[cabf_validation] Minutes of the Validation Subcommittee - March 25, 2021

Wayne Thayer wthayer at gmail.com
Thu Mar 25 15:54:56 UTC 2021


Tim read the antitrust statement.

Attendance: Tim Hollebeek, Wayne Thayer, Clint Wilson, Corey Bonnell, Bruce
Morton, Aneta Wojtczak, Daniela Hood, Paul VanBrouwershaven, Johnny
Reading, Curt Spann, Christy Berghoff, Natalia Kotliasky, Andrea Holland,
Nico Carpenter

Tim suggested the following agenda topics:
- Certificate policies and draft profile. Ryan is unable to attend.
- Validation reuse ballot. Tim said that Ben is not present and there may not
be anything to discuss.

Niko asked for a discussion of SC43 effective dates.

SC43 Effective Dates:
Niko said that he heard no objections to an effective date of July 1 for
SC43 - Acceptable Status Codes. Niko asked for guidance on the process to
add the effective date and Tim said adding the effective date would be a
‘version 2’ of the ballot. Niko asked if the current BR version is 1.7.3
and someone said that it is 1.7.4.

Certificate Profiles:
Earlier this week, Ryan sent out an email summarizing the work he’s done.
Tim said that it is mostly formatting and polishing. At some point we’ll
have to get back to the content of the spreadsheet - it has not been
finalized.

Corey said that a few interesting changes that weren’t discussed are
included. One is the near-universal requirement for the use of UTF8String.
Corey said that there is still a lot of use of PrintableString in various
fields. This is in 7.1.4.2 on page 80 of the PDF Ryan emailed out. Corey
said that he is not aware of discussion of this change in the past.

Tim said that he proposed this change before and received a lot of
push-back.

Corey said this particularly impacts the commonName field.

Tim said that we had agreed to avoid introducing big changes in the first
version of this effort. RFC 5280 clearly permits PrintableString.

Corey said that there is also a new profile for OCSP delegated responder
certificates in section 7.1.2.7 and asked if anyone had thoughts about
this. He said that prohibiting the certificatePolicies extension may be a
concern. Are any browsers expecting policy chaining for OCSP responder
certificates?

Tim said that CAs who use certificatePolicies to link the CPS to the cert
to meet Mozilla requirements may have problems with this.

Corey said that client software that looks at policy chaining might be
affected.

Tim said there are similar concerns about scope with time stamping
certificates, and the clearest solution is to use certificatePolicies to
assert this. Similarly, the OCSP responder certificate could assert that
the responder is BR compliant. If we want to do this, we should document it.

There was no further discussion, so the call ended.