[cabf_validation] 2024-04-18 Minutes of the Validation Subcommittee [DRAFT]

Andrea Holland andreaholland at vikingcloud.com
Thu May 2 13:59:13 UTC 2024 

Hi All,

Below are the DRAFT minutes from the April 18th meeting of the Validation subcommittee.

Meeting: April 18, 2024

Attendance:
Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Aggie Wang (TrustAsia), Andrea Holland (VikingCloud), Ben Wilson (Mozilla), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), David Kluge (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Eva Vansteenberge (GlobalSign), Gregory Tomko (GlobalSign), Gurleen Grewal (Google), Inigo Barreira (Sectigo), Johnny Reading (GoDaddy), Joseph Ramm (OATI), Mahua Chaudhuri (Microsoft), Martijn Katerbarg (Sectigo), Michelle Coon (OATI), Miguel Sanchez (Google), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Pekka Lahtiharju (Telia Company), Rollin Yu (TrustAsia), Roman Fischer (SwissSign), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)

Approval of Minutes:
None

Agenda:

  1.  Status update on EVG automation improvement ballot - Ewa

  *   Waiting for additional feedback
  *   Updating to the new EVG format and looking for endorsers



  1.  Status update on 3.2.2.4 (7) improvement ballot - Corey

  *   Ballot language will be circulated next week and looking for endorsers



  1.  Discussion on dns-account-01 draft - Corey, Wayne, Aaron, Roman, and Doug

  *   https://datatracker.ietf.org/doc/draft-ietf-acme-scoped-dns-challenges/00/
  *   RFC draft is still in early process so we should not reference it
  *   Options are to wait for one more wave of the draft so it is more stable or create own ballot
  *   Own ballot would be modification to Method 7 to allow 2 underscore labels

     *   Concerns with two arbitrary underscore labels with no constraints

        *   Concern a CA changes to look for either double or single prefix and a subscriber doesn't change their behavior, so the subscriber CNAME delegates underscore DNS challenge to another DNS operator and that DNS operator can CNAME subdomains to others
        *   Concerns about constraint of _acmechallenge is mixing ACME validation with generic validation
        *   Low risk for allowing unconstrainted second underscore

     *   Ballot might be drafted to get feedback on adjustments



  1.  Identifying DTPs in the context of domain validation - Corey, Aaron, Roman, Dimitris, and Clint

     *   Recap Method 18 identified external DNS and proxy that performs http no controlled by CAs
     *   This discussion is limited on to what CAs can control
     *   Review the methods for any third party components first, then review the TP components and choose which to address
     *   Methods 18, 19, and 20 are similar with minor differences so the concerns will be the same
     *   Additional concern TLS interception as a service like HTTP proxy
     *   Method 7 other than the ones mentioned for 18, 19, and 20

        *   DTP they could use a DNS cache, but Cache on behalf of subscriber is fine, read through cache is a recursive resolver and look aside cache is unlikely

     *   Mehothd 18 should replace authorization domain name use for FQDN
     *   Action item: GitHub item for method 7 using authorization domain name with no noted guardrails

Next meeting May 2nd.

Adjourn
Regards,
Andrea





Company Registration Details
VikingCloud is the registered business name of Sysxnet Limited. Sysxnet Limited is registered in Ireland under company registration number 147176 and its registered office is at 1st Floor, Block 71a, The Plaza, Park West Business Park, Dublin 12, Ireland.

Email Disclaimer
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Sysxnet Limited is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt..
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240502/ab1765a6/attachment-0001.html>

More information about the Validation mailing list