[cabf_validation] Approved minutes for 2023-11-02 meeting
Corey.Bonnell at digicert.com
Fri Nov 17 12:47:51 UTC 2023
The minutes for the November 2nd validation-sc meeting as taken by Wayne and
approved on the November 16th call are below.
Validation Subcommittee - 2 November 2023
Attendees: Aaron Gable - (Let's Encrypt), Aaron Poulsen - (Amazon), Abhishek
Bhat - (eMudhra), Aneta Wojtczak-Iwanicka - (Microsoft), Ben Wilson -
(Mozilla), Bruce Morton - (Entrust), Cade Cairns - (Google), Chris Clements
- (Google), Christophe Bonjean - (GlobalSign), Clint Wilson - (Apple), Eva
Vansteenberge - (GlobalSign), Gregory Tomko - (GlobalSign), Janet Hines -
(VikingCloud), Joseph Ramm - (OATI), Keshava Nagaraju - (eMudhra), Michael
Slaughter - (Amazon), Michelle Coon - (OATI), Nargis Mannan - (VikingCloud),
Nate Smith - (GoDaddy), Rebecca Kelley - (Apple), Rollin Yu - (TrustAsia
Technologies, Inc.), Roman Fischer - (SwissSign), Ryan Dickson - (Google),
Scott Rea - (eMudhra), Tobias Josefowitz - (Opera Software AS), Trevoli
Ponds-White - (Amazon), Wayne Thayer - (Fastly), Wendy Brown - (US Federal
PKI Management Authority)
Wayne Thayer said that he would take minutes
Wayne read the note well statement.
The minutes from the 19-October meeting were approved.
1. Status update on multi-perspective domain validation
2. Continue backlog grooming
It was agreed to add a discussion on improvements to automation for EV
certificates as proposed by Christophe Bonjean on the mailing list.
1. Multi-perspective domain validation
Ryan Dickson said that they are still fielding comments on the existing PR,
and attempting to address all comments before moving into the discussion
period, which he hopes to begin in the next few weeks.
2. Discussion on improvements for automation in the context of
Christophe said that they are exploring automation in the context of EV
certificates, and there are a few areas that are ambiguous:
* Due diligence
* Final cross-correlation
Does it make sense for a human to review an automated domain validation?
What is in scope for the delegation of final cross-correlation. Can the
enterprise RA perform this?
Clint WIlson said that it is his opinion that EV cert issuance can be
automated under some circumstances. It would be good to review the phrasing
in the EVGLs and highlight the ambiguity. Just a few phrases are the souce
of most of the confusion.
Trevoli Ponds-White asked if Clint thinks EV can be automated without
changing the rules?
Clint said that he thinks EV issuance can currently be automated.
Wayne asked about the final cross-correlation and due diligence piece.
Clint said that he'd have to dig through the text to answer.
Ryan said that he is aware of some ACME endpoints intended to issue EV
Wayne said that using ACME doesn't automate the validation process. Trev
Clint clarified that issuance is what can be automated, but once that has
been completed the issuance of multiple certificates can be automated.
Eva Van Steenberge said that this discussion shows that the current language
is not clear
Bruce Morton said there have been similar comments on code signing. EV is
still close to the original spec from 2005 and incorporates a lot of manual
work. It may be time for an upgrade of the entire EVGLs.
Trev said that automating validation is where the value is. We should
consider a bigger upgrade, for instance maybe some data should be valid for
Clint said that there are boundaries to what is currently automatable. This
isn't a focus for Apple.
Eva said that they looked at this from the perspective of automating
validation, not just issuance. Some elements seem to hinder this.
Wayne said that there seems to be interest in this work, and proposed adding
a task for the backlog scoped to analyzing and clarifying the existing
Christophe said that he could add this to our backlog.
3. Backlog grooming
Wayne said that we'd start in the backlog where we left off at the last
- Workaround for DNS fragmentation attacks - Wayne said this came from an
academic paper. Will MPIC mitigate this?
Aaron Gable said that the attack allowed the authors to poison certain DNS
servers. It requires a global BGP attack so MPIC doesn't mitigate it.
Tobias Josefowitz said that he is not certain this refers to the attack that
Aaron described. This may not be mitigated by MPIC.
Ryan asked for a link to the paper and said that he would send it on to the
Wayne said that he'd do that.
Aaron said that MPIC does multiply the work and seems likely to mitigate
this in the same way it does other DNS poisoning.
- Validity period for Technically Constrained Sub-CA and validation period
for Domain Namespace - Wayne said that Ryan Sleevi filed this and it has to
do with the 'verified namespace' for an enterprise RA.
Clint said that this is on Apple's backlog. In particular clarifying that a
domain name in a technically constrained subCA needs to be revalidated on
the same cadence as any other domain name. Clint said that he hopes to work
in this in the next year.
- Analyze JOI disclosures resulting from ballot SC30 - Wayne said that this
was the next step after requiring CAs to validate this information.
Trev suggested we break the task down into smaller chunks. It was suggested
and agreed to ask DigiCert if they are interested in pursuing this.
- Permit the inclusion of LEIs in Subject fields - Bruce said that LEI may
be an alternative for the registration number in EV.
Trev said that this was discussed in the Spring and the decision was to
- Standardize State and Province names - Trev said that this is for states &
provinces not covered by ISO 3166-2. Are there undisputed countries that are
missing, or is this to resolve disputed territories?
- Create allow-list of Registration agencies used by CAs for EV JOI - Trev
said that this is the output of the earlier task to Analyze JOI disclosures.
- Ensure CAs are collecting sufficient data to investigate CAA errors - Trev
said that it's unclear if this is for CA's own investigations, or for the
forum to use the data. If the former, the guidelines should specify the
outcome but not the type of data to be collected.
Aaron said that the MPIC work introduces new rules that might help. Ryan
said that it's not detailed. Aaron said that this is likely related to a CAA
error 'outside the CA's infrastructure" and expressed interest in removing
that carve out.
- Prohibit the inclusion of dataEncipherment and keyAgreement KU bits -
Wayne said that this was deferred from the profiles ballot.
Wendy Brown asked if keyAgreement is needed for ECC.
Aaron said that keyAgreement is NOT RECOMMENDED in the current version of
Trev asked if these should be split into two tasks - one for RSA and one for
- Create a domain validation method that uses SVCB/HTTPS DNS RRs - there was
- "Certificate request" - Revisit usage - Ben WIlson said that there is
confusion between a request and a CSR.
- Clarify usage and requirements for random numbers - Aaron said that this
one is an active PR. Wayne noted that it is from 2018. Aaron suggested that
Michael Slaughter might be interested for the work on CA assisted domain
validation as this is related.
Clint said that the approach in the PR doesn't make the most sense.
Wayne said that he would close the issue.
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5231 bytes
Desc: not available
More information about the Validation