[cabf_validation] 2024-03-21 Minutes of the Validation Subcommittee [DRAFT]

Aneta Wojtczak-Iwanicka anetaw at microsoft.com
Sun Apr 21 14:05:26 UTC 2024 

Hi All,

Below DRAFT minutes from the March 21st meeting of the Validation WG.

Meeting Notes: Validation Subcommittee Call
Participants:

  *   Tephen Davidson (DigiCert)
  *   Aaron Poulsen - Amazon Trust Services
  *   Clint Wilson
  *   Aggie Wang-TrustAsia
  *   David Kluge
  *   Scott Rea – eMudhra
  *   Thomas Zermeno - SSL.com
  *   Wayne Thayer
  *   Bhat Abhishek – eMudhra
  *   Cade Cairns - Google Trust Services
  *   Jay Wilson – Sectigo
  *   Michael Slaughter Amazon Trust Services
  *   Chris Clements - Google Chrome
  *   Rollin Yu – TrustAsia
  *   Martijn Katerbarg – Sectigo
  *   Miguel Sanchez GTS
  *   Pekka Lahtiharju / Telia
  *   Keshava N – eMudhra
  *   Tobias Josefowitz Opera
  *   Roman Fischer – SwissSign
  *   Trevoli Ponds-White - Amazon Trust Services
  *   Ben Wilson – Mozilla
  *   Corey Rasmussen OATI
  *   Greg Tomko – GlobalSign
  *   Dimitris Zacharopoulos (HARICA)
  *   Nome Huang-TrustAsia
  *   Nargis Mannan - Viking Cloud
  *   Eva Van Steenberge - GlobalSign
  *   Nate Smith – GoDaddy
  *   Ryan Dickson Google Chrome
  *   Inigo Barreira
  *   Michelle Coon (OATI)
  *   Joe Ramm OATI
  *   Aneta Wojtczak - Microsoft


Meeting Agenda:

  1.
Wayne Thayer read the note well statement

  2.  Approval of Previous Minutes
     *
Approval of minutes from March 7th, which were sent out by Janet on March 17th, was approved without objections.

  3.  Status update for MPIC
     *
Chris Clements (Google Chrome) reported on the recent initiation of the public discussion regarding the MPIC ballot, which started on a Monday (March 18th , 2024). He noted that feedback from Dimitris suggested extending the original discussion period. As a result, the discussion period was extended from 21 days to at least 30 days to allow ample time for stakeholders to consult with their legal teams concerning related to the IP disclosure commitments. The current public discussion period was scheduled to conclude in the second half of April, followed by any subsequent periods necessary for further deliberations.
     *
Wayne Thayer expressed enthusiasm about the progress of the MPIC ballot and encourage everyone to take a look at it.

      4. Status update for EVG automation language improvements (Comparing cabforum:main...chrisbn:improve-evg-automation-issue-467 · cabforum/servercert · GitHub<https://github.com/cabforum/servercert/compare/main...chrisbn:servercert:improve-evg-automation-issue-467>)

     *   Eva Van Steenberge (GlobalSign) detailed the structural changes made to the automation language, focusing on the differentiation between text revisions from the last face-to-face meeting and the current version. Significant emphasis was placed on aligning the text with practical requirements and making it more user-friendly by simplifying the language and restructuring content for clarity.
     *   Reference to due diligence and cross-correlation: Eva Van Steenberge explained the necessity of ensuring all validation steps not only comply with EV guidelines but also consistently support the issuance of certificates. The language there was adjusted to make it less like definition and more like a requirement. There was a reference added what was out-scoped (rather than verification of “Domain Name(s)).
     *   Dimitris Zacharopoulos recommended to leave is with a reference to 11.7. (Due diligence and domain validation 11.13 slide)
     *   In regards to domain validation and cross-correlation - there was a discussion between Eva, Tobias, Dimitris and Ben about linking between the organization name and the domain name. Group decided to leave it out for now and come back to this discussion later if required.
     *   Requirements for Re-use of existing Documentation (11.14) – Eva added references in this section. Minor tweaks. There was some feedback received about too restrictive language but they have not received a proposal for alternative language, so Eva encouraged to provide the feedback.
     *   Separation of Duties (14.1.3) – Eva Van Steenberge mentioned that there were a few small changes. The refence was included and some language changes were made.
     *
Detailed feedback was provided by Ben Wilson regarding the interpretation and implications of due diligence definitions. The discussion emphasized the need for clarity to prevent future misunderstandings.

