<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-family:"Georgia",serif'>Published! Sorry for missing this one.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'>-- <br>Jos Purvis (</span><a href="mailto:jopurvis@cisco.com"><span style='font-size:9.0pt;font-family:Consolas;color:#954F72'>jopurvis@cisco.com</span></a><span style='font-size:9.0pt;font-family:Consolas;color:black'>)<br>.:|:.:|:. cisco systems | Cryptographic Services<br>PGP: 0xFD802FEE07D19105 | Controls and Trust Verification</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Servercert-wg <servercert-wg-bounces@cabforum.org> on behalf of CABF Server Cert WG <servercert-wg@cabforum.org><br><b>Reply-To: </b>"Dimitris Zacharopoulos (HARICA)" <dzacharo@harica.gr>, CABF Server Cert WG <servercert-wg@cabforum.org><br><b>Date: </b>Thursday, October 1, 2020 at 11:44 AM<br><b>To: </b>CABF Server Cert WG <servercert-wg@cabforum.org><br><b>Subject: </b>[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - September 17, 2020<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><br>These are the Final Minutes of the Teleconference described in the subject of this message.<o:p></o:p></p><h2>Attendees (in alphabetical order)<o:p></o:p></h2><p>Amanda Mendieta 
(Apple), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Chris McMillan (Visa), Clint Wilson (Apple), Chris Kemmerer (SSL.com), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dre Aremeda (GoDaddy), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Karina Sirota (Microsoft), Kirk Hall (Entrust Datacard), Mayur Manchanda (Visa), Michelle Coon (OATI), Michol Murray (GoDaddy), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Sissel Hoel (Buypass AS), Stephen Davidson (Digicert), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Vijayakumar (Vijay) Manjunatha (eMudhra), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).<o:p></o:p></p><h2>Minutes <o:p></o:p></h2><h3>1. Roll Call<o:p></o:p></h3><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The Roll Call was taken.<o:p></o:p></p><h3>2. Read Antitrust Statement<o:p></o:p></h3><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The Antitrust Statement was read.<o:p></o:p></p><h3>3. Review Agenda<o:p></o:p></h3><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>No changes to the agenda were noted. Dimitris took minutes for this meeting. Jos will take the minutes for the next call.<o:p></o:p></p><h3>4. Approval of minutes from last teleconference<o:p></o:p></h3><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Accepted without objections.<o:p></o:p></p><h3>5. 
Validation Subcommittee Update<o:p></o:p></h3><p class=MsoNormal>Doug provided a summary of the last subcommittee's meeting.<br><br>They focused on the TLS distinguished names tab of the Certificate Profile spreadsheet. The following attributes were reviewed:<o:p></o:p></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'>countryName<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'>stateOrProvinceName<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'>localityName<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'>streetAddress<o:p></o:p></li></ul><p class=MsoNormal>The goal was to simplify the current wording because the current language is quite complicated. It is also important to have a clear view of what's optional/conditional, and by separating those out it will be easier to read and consume the specs.<br><br>They briefly talked about profiling the subjectDN based on certificate types DV/OV/IV/EV to simplify things, but there was no decision on that. They will discuss further and review the validation rules about attributes, when it's optional/required.<br><br>The Subcommittee also discussed the conditional cases where the countryName is XX, there are conditional values based on localityName, to put the countryName in the stateOrProvince field and it gets quite complicated and convoluted. 
