<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0cm;
margin-right:0cm;
margin-bottom:8.0pt;
margin-left:0cm;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:8.0pt;
margin-left:36.0pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0cm;
margin-right:0cm;
margin-bottom:8.0pt;
margin-left:36.0pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EstiloCorreo17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
p.qt-qt-qt-qt-qt-qt-, li.qt-qt-qt-qt-qt-qt-, div.qt-qt-qt-qt-qt-qt-
{mso-style-name:qt-qt-qt-qt-qt-qt-;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:706612509;
mso-list-template-ids:1631070300;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:782503483;
mso-list-type:hybrid;
mso-list-template-ids:-2005248190 354867016 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ES link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Attendance: <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Aaron Poulsen (Amazon Trust Services), Adam Jones (Microsoft), Adrian Mueller (SwissSign), Andrea Holland (SecureTrust/VikingCloud), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Brittany Randall (GoDaddy), Bruce Morton (Entrust), Chris Clements (Google Chrome), Chris Kemmerer (SSL.com), Clint Wilson (Mozilla), Daryn Wright (GoDaddy), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Enrico Entschew (D-Trust), Janet Hines (SecureTrust/VikingCloud), Joanna Fox (TrustCor), Jos Purvis (Fastly), Inigo Barreira (Sectigo), Lynn Jeun (Visa), Mads Henriksveen (Buypass), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nargis Mannan (SecureTrust/VikingCloud), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE), Peter Miskovic (Disig), Rebecca Kelley (Apple), Ryan Dickson (Google Chrome), Tadahiko Ito (SECOM), Trevoli Ponds-White (Amazon Trust Services), Tyler Myers (GoDaddy), Vijay Kumar (eMudhra), Wayne Thayer (Fastly), Wendy Brown (FPKI)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Inigo read the antitrust statement<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Previous minutes<o:p></o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:0cm;mso-add-space:auto;mso-list:l1 level1 lfo1'><span lang=EN-US>October 13 – approved <o:p></o:p></span></li><li class=MsoListParagraphCxSpLast style='margin-left:0cm;mso-add-space:auto;mso-list:l1 level1 lfo1'><span lang=EN-US>October F2F – in progress<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-US>Validation Subcommittee – Wayne T.<o:p></o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraphCxSpFirst
style='margin-left:0cm;mso-add-space:auto;mso-list:l1 level1 lfo1'><span lang=EN-US>Final Changes to Certificate Profiles ballot<o:p></o:p></span></li><ul style='margin-top:0cm' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:0cm;mso-add-space:auto;mso-list:l1 level2 lfo1'><span lang=EN-US>Merged PR that forbids OUs in CA certificates<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0cm;mso-add-space:auto;mso-list:l1 level2 lfo1'><span lang=EN-US>Merged PR that has minor fixes, adding some ordering and encoding requirements for subject domain component attributes, removing overly specific cross cert requirements, fixing serial number encodings, clarifying main constraint extensions, and removing the domain name or IP address validation requirement. There was discussion around the last item because the definition of domain name is overly broad and there is concern that any word in the subject of a certificate would have to be validated as a domain name.<o:p></o:p></span></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:0cm;mso-add-space:auto;mso-list:l1 level1 lfo1'><span lang=EN-US>New type of DNS record - alternate service record (SVCB record). There was discussion on type and how certs can be domain validated against these records. We will create a work item to investigate use and method type.<o:p></o:p></span></li><li class=MsoListParagraphCxSpLast style='margin-left:0cm;mso-add-space:auto;mso-list:l1 level1 lfo1'><span lang=EN-US>Continue review of the terms applicant and applicant representative. Worked on Section 6.1.13 which includes a clause that says CAs May Not generate private key pairs for subscriber certificates. Discussion on whether the BRs allow CAs to generate private keys when the CA is also the subscriber, for instance with test website certificates.