      5. DNS Validation Improvements (3.2.2.4.7) (Proposal: Modify section 3.2.2.4.7 to allow CA Assisted DNS Validation by slghtr-says · Pull Request #1 · slghtr-says/servercert · GitHub<https://github.com/slghtr-says/servercert/pull/1/files>)

     *   Michael Slaughter (Amazon Trust Services) provided updates on the feedback incorporated into DNS validation improvements. He detailed the upcoming steps for introducing these changes to the Certificate Server working group and mentioned a timeline for further review and finalization.
     *
Michael put out a last call for additional feedback, with a plan to introduce the revised language by April 4th.


       6. Identifying DTPs in the context of domain validation

     *   Wayne Thayer led a discussion on identifying delegated third parties in the context of domain and IP address validation. The group discussed methods to evaluate and prioritize based on usage and importance, with an emphasis on those required by Apple first (Clint Wilson: as of August 15th this year Apple will require all TLS providers to support at least 1 of 4 specific methods 7, 18, 19, 20).
     *   Dimitris Zacharopoulos suggested that after discussing those 4 methods (7, 18,19, 20), the one where email is sent should be prioritized (method 2 and 4).
     *   Michael Slaughter suggested that method 13 and 14 should be included in the next set suggested by Dimitris.
     *   Wayne Thayer asked if group wants to evaluate a method when a phone call is in use.
     *   Dimitris Zacharopoulos responded that for the consistency group should evaluate those ones as well and asked if we are allow to use SMS providers that are sending messages to cell phones.
     *   Wayne Thayer responded that this would encompass method 2 as well since it includes fax and SMS.
     *   Wayne Thayer said next methods to discuss will 15 and 16 this will covers pretty much all the methods.
     *   Dimitris Zacharopoulos stated that there is 3.2.2.4.8 (Confirming the Applicant’s control over the FQDN by confirming that the Applicant controls an IP
     *   address returned from a DNS lookup for A or AAAA records for the FQDN in accordance with Section 3.2.2.5).
     *   Wayne Thayer noticed that the one method that the group has not covered is method 12 validating the applicant as a domain contact and this is a special method where the is also a domain name register. Wayne Thayer stated: It's not immediately apparent to me that delegated 3rd parties play much of a role in that method.
     *   Dimitris Zacharopoulos agreed.
     *   Wayne Thayer: summarized the prioritization: the 4 methods that Apple is going to require. The methods that require email validation, the methods that require telephone or SMS validation and then anything else that’s remaining.

       7. Identifying DTPs in the context of IP address validation

     *   Wayne Thayer listed the methods: agreed upon change to a website, email fax SMS or postal mail to IP address contact, reverse address lookup, phone contact and ACME.
     *   Wayne Thayer asked whether we are going to cover some of those methods as we do the review for domain names. It seems like change to website and two ACME methods. Do we think we need to do a separate analysis of these in the context of IP addresses? It looks like delegated 3rd parties would not be any different whether it's a domain name or an IP address.
     *   Michael Slaughter said that he does not see the difference.
     *
Wayne Thayer stated that it makes sense to group those methods in with the domain name reviews. When we review the Acme methods for domain names we will also consider IP addresses, so that would put the 2 ACME methods in the 1st group as well agreed upon change to website. And then it would put the email fax SMS or postal mail and the 2nd group. Then there's a phone contact, which would be in the 3rd group. Then the only thing that's left is the reverse address lookup mechanism which could fall in the final group.


       8. Meeting adjourned.


Thanks,
Aneta
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240421/e230f1a8/attachment-0001.html>

More information about the Validation mailing list