[cabf_validation] 2024-06-13 Final validation-sc Meeting Minutes

Corey Bonnell Corey.Bonnell at digicert.com
Mon Jul 15 14:57:57 UTC 2024


These are the Final Minutes of the Teleconference described in the subject
of this message, prepared by Dimitris Zacharopoulos (HARICA).


Note-well


Corey read the note-well.




Attendees


Aaron Gable - (Let's Encrypt), Aaron Poulsen - (Amazon), Ben Wilson -
(Mozilla), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI), Dimitris
Zacharopoulos - (HARICA), Doug Beattie - (GlobalSign), Enrico Entschew -
(D-TRUST), Eva Vansteenberge - (GlobalSign), Gregory Tomko - (GlobalSign),
Johnny Reading - (GoDaddy), Joseph Ramm - (OATI), Mahua Chaudhuri -
(Microsoft), Martijn Katerbarg - (Sectigo), Michael Slaughter - (Amazon),
Michelle Coon - (OATI), Nate Smith - (GoDaddy), Paul van Brouwershaven -
(Entrust), Pedro Fuentes - (OISTE Foundation), Rebecca Kelly - (SSL.com),
Scott Rea - (eMudhra), Stephen Davidson - (DigiCert), Thomas Zermeno -
(SSL.com), Tobias Josefowitz - (Opera Software AS), Wayne Thayer - (Fastly),
Wendy Brown - (US Federal PKI Management Authority).


Agenda


Pedro proposed to discuss the role of QGIS when used as a validation source.

Enrico proposed to add an agenda topic for a proposal regarding section
7.1.2.7.7.


Approval of minutes


*	2024-05-16. Minutes were distributed. Members will have time to
review and approve at the next meeting.


1. Improving requirements for EV registration numbers (this is the topic we
didn't get to at the F2F)


Corey referred to a public incident in Bugzilla that inspired this proposal
and went through the summary of the issue. Registration Numbers apply only
to Private Organizations and the language in the EV Guidelines needs to be
more consistent.

The proposal tries to clarify the expectations for Registration Numbers for
Government Entities and other types.

Corey went through the draft language in
https://github.com/CBonnell/servercert/pull/6/files and provided
explanations of the changes.

Dimitris noted that the "Date of Formation" language in the Non-Commercial
Entity Subjects should also include the previous language regarding the
legal act of formation.

Corey agreed and noted that he doesn't intend to start a ballot soon so
there will be time for Members to evaluate and propose improvements or raise
concerns.

After discussing the concrete language improvements that are not effectively
changing any existing requirements, perhaps there is an opportunity to add
specific improvements, like mandating a specific date format, "appropriate
language to indicate the Subject is a Government/Non-Commercial Entity"?


2. Delegated Third Parties and DCV: where did this requirement come from and
how did we get here? (a discussion of the historical origins of this
requirement as it was deemed useful to have on our previous call on the DTP
topic)


Decided to spend time at the next meeting.


3. The role of the QGIS when used as a validation source


Aggregators or other governmental services can be used as verification
sources.

Registration or Incorporating Agencies do not always provide public access,
making it very difficult to use.

Pedro shared the proposed language in
https://github.com/cabforum/servercert/pull/510/files and walked through
the changes.

The proposal is to add the QGIS as an appropriate verification source in
addition to the Registration/Incorporation Agencies.

Dimitris noted that we must be careful with the aggregators for governmental
services and should not consider aggregators in general as QGIS.

Corey recommended starting an email thread to solicit feedback.


4. Proposed change to BRs section 7.1.2.7.7


Enrico described an issue with adding LDAP URLs in the CRLDP, and wants to
propose language to adjust the BRs to make this requirement clearer.

He shared a GitHub redline with language taken primarily from the S/MIME
BRs. The group agreed that the language in the S/MIME BRs seems clearer and
easier to read/implement.

Dimitris noted the use of the term "HTTP scheme" and asked if this is a used
term vs a "HTTPS scheme". Corey pointed to
https://datatracker.ietf.org/doc/html/rfc3986#section-3.1 which defines
those schemes.

Taking this opportunity for a ballot, the group suggested going through the
BRs and EVGs to make sure consistent language is used for HTTP/S "schemes"
to avoid any unintended errors. Enrico agreed with the task.

Martijn proposed adding "HTTP scheme" in the definitions section so it can
be used throughout the document. Dimitris proposed re-using the terminology
of RFC 3986, perhaps combined with a definition in section 1.6.1 which will
make it even more clear.

In terms of next steps, Enrico asked for some assistance to draft a ballot
and will start from a new branch on GitHub. Many members volunteered to
assist so Enrico can reach out to people for assistance with the process and
GitHub. The same applies for Pedro.


Adjourn


 