Potential to add a phrase at the beginning of the BRs that would clarify that a CA could hold multiple roles if they were also requesting a certificate for their own use.<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-US>Ballot Status – Inigo B.<o:p></o:p></span></p><ul type=disc><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level1 lfo1'><span lang=EN-GB>Completed IPR<o:p></o:p></span></li><ul type=circle><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-GB>SC58 </span><span lang=EN-US>require distributionPoint in sharded CRLs - IPR completed on November 7<sup>th</sup></span><span lang=EN-US><o:p></o:p></span></li></ul><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level1 lfo1'><span lang=EN-GB>Passed<o:p></o:p></span></li><ul type=circle><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-GB>SC56 Cleanup ballot - IPR ends on November 30<sup>th</sup><o:p></o:p></span></li></ul><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level1 lfo1'><span lang=EN-US>Under consideration<o:p></o:p></span></li></ul><ul type=disc><ul type=circle><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l0 level2 lfo2'><span lang=EN-GB>SCXX Debian Weak Keys Ballot – Chris K.: seeking one more endorser<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l0 level2 lfo2'><span lang=EN-GB>SCXX SLO/Response for CRL &amp; OCSP Responses – Clint W.: still on hold, waiting for discussion brought up by Ryan Dickson on removing OCSP to conclude <o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l0 level2 lfo2'><span lang=EN-GB>SCXX Incorporation of Mozilla Revocation Reason Codes – Ben W.: Will send out a draft ballot for review prior to the discussion period<o:p></o:p></span></li></ul></ul><p class=qt-qt-qt-qt-qt-qt->Any Other<o:p></o:p></p><ul type=disc><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level1 lfo1'><span lang=EN-US>Ryan D.
– Two items on GitHub for discussion: making OCSP optional and incentivizing short lived certificates and automation. <o:p></o:p></span></li><ul type=circle><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Wayne T. – What is the impact of removing OCSP on OCSP stapling?<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Ryan D. – The intent of the proposal is that if CAs want to provide it to their clients because they feel it is an important security quality of TLS, then it is still encouraged and recommended. Given some of the other issues related to privacy concerns and the number of bugs related to operating a highly available resilient service, we want to leave it up to the CA if they want to make it available for their clients. <o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Wayne T. – My concern is CAs have a lot of incentive not to operate OCSP because it is an involved service. If a website operator wants to benefit from OCSP stapling, which gives the benefits of revocation, performance, and privacy, they won’t have the opportunity because their CA won’t provide it. <o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Trev – If a client wanted it they could go to a CA that supported it.<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Dimitris Z. – These are the baseline requirements so if someone wanted to go above and beyond to offer additional services, they are able to.<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Ryan D. – Similar scenario to EV, where some CAs support and some don’t. So those customers who want EV will use the CAs that support it.<o:p></o:p></span></li></ul><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level1 lfo1'><span lang=EN-US>Dimitris Z.
– Do we need to separate the ServerCert WG meeting and the Forum meeting? The Forum meeting has more people, it might be better to just swap the meeting times and those who want to stay on for the ServerCert can remain on the call.<o:p></o:p></span></li><ul type=circle><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Trev – The reason we had ServerCert first was more people would join that meeting. Now that we have more working groups it makes sense to revisit the meeting order.<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Inigo B. – Do we want to have a separate call for each?<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Martijn K. – We could switch to the next call earlier; that would address the automation for attendance gathering.<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Trev – We wouldn’t want to have a variable start time for the ServerCert working group.<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Inigo – If it was a set 30 minutes we would potentially wait 10 minutes for the next meeting.<o:p></o:p></span></li><li class=qt-qt-qt-qt-qt-qt- style='mso-list:l1 level2 lfo1'><span lang=EN-US>Dimitris Z. – I think most people wouldn’t want to wait and those attending the ServerCert will likely be attending the Forum call. Consensus is to switch the meeting order. I will also bring this up on the Forum call.<o:p></o:p></span></li></ul></ul><p class=qt-qt-qt-qt-qt-qt-><span lang=EN-US>Next meeting on November 24<sup>th</sup> is cancelled. Meeting will resume on December 8<sup>th</sup>.<o:p></o:p></span></p><p class=qt-qt-qt-qt-qt-qt-><span lang=EN-US>Adjourn <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></body></html>