They will try to clarify in more straightforward English so it's easier to review.<br><br>Wayne added that they also touched upon issues discussed in the past, like allowing the countryName field in DV Certificates and whether that's a necessary thing, as well as cases where there are Countries with no localityName or StateOrProvince and how to handle those.<br><br>Subcommittee minutes: <a href="https://lists.cabforum.org/pipermail/validation/2020-September/001548.html">https://lists.cabforum.org/pipermail/validation/2020-September/001548.html</a><o:p></o:p></p><h3>6. NetSec Subcommittee Update<o:p></o:p></h3><p class=MsoNormal>Neil provided the update. The subcommittee tried to address some feedback they received from GitHub regarding SC34. They agreed that the scope of the ballot must be clear and this could be done by reordering some of the section 2 provisions.<br><br>They proposed some changes to the account lockout provisions.<br><br>Long discussion about modeling the threats related to zones and the issues related to the physical and logical zones. They will also replace SC32 which was abandoned.<br><br>There was some discussion on the offline CAs ballot and whether to proceed with it as-is or move some of the Trusted Roles language in the BRs on a separate ballot first. No decision has been made.<br><br>They also discussed some of the challenges of operating a cloud CA. They are building a discussion document that will be CA-specific requirements coming from the BRs vs other requirements like PCI-DSS, FedRAMP.<br><br>Touched on how to better use NSRs outside the SCWG for other Working Groups to use, because technically only SCWG members can contribute to that. There was some discussion on the call and some members raised concerns about IPR issues with Interested Parties and some scoping problems. 
<br><br>Jos mentioned that NCSSRs contribute mainly on things related to server certificates.<br><br>Ryan prefers the current NetSec Subcommittee to focus on Server Certificates and other Working Groups should probably create their own NetSec Subcommittees.<br><br>Subcommittee minutes: <a href="https://lists.cabforum.org/pipermail/netsec/2020-September/000398.html">https://lists.cabforum.org/pipermail/netsec/2020-September/000398.html</a><o:p></o:p></p><h3 style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in'>7. Ballot Status <o:p></o:p></h3><h4>Ballots in Discussion Period<o:p></o:p></h4><p class=MsoNormal><i><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>None.</span></i><br> <br><b>Ballots in Voting Period</b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>None.<br><br></span></i><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>Ballots in IPR Review Period</b><o:p></o:p></p><p class=MsoNormal><i><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>SC28: Logging and Log Retention </span></i><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>(Review ends October 14, 2020)</span><br><br><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>SC35: Cleanups and Clarifications </span></i><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>(Review ends October 14, 2020)</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>There was a short discussion about whether we should cancel 
the existing IPR Review Period for SC28 and SC35 since it included multiple ballots or not. It was decided to leave this IPR Review Period as is, and make sure we have a distinct IPR Review period per ballot going forward.<br><br></span><o:p></o:p></p><h4 style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in'>Draft Ballots under Consideration<o:p></o:p></h4><p class=MsoNormal><br><i><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>Minimum expectations regarding weak keys </span></i><span style='color:black;border:none windowtext 1.0pt;padding:0in;background:white'>(Chris)<br><br>Chris mentioned that there was some discussion on the public list regarding language beyond Subscriber Keys. There was also input from Corey Bonnel (SecureTrust), Aaron Gable (LetsEncrypt), Jacob Hoffman-Andrews (LetsEncrypt). Chris tried to craft some language to cover all use cases but the intent was not to include something that was not required. Chris will prepare a reply based on the latest feedback. <br><br><i>Offline CA Security Requirements </i>(Ben)<br>The official discussion period has not started for this ballot so it has not been assigned a ballot number yet.<br><br><i>Remove “zone” from NCSSRs and add provisions to BR 5.1 </i>(Ben)<br>This ballot needs a new number because SC32 failed.<br><br><i>SC34 Account Management </i>(Tobi)</span><br>No additional updates.<o:p></o:p></p><h3>8. Topics for the next virtual F2F<o:p></o:p></h3><p class=MsoNormal style='margin-bottom:12.0pt'>Dimitris asked for Members to propose new topics for the upcoming F2F.<o:p></o:p></p><h3 style='mso-margin-top-alt:1.0pt;margin-right:0in;margin-bottom:1.0pt;margin-left:0in'>9. Any Other Business<o:p></o:p></h3><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>No other business was discussed.<o:p></o:p></p><h3>10. 
Next call<o:p></o:p></h3><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The next call will take place on October 1, 2020 at 11:00am Eastern Time.<o:p></o:p></p><h3><span lang=DE>Adjourned</span><o:p></o:p></h3></div></body></html>