<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div dir="ltr">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"
id="gmail-m_7317359474464406643gmail-docs-internal-guid-d6623f6a-7fff-f441-dd01-cf3176061d08"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">These are the Final <span class="gmail-il">Minutes</span> of the Teleconference described in the subject of this message as prepared by Neil Dunbar.</span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Present:
Amanda Mendieta (Apple)
Andrea Holland (SecureTrust)
Andreas Hentschel (D-TRUST)
Ben Wilson (Mozilla)
Bruce Morton (Entrust Datacard)
Clint Wilson (Apple)
Corey Bonnell (SecureTrust)
Chris Kemmerer (SSL.com)
Curt Spann (Apple)
Daniela Hood (GoDaddy)
Dean Coclin (Digicert)
Doug Beattie (GlobalSign)
Dustin Hollenback (Microsoft)
Hazhar Ismail (MSC Trustgate)
Inaba Atsushi (GlobalSign)
Joanna Fox (GoDaddy)
Jos Purvis (Cisco Systems)
Karina Sirota (Microsoft)
Kirk Hall (Entrust Datacard)
Mads Henriksveen (Buypass AS)
Mayur Manchanda (Visa)
Michelle Coon (OATI)
Neil Dunbar (TrustCor Systems)
Niko Carpenter (SecureTrust)
Patrick Nohe (GlobalSign)
Pedro Fuentes (OISTE Foundation)
Rae Ann Gonzales (Godaddy)
Robin Alden (Sectigo)
Ryan Sleevi (Google)
Stephen Davidson (Digicert)
Tim Callan (Sectigo)
Tim Hollebeek (Digicert)
Tobias Josefowitz (Opera Software AS)
Trevoli Ponds-White (Amazon)
Wayne Thayer (Mozilla)
Wendy Brown (US Federal PKI Management Authority)
1. Roll Call
The Roll Call was taken. Wayne noted that Dimitris was on vacation and that he would chair the call.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda, assign minute taker
No changes to the agenda were noted. Neil Dunbar was assigned as minute taker. In the absence
of volunteers, Wayne will take the minutes of the next meeting.
4. Approval of minutes from last teleconference
Wayne had updated the attendee list of the draft minutes, and the updated minutes
were approved.
5. Validation Subcommittee Update
Tim Hollebeek provided the subcommittee update. Last Thursday, the team began work
on the end-entity certificate profiles, working through the fields one by one in the
order they appear in the Baseline Requirements. Some initial discussion was had for
several of the fields. That work will continue next week. Tim noted that the details
are too long to easily summarize, so that if interested parties wish to examine the
work, they should consult the online spreadsheet, or read the minutes of the
subcommittee meetings.
Wayne noted that the spreadsheet is linked from the wiki, under the Validation
Subcommittee page.
6. NetSec Subcommittee Update
Neil provided the subcommittee update.
Ballot SC34 on account management is prepared and ready for submission, although
has not been submitted to the full working group as yet.
We have begun some discussions on future plans for NetSec Requirements - specifically
if and how Cloud based CA Architectures can or should be supported; what policies
stop them right now, and what would be needed to comply with such policies.
This discussion is still preliminary and will go for some time.
The Offline CA discussion document has been refined - the exact terminology has been
refined so that the pre-ballot is now ready for discussion after agreement reached
last meeting. Submission to the main working group is expected in the next few days.
Pain points team has noted the discussion on moz.dev.sec.pol regarding sites
discovered to be engaged in phishing - and is discussing whether clarifications on
4.9.1.1 should be sought. No decision has been reached yet.
An older proposal to address the remediation of critical vulnerabilities,
per NSR Section 4(f) has been brought back. The team is trying to get clarity on
when the 96 hour timeframe starts from; which brought up further discussion on what
the vulnerability scanning and penetration testing should entail and what systems
it needs to touch. More of this matter will be discussed in the meeting today.
7. Ballot Status
Neil reported that SC28 is still on heartbeat until ready to be considered
per Dimitris's request. Wayne asked if it would be opened for consideration
in the next few weeks, and Neil replied that he hoped to do so.
There are no ballots in the voting period.
Wayne noted that SC30 (Disclosure of Registration and Incorporation Agencies )
and SC31 (Browser Alignment) have completed their review period. These ballots
are now final and the working group will produce new versions of the guidelines.
In review is Ballot SC33 (TLS Using ALPN Method), which replaces validation
method 10. The review ends on September 17th.
For draft ballots under consideration, Wayne asked Ryan for any comments on
this draft. Ryan reported that the ballot was going to be started but there
had been a slow trickle of corrections. Clint had provided some typographical
corrections which are being integrated and Corey had also submitted some
corrections. Ryan wanted to review the new document against the guidelines
amended by SC30 and SC31 which Dimitris had attempted to merge in, despite
his vacation. After this review, the Spring cleanup ballot should be ready
to start voting.
Also to be discussed was the updating of BR 6.1.1.3; Wayne thought that the
discussion was ballot ready at this point. Chris replied that they have
language, but they are reviewing the SC30/SC31 changes; Chris's ballot has
changes to both sections 6.1.1.3 and 4.9.1.1, but that some of the team reviewing
the changes is on PTO, and they should be able to push forward once those
members can look at the changes. Chris noted that the ballot language changes
showed no major deviations between version 1.7.0 and 1.7.1 of the BRs;
but the authors wanted to perform final checks - they are confident that
the ballot will be ready soon.
Wayne noted the Offline CA Security Requirements. Ben was on the call but
no update was able to be provided.
8. Any Other Business
There was no additional business.
9. Adjourn
The meeting was adjourned and will reconvene September 3, 2020 11:00 am Eastern Time
</span></p>
</div>
</body>
</html>