[cabf_validation] 2023-04-06 Minutes of the Validation Subcommittee

Wayne Thayer wthayer at gmail.com
Thu Apr 6 22:58:56 UTC 2023


Validation Subcommittee – 6 April 2023

Attendees: Aaron Poulsen - (Amazon), Aneta Wojtczak-Iwanicka - (Microsoft), Ben Wilson - (Mozilla), Chris Clements - (Google), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Daryn Wright - (GoDaddy), Dimitris Zacharopoulos - (HARICA), Doug Beattie - (GlobalSign), Janet Hines - (VikingCloud), Johnny Reading - (GoDaddy), Joseph Ramm - (OATI), Li-Chun Chen - (Chunghwa Telecom), Michelle Coon - (OATI), Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Paul van Brouwershaven - (Entrust), Rebecca Kelley - (Apple), Rollin Yu - (TrustAsia Technologies, Inc.), Thomas Zermeno - (SSL.com), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management Authority)

Corey Bonnell read the attendance.

Corey read the note well statement.

Clint Wilson said that the minutes from the 23-March meeting are mostly done.

Dimitris Zacharopoulos asked if we had approved the minutes from the Ottawa F2F. Corey said that they had just been sent on Monday and asked if anyone needs more time to review them. No one requested more time, so F2F minutes were approved.

Today’s agenda

1. Status update on multi-perspective domain validation (if needed)
2. Follow-up discussion on Wayne’s CDN workflow write-up (if needed)
3. Resume discussion of the “traditional hosting provider” workflow write-up (we left off at step 12)
4. Start discussion of ACME workflow write-up (time permitting)

1. Multi-perspective domain validation

Chris Clements said that a follow-up meeting has been scheduled for 19-April and the agenda for that meeting will be sent out next week.

2. CDN workflow

Corey asked if any follow-up discussion was needed, and there was none.

3. Traditional hosting provider workflow

Corey shared the doc and started at step 12. He made a few clarifications to the doc based on the prior discussion.

In step 12 the CA completes domain validation, then the certificate is issued and can be downloaded by the Subscriber and sent to the hosting provider where it is manually or automatically installed on the web server.

Trevoli Ponds-White asked about the .zip file and Corey said that it was just an approach that he has seen.

Ben Wilson asked about Applicant and Subscriber versus hosting provider tasks.

Corey said that he considered this flow a base case where the Applicant is communicating with the CA and performing all the traditional responsibilities.

Trev said that this flow is not necessarily more or less complex.

Ben asked about a comment in the doc from Martijn that stated that there is an option for the hosting provider to perform more of the steps.

Corey responded to the comment stating that the ‘reseller’ flow will cover the option Martijn described.

Doug Beattie said that he has been busy but would work on the reseller flow.

Doug said that he thinks of a hosting provider as getting certificates on behalf of the user and having the ability to configure the domain validation step. Where would this flow be described?

Corey said that this flow represents a Subscriber that is hosting their own.

Trev suggested renaming the flow and Corey agreed to think about a better name.

Ben suggested ‘traditional historical model’.

Dimitris suggested documenting assumptions at the top of the doc. He said that one assumption of this flow is no automation.

Ben asked if we want to have a 3rd party involved. Step 16 had an admin at the hosting provider installing the cert, and that is good but it might contradict the documented assumptions.

Doug asked if this implies that SA obligations like protecting the private key are delegated?

Wendy Brown said that there was discussion about the private key not being compromised when the hosting provider has access to it.

Trev said that the private key is not compromised because the Subscriber has done due diligence about where and with whom the private key is stored.

Wendy said step 16 sounds like the key is handed over to another party.

Corey said that handing over the key is allowed because it is given to an authorized party. The key is generated by the Subscriber on the web server.

Ben suggested rewording step 16 to installing the certificate chain rather than the key.

Wayne Thayer suggested renaming the CDN flow to ‘modern’ or ‘automated’ hosting provider.

Trev said that ‘CDN’ is more clear.

Doug said that GlobalSign uses the term ‘service provider’ to describe automation. Trev agreed.

Trev said that these flows could be described as ‘webmaster makes the CSR’ and ‘service provider makes the CSR’.

Corey suggested ‘bring your own host’ for this flow, and ‘service provider’ for the CDN flow.

Chris asked what all the flows are that we identified? Traditional, CDN, reseller, ACME? Was there a 5th?

Corey recalled that ‘partner’ was split out from ‘reseller’.

4. ACME issuance flow

Corey shared the flow (link is on the wiki) and said that he would add assumptions.

Corey clarified the meaning of ‘ACME client’ and ‘ACME server’ by referencing RFC 8555.

Corey talked through the steps in the flow.

Doug said that there have been discussions about who DNS permissions may be delegated to, such as the CA. That part should be clarified.

Dimitris said that there was consensus in the past that CNAME delegation should not point back to the CA.

Doug said that this should be made explicit and referenced AWC CNAME logic described at https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html.

Clint said that a key component is that a separate entity is operating the CA.

Trev said that they are often separate legal entities. DNS can be delegated to whomever the Applicant wants. People don’t care. What is acceptable?

Dimitris said that Subscribers just want to get their site working the easiest way possible. Is there harm in delegating to the CA, and what are the risks?

Trev said that it would then work more like code signing, which we decided is more secure (allowing CA to create the CSR).

Wayne said that this is the most important issue to address from this work.

Trev said that we should have this discussion soon, and people should bring their concerns about CAs generating CSRs and having the ability to continually issue certs for a domain.

Corey and Doug said that we should first finish discussing these flows.

Next time we will discuss any other issuance flows that have been documented.

Meeting adjourned.

