[cabf_validation] Minutes of the Validation Subcommittee Teleconference June 13, 2024

Corey Bonnell Corey.Bonnell at digicert.com
Thu Jun 27 16:25:44 UTC 2024 

These are the Final Minutes of the Teleconference described in the subject of this message, prepared by Dimitris Zacharopoulos (HARICA) and approved on June 27th.


Note-well


Corey read the note-well.




Attendees


Aaron Gable - (Let's Encrypt), Aaron Poulsen - (Amazon), Ben Wilson - (Mozilla), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI), Dimitris Zacharopoulos - (HARICA), Doug Beattie - (GlobalSign), Enrico Entschew - (D-TRUST), Eva Vansteenberge - (GlobalSign), Gregory Tomko - (GlobalSign), Johnny Reading - (GoDaddy), Joseph Ramm - (OATI), Mahua Chaudhuri - (Microsoft), Martijn Katerbarg - (Sectigo), Michael Slaughter - (Amazon), Michelle Coon - (OATI), Nate Smith - (GoDaddy), Paul van Brouwershaven - (Entrust), Pedro Fuentes - (OISTE Foundation), Rebecca Kelly - (SSL.com), Scott Rea - (eMudhra), Stephen Davidson - (DigiCert), Thomas Zermeno - (SSL.com), Tobias Josefowitz - (Opera Software AS), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management Authority).


Agenda


Pedro proposed to discuss the role of QGIS when used as a validation source.

Enrico proposed to add an agenda topic for a proposal regarding section 7.1.2.7.7.


Approval of minutes


*	2024-05-16. Minutes were distributed. Members will have time to review and approve at the next meeting.


1. Improving requirements for EV registration numbers (this is the topic we didn’t get to at the F2F)


Corey referred to a public incident in Bugzilla that inspired this proposal and went through the summary of the issue. Registration Numbers apply only to Private Organizations and the language in the EV Guidelines needs to be more consistent.

The proposal tries to clarify the expectations for Registration Numbers for Government Entities and other types.

Corey went through the draft language in https://url.avanan.click/v2/___https://github.com/CBonnell/servercert/pull/6/files___.YXAzOmRpZ2ljZXJ0OmE6bzphMjkxNGFhMTM5NWViNDkzODQ2ZjUwY2YwNTgwNzE2ZDo2OjZhZTE6YWYwNWMxNjZhYjFhYTg2NmM3ZmQ2N2QzOTZhOTgyYWFmMmZjYzA1YmQ2ODFmZTMxODBlM2VjZGQ1ZDZkYjM4Yjp0OkY <https://url.avanan.click/v2/___https:/github.com/CBonnell/servercert/pull/6/files___.YXAzOmRpZ2ljZXJ0OmE6bzphMjkxNGFhMTM5NWViNDkzODQ2ZjUwY2YwNTgwNzE2ZDo2OmY3OGM6OTQ5MmE2NTBmYTRlMDRhMWEwYWNlNGFjYmMyMDk3ZDI2MjBjZjE4ZTBjMTc2ZTg2ZWVlOTMxMmU3YzFhZjAzNjpoOkY>  and provided explanations of the changes.

Dimitris noted that the "Date of Formation" language in the Non-Commercial Entity Subjects should also include the previous language regarding the legal act of formation.

Corey agreed and noted that he doesn't intend to start a ballot soon so there will be time for Members to evaluate and propose improvements or raise concerns.

After discussing the concrete language improvements that are not effectively changing any existing requirements, perhaps there is an opportunity to add specific improvements, like mandating a specific date format, "appropriate language to indicate the Subject is a Government/Non-Commercial Entity"?


2. Delegated Third Parties and DCV: where did this requirement come from and how did we get here? (a discussion of the historical origins of this requirement as it was deemed useful to have on our previous call on the DTP topic)


Decided to spend time at the next meeting.


3. The role of the QGIS when used as a validation source


Aggregators or other governmental services and can be used as verification sources.

Registration or Incorporating Agencies do not always provide public access, making it very difficult to use

Pedro shared the proposed language in https://url.avanan.click/v2/___https://github.com/cabforum/servercert/pull/510/files___.YXAzOmRpZ2ljZXJ0OmE6bzphMjkxNGFhMTM5NWViNDkzODQ2ZjUwY2YwNTgwNzE2ZDo2Ojk0Nzc6N2NlMTc4NDEzYzc2OWM0ZTNhMDAwOTc0ZTczNDEzYmViZDE1MGY3NGZiMTk3MThmOTJhNjBkYTliMmI1ZWE3Nzp0OkY <https://url.avanan.click/v2/___https:/github.com/cabforum/servercert/pull/510/files___.YXAzOmRpZ2ljZXJ0OmE6bzphMjkxNGFhMTM5NWViNDkzODQ2ZjUwY2YwNTgwNzE2ZDo2OjdmMGM6NTNiN2ZjZGY0NTQxNWRjZWRmNjdjOTk3NTI3MDY2OWIwMzk2Nzg3NmFjNDdiYTMyNzI5NGVmYjU3NjAyNzBkNDpoOkY>  and walked through the changes.

The proposal is to add the QGIS as an appropriate verification source in addition to the Registration/Incorporation Agencies.

Dimitris noted that we must be careful with the aggregators for governmental services and should not consider aggregators in general as QGIS.

Corey recommended starting an email thread to solicit feedback.


4. Proposed change to BRs section 7.1.2.7.7


Enrico described an issue with adding LDAP URLs in the CRLDP, and wants to propose language to adjust the BRs to make this requirement clearer.

He shared a github redline with language taken primarily from the S/MIME BRs. The group agreed that the language in the S/MIME BRs seems clearer and easier to read/implement.

Dimitris noted the use of the term "HTTP scheme" and asked if this is a used term vs a "HTTPS scheme". Corey pointed to https://url.avanan.click/v2/___https://datatracker.ietf.org/doc/html/rfc3986%23section-3.1___.YXAzOmRpZ2ljZXJ0OmE6bzphMjkxNGFhMTM5NWViNDkzODQ2ZjUwY2YwNTgwNzE2ZDo2OjkyMTQ6ODgzZGM3YWUxYTk1ZjU1MDAzZDcxNWUzYWI4MWY2NjQ3NzAwYTI4NGYxM2E3ZjViNjc3Yjk0NGJkMzE3YWZhZDp0OkY <https://url.avanan.click/v2/___https:/datatracker.ietf.org/doc/html/rfc3986%23section-3.1___.YXAzOmRpZ2ljZXJ0OmE6bzphMjkxNGFhMTM5NWViNDkzODQ2ZjUwY2YwNTgwNzE2ZDo2OmM0OTE6NTBlZjFhNzRhODlkYWU0MDYzODRhZjVhNTdiOGRkYjVjMzUyODY3ZDdkOGYxMjJlZTRlM2JiMmEyMmQzODgyNDpoOkY>  which defines those schemes.

Taking this opportunity for a ballot, the group suggested going through the BRs and EVGs to make sure consistent language is used for HTTP/S "schemes" to avoid any unintended errors. Enrico agreed with the task.

Martijn proposed adding "HTTP scheme" in the definitions section so it can be used throughout the document. Dimitris proposed re-using the terminology of RFC 3986, perhaps combined with a definition in section 1.6.1 which will make it even more clear.

In terms of next steps, Enrico asked for some assistance to draft a ballot and will start from a new branch on GitHub. Many members volunteered to assist so Enrico can reach out to people for assistance with the process and GitHub. The same applies for Pedro.


Adjourn

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240627/707177a5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5231 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240627/707177a5/attachment-0001.p7s>

More information about the Validation mailing list