<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix"><br>
Hi Inigo,<br>
<br>
These are draft minutes. According to the Bylaws they must first
be sent to the Member's list (i.e. "management"), and once
approved, they can be distributed to the Public list. Please read
the Bylaws and if you have any questions or if something is
unclear, we could discuss on the <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a> list.<br>
<br>
<br>
Thanks,<br>
Dimitris Zacharopoulos<br>
CA/B Forum Chair<br>
<br>
<br>
On 24/11/2022 2:13 PM, Inigo Barreira via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000184a98e76e1-60319920-b6f4-484d-abf8-e2c66fb78d82-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Attendance: <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Aaron Poulsen (Amazon
Trust Services), Adam Jones (Microsoft), Adrian Mueller
(SwissSign), Andrea Holland (SecureTrust/VikingCloud),
Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Brittany
Randall (GoDaddy), Bruce Morton (Entrust), Chris Clements
(Google Chrome), Chris Kemmerer (SSL.com), Clint Wilson
(Mozilla), Daryn Wright (GoDaddy), Dimitris Zacharopoulos
(HARICA), Dustin Hollenback (Microsoft), Enrico Entschew
(D-Trust), Janet Hines (SecureTrust/VikingCloud), Joanna Fox
(TrustCor), Jos Purvis (Fastly), Inigo Barreira (Sectigo),
Lynn Jeun (Visa), Mads Henriksveen (Buypass), Marco
Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nargis
Mannan (SecureTrust/VikingCloud), Paul van Brouwershaven
(Entrust), Pedro Fuentes (OISTE), Peter Miskovic (Disig),
Rebecca Kelley (Apple), Ryan Dickson (Google Chrome),
Tadahiko Ito (SECOM), Trevoli Ponds-White (Amazon Trust
Services), Tyler Myers (GoDaddy), Vijay Kumar (eMudhra),
Wayne Thayer (Fastly), Wendy Brown (FPKI)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Inigo read the antitrust
statement<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Previous minutes<o:p></o:p></span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoListParagraphCxSpFirst"
style="margin-left:0cm;mso-add-space:auto;mso-list:l1 level1
lfo1"><span lang="EN-US">October 13 – approved <o:p></o:p></span></li>
<li class="MsoListParagraphCxSpLast"
style="margin-left:0cm;mso-add-space:auto;mso-list:l1 level1
lfo1"><span lang="EN-US">October F2F – in progress<o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span lang="EN-US">Validation Subcommittee
– Wayne T.<o:p></o:p></span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoListParagraphCxSpFirst"
style="margin-left:0cm;mso-add-space:auto;mso-list:l1 level1
lfo1"><span lang="EN-US">Final Changes to Certificate
Profiles ballot<o:p></o:p></span></li>
<ul style="margin-top:0cm" type="circle">
<li class="MsoListParagraphCxSpMiddle"
style="margin-left:0cm;mso-add-space:auto;mso-list:l1
level2 lfo1"><span lang="EN-US">Merged PR that forbids OUs
in CA certificates<o:p></o:p></span></li>
<li class="MsoListParagraphCxSpMiddle"
style="margin-left:0cm;mso-add-space:auto;mso-list:l1
level2 lfo1"><span lang="EN-US">Merged PR that has minor
fixes, adding some ordering and encoding requirements
for subject domain component attributes, removing overly
specific cross cert requirements, fixing serial number
encodings, clarifying main constraint extensions, and
removing the domain name or IP address validation
requirement. There was discussion around the last item
because the definition of domain name is overly broad
and there is concern that any word in the subject of its
certificate is to be validated as a domain name.<o:p></o:p></span></li>
</ul>
<li class="MsoListParagraphCxSpMiddle"
style="margin-left:0cm;mso-add-space:auto;mso-list:l1 level1
lfo1"><span lang="EN-US">New type of DNS record - alternate
service record (SVCB record). There was discussion on type
and how certs can be domain validated against these
records. We will create a work item to investigate use
and method type.<o:p></o:p></span></li>
<li class="MsoListParagraphCxSpLast"
style="margin-left:0cm;mso-add-space:auto;mso-list:l1 level1
lfo1"><span lang="EN-US">Continue review of the terms
applicant and applicant representative. Worked on Section
6.1.13 which includes a clause that says CAs May Not
generate private key pairs for subscriber certificates.
Discussion on whether the BRs allow CAs to generate
private keys for when the CA is also the subscