[cabf_validation] Draft Minutes for the Validation Subcommittee Meeting held on August 25, 2022

Martijn Katerbarg martijn.katerbarg at sectigo.com
Mon Aug 29 10:49:12 UTC 2022



Draft minutes can be found below.



*	Aaron Poulsen - Amazon Trust Services
*	Andrea Holland - SecureTrust
*	Aneta Wojtczak - Microsoft
*	Bruce Morton - Entrust
*	Ben Wilson - Mozilla
*	Chris Clements - Google Chrome
*	Clint Wilson – Apple
*	Corey Bonnell – DigiCert
*	Corey Rasmussen - OATI
*	Doug Beattie - GlobalSign
*	Dustin Hollenback – Microsoft
*	Inigo Barreira - Sectigo
*	Janet Hines - SecureTrust
*	Joanna Fox - TrustCor Systems
*	Johnny Reading – GoDaddy
*	Li-Chun Chen - Chunghwa Telecom
*	Martijn Katerbarg – Sectigo
*	Michael Slaughter – Amazon Trust Services
*	Michelle Coon – OATI
*	Paul van Brouwershaven - Entrust
*	Pekka Lahtiharju - Telia
*	Rebecca Kelley - Apple
*	Ryan Dickson - Google Chrome
*	Tim Hollebeek - DigiCert
*	Tobias Josefowitz - Opera
*	Trevoli Ponds-White - Amazon Trust Services
*	Tyler Myers – GoDaddy
*	Wayne Thaylor - Fastly
*	Wendy Brown - US Federal PKI Management Authority


Antitrust Statement

The Antitrust Statement was read.


Minutes approval

The minutes of the last meeting on August 11, 2022 were approved.


Certificate Profiles


“Pending prohibition” Defined Term

PR 383 was opened by Aneta which adds explicit text to the dataEncipherment key usage stating it is allowed but will be removed in a future date. This change adds a new Pending Prohibition definition.

Wayne mentioned that at it’s currently written, it could be interpreted in such a way that it already is a MUST NOT. There is a discussion on which language should be used.

Aneta will amend the language in the PR.


Ryan suggests we should open up a GitHub issue any time we insert Pending Prohibition into the document.

There is consensus on this and recommended to reference the GitHub issue in the document as a way of keeping track and make sure it will indeed be changed in a future ballot.


All-encompassing effective date

PR 381. Corey has made changes to the document set an effective date. It calls out a term where both the current as well as the new requirements may be used. 

Ryan inquired if this approach was acceptable for auditors. This concern was raised during the last face-to-face and resolved at that time.


Clint points out that a MUST NOT appears to have been turned into a NOT RECOMMENDED in the certificatePolicies requirement for OCSP Responder Extensions. This still remains a wide-spread practice. Corey will reverse this change.


GRID resolution

Martijn asked regarding the status of the GRID resolution. This currently is pending a draft to be created by Dimitris



Cleanup items


Clean up EV Enterprise RA language

GitHub issue 344 has commits for a proposal to remove the EV Enterprise RA language. There are no comments at this point. 


Removal of EV CRL 3-second rule

No current comments on the proposal to remove this language. 

Both items are to be combined in a single cleanup ballot



High-priority “on deck” items


Clarify Applicant/Subscriber and CA relationship 

Wayne: says that the Applicant must prove control of the domain, and implies that the CA is not allowed to do this themselves. When the CA is also the Applicant, the CA is directly performing the domain validation.

Tim suggests starting with a couple of troublesome use cases, such as the CA issuing a certificate to themselves. 


There’s a discussion on how permissive the requirements should or could be read. Trevoli suggests members take a fresh read through the BRs, specifically sections where “Applicant” is used, and come back fresh to the next meeting to help sort this out.


This will be the first topic on the next meeting.





Martijn Katerbarg



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20220829/477fd894/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6827 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20220829/477fd894/attachment-0001.p7s>

More information about the Validation mailing list