[cabf_validation] 2nd draft Minutes for the Validation Subcommittee Server Certificate Working Group Teleconference - July 14, 2022
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Jul 15 06:52:10 UTC 2022
This is the 2nd draft of the Minutes of the Teleconference described in
the subject of this message as prepared by Dimitris Zacharopoulos
(HARICA) and updated by Wendy Brown (FPKI).*
*
Please review the minutes and propose edits if necessary. These minutes
will be considered for approval at the next meeting. The recording of
the meeting will be deleted once the minutes are approved.
Attendees(in alphabetical order)
1. Aaron Poulsen - Amazon Trust Services
2. Andrea Holland - SecureTrust
3. Aneta Wojtczak - Microsoft
4. Ben Wilson - Mozilla
5. Chris Clements - Google
6. Clint Wilson - Apple
7. Corey Bonnell - Digicert
8. Dimitris Zacharopoulos - HARICA
9. Dustin Hollenback - Microsoft
10. Janet Hines - SecureTrust
11. Joanna Fox - TrustCor Systems
12. Joe Ramm - OATI
13. Michael Slaughter - Amazon Trust Services
14. Michelle Coon - OATI
15. Trevoli Ponds-White - Amazon Trust Services
16. Wayne Thayer - Fastly
17. Tobias Josefowitz - Opera
18. Tyler Myers - Godaddy
19. Wendy Brown - FPKI
Antitrust statement
The Antitrust Statement was read.
Approval of minutes
Two sets of meetings were approved:
* June 16, 2022
* June 30, 2022
Agenda
1. Review list of discussions at the F2F
(https://lists.cabforum.org/pipermail/validation/2022-July/001778.html)
2. Call for volunteers to draft language for the various items discussed
Minutes
Corey gave an update about the relocation of the profiles work that
moved to a cabf GitHub branch
https://github.com/cabforum/servercert/pull/373
Review of list of discussions at the F2F
Clint made a general comment that he wants to avoid a possible
misunderstanding that just because some requirements are more explicitly
stated in the new version doesn't mean that the requirements were not
existent in the current version. It should not be interpreted that if it
is now explicitly stated it's not already a requirement in existing
language. Some of those requirements are infered by normative RFCs and
other parts of the BRs.
Top-level effective date for new profile
No discussion.
Allow for previous version of the profile until new effective date
No discussion.
Defer prohibition on keyAgreement in ECDSA certs and
dataEncipherment until v2
For the prohibition of those two KeyUsages, Clint believes some
restrictions are already in place today because it should be considered
not just based on the KU and algorithm but also in combination of the
id-kp-serverAuth EKU. However, he's ok to defer to v2 but CAs must not
conflict with existing RFCs.
Add carve-out for multiple DC attributes (GRID)
Clint wants to address this and respond to the GRID community.
Corey mentioned that we should not include the DC in the SAN values and
restore ballot 110 language. Clint agreed.
Update subject attribute validation requirements to not require
3.2.2.4 validation for those fields whose validation steps are
documented in the BRs
Corey reminded that the issue was if a Domain Name is included in the
Certificate, what elements need to be validated. Clint understands that
addressing this issue may cause more issues than it resolves so he wants
to be careful.
Call for volunteers to draft language for the various items discussed
Dimitris offered to assist in the language for the DC attributes for the
GRID certificates.
Corey will reach out to Tim Hollebeek to try to take a stab on the first
two items. Clint can assist in those items too.
Aneta volunteered to draft language for the two Key Usages issue.
Corey will take a stab at the last one.
Wendy Brown asked about the request to make the AKI a SHOULD in the Root
Certificate. She had asked Microsoft employees who told her they had
checked with the CAPI team and were told that the path decision would be
based on other factors before CAPI would check whether the AKI was
present in a root certificate and matched the SKI in that certificate.
The exact response she received was: “If a cross-certificate is
preferred, it would be for other reasons and not the absence of the AKI
in the root. If the AKI isn’t present, then, the encoded Issuer and
Subject names must be identical in a root. I would expect other fields
in the cert, such as NotBefore/NotAfter to be used before AKI would even
be considered.”
Dustin said he would ask around but might not get a definitive answer.
Aneta mentioned that AKI/SKI is first checked for path building. If it
is not set, then the subject/issuerDN values are used. She will check
and confirm.
Clint: AKI matching/chain-building, here's an (older) article that
describes how AKI is used in some older Windows versions:
https://social.technet.microsoft.com/wiki/contents/articles/4954.windows-xp-certificate-status-and-revocation-checking.aspx#Path_Construction_and_Validation
Corey recalled Wendy asking a question about the policyConstraints
extension. Upcoming prohibition in OCSP responders might cause a problem
because the FPKI requires all Certificates to include a
certificatePolicies extension, including OCSP responder Certificates.
Dimitris asked whether the inclusion of the certificatePolicies
extension in an OCSP Responder Certificate is currently prohibited.
Wendy mentioned that it's not clearly restricted. Corey confirms that
there are no restrictions for the OCSP responder certificate profiles
except for the id-pkix-ocsp-nocheck (RFC6960) extension.
Corey said we can add future effective date for such a change. Clint
mentioned that this change should have its own effective date outside of
the top-level one.
Wendy asked about the Subject Information Access extension in Root
Certificates. Corey mentioned that it is a SHOULD NOT as captured by the
"any other extensions" clause in the BRs.
Any Other Business
Corey said there are other topics in the backlog. He was thinking that
we could split the first 30' to discuss about the profiles work and the
rest on other topics from the backlog.
He mentioned some topics:
* EV Guidelines pointing to the BRs for some common areas
* Delegation to the CA for Domain Validation
* Securing Domain Validations (RPKI, DNSSEC)
Clint mentioned his interest to discuss some OCSP SLA improvements.
Corey mentioned that this is work in progress at the NetSec WG and asked
Clint to ask on the servercert list.
Wayne said that if a person wants to drive discussion on a certain
topic, we should prioritize that topic. Clint agreed.
Dimitris mentioned that it might be a good idea to review a list of
currently open issues on the next call, remove topics that are no longer
interesting, add others that are of current interest, and prioritize.
Wayne and Corey agreed to proceed with this.
Wayne wanted to add an issue regarding methods 6 and 19 whether a CA
must follow HSTS directives. If they use HTTPS, should they properly
validate the certificate chain? What root store should they use? It's
not very clear in the current BRs but it might make sense to clarify in
a future revision of the BRs.
Corey thinks this is a good topic to discuss. By extension, some similar
questions apply to the Domain Validation methods related to the DNS
protocols.
Next call
scheduled for July 28th
Adjourned
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20220715/d069b40e/attachment-0001.html>
More information about the Validation
mailing list