12 months.

Doug: in the US we'd look to Sec of state.  Some may abbreviate states and others not.  So does the registration agency actually help for S&P?

Ryan: Agree.  I was thinking that, e.g. for Sec of State, say 4-5 months from now, we'd start seeing the CAs document the Registration agency.  6 months after that we start looking through the sources and normalizing.

e.g. in US, define expected values for the Jurisdiction fields are for that Registration Authority.

That would define what the Jurisdiction fields would have.  OV fields are more complex, but tackling the Jurisdiction fields first we can bring out the .....

Doug: It seems we know for US & Canada & a bunch of others, we know the list, so why not start defining some of the known ones.  Colleagues point out that e.g. Belgium is complex because of language.

Shelly Brewer: based on our own experience, there are some nation states that are quite easy, but what about contested areas such as Palestine.

Is there a mechanism that we can build a jurisdiction based on consensus?

Rich: One of the things we did a number of years ago was define country code XX for countries not yet recognized and hence not having an ISO code.  (e.g. Kosovo, originally)  

Must be recognized where the CA operates.

Put the area in the state or province field.

Ryan: .. recognized by at least 2 UN member nations..

Shelley: That answers a good chunk, but there are outliers that are quite problematic, e.g. HK.

Not very many, but can cause business issues. would like to see some mechanism for places like that.

Wayne: Seems consistent to what I heard, that a completely consistent list worldwide would be hard.

Where not difficult, come up with the list, and come up with an exception process where not easy to define.

Rich: Against the CABF make adjudication on HK, TW, because that puts us squarely in the middle of political decisions that we don't want to be in the middle of.

Either CN, HK, or HK, HK (listed).

We dont want to say 'must use CN'.

Ryan: Browsers have had to deal with, and using GLEIF as an example (which CN makes heavy use of), GLEIF uses the HK code.

Browsers and OSs make clear that is a country or region code, not exclusively a sovereign state code.

That has largely addressed the geopolitical situation.

'Country or Region' in cert viewer, e.g.

As Wayne said , not suggesting we do a full list, but in the process for coming up with the registration agency list we will come up with the main ones.

E.g. HK companies House.  There is a canonical way to encode that in a number of different systems.

Tougher to enumerate all the ?? of Belgium. ??

 

Wayne: Use the ISO where it is not hard to solve. 

If someone doesn't wants to take on the second part, then it becomes a lower priority.

 

Agendum 3.

Default Deny.

Doug, thanks for creating the doc.

Doug: I'm not even sure that the scope is, but I thought I'd create a version of the doc we could collaborate on and raise issues.  See what is problematic.

I just started at the beginning and went through.

For the most part the validation methods are pretty well defined.  

Corey went through and added some comments, as did a few others.

Is it worth dividing it up ? - But not hard to flip through and pick a section and evaluate for whether default deny is a problem.

Wayne: Any comments on Doug's approach? - I saw comments on focussing on certificate profile, and on enumerated lists.

Doug: Those are areas with ambiguities, so I think those are a good place to look.

...

Ryan: In Its  in scope for the chartered working group, but is it in scope for the sub-committee? 

My suggestion is that it is on the line.  Certificate profile - directly related to cert content, so that’s related to the inclusion of info in certificates.

OCSP or CRLs - maybe not in scope for validation subcommittee.

The bylaws have requirements on groups, but subcommittees are more flexible.

For the whole issue, we may want to bump it up a level.

Wayne: Practically speaking, is this the right group of people to take on the work?

My opinion is that this is as good a group as any.  Maybe we accept this is marginal on the charter, or review the charter, or set a new group up.

Robin: I think we are the right people.  If the subcommittee isn't the right place then we can revue it or kick up to the working group level.

Doug: Agree.

Ryan: There is no difference in IP between Wg and subcommittee. The purpose is for communication.

Are there folks on the call who may not be interested?

Are there people not in the SC who would be interested?

In the past, members have had informal discussions and got on a call to socialize it.

(terrible option, but..) Similar to the telecons having the forum group and SSL Wkg group, could do both on this call.

The main caveat is just the time.  If this is the right group and the time works, subcommittees are meant to be more flexible.

Wayne: I would argue for continuing this work in this subcommittee.  Make it known we are doing the work, and invite others to join if they are interested (or to object if they don't like what we're doing in the SC).

No objections heard yet, more hypothetical issues.

I have another Q about this doc.  Makes sense to move forward with proposing additional areas of clarification.

Some areas feel a bit more substantial.  E.g. fields in CA certs.  That is going to require a separate ballot.

Perhaps same thing applies to OU fields. (maybe default deny).

Perhaps there is a cleanup ballot, but also other ballots that will need to be broken out from this work.

Ryan: I agree.  Would suggest priority is around cert profile (section 7).  

7.1, we’ve talked about CA subject fields, and OU for leaf and sub-CAs.

OCSP profile - distinct ballot.

Moving to a place where the profile in sec 7 is clean and locked down, then moving to practices.

Wayne: Does it make sense to pick individual sections on these calls, e.g. next time talk about section 7.1.

Ryan: That is certainly our biggest priority.

 

AOB?

Dean mentioned the paper presented at RSA about the ability to get EV certificates from the dark web.

The presentation highlights where improvements can be made in the EV process.  read the pres.

Wayne: Will add this to agenda for next time.

 

Regards
Robin Alden

Sectigo Limited

 

From: Validation <validation-bounces at cabforum.org> On Behalf Of Wayne Thayer via Validation
Sent: 26 February 2020 15:44
To: validation at cabforum.org
Subject: [cabf_validation] 27-Feb Validation Subcommittee Meeting Agenda

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 

I believe that Tim is on holiday this week, so I went ahead and drafted an agenda for tomorrow's call:

 

1. Preliminaries

** Assign minute taker

** Read antitrust statement

** Review/update agenda

 

2. Priorities from F2F:

** Default deny

** Permitted fields in the Subject of CA certs

** Create list of Registration Agencies for JOI + process to maintain the list

** Define CAA semantics

** Update OU field requirements

** LEI ballot

** Standardize State and Province names

 

3. Default Deny Discussion

** Doug's draft: https://docs.google.com/document/d/1i3CvNbd6mHI9KYYith94C7RQ-ny6ibuo7x7j7m9hSM4/edit

 

4. Any Other Business

** TLS-ALPN-01

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20200305/d9d47595/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5711 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20200305/d9d47595/attachment-0001.p7s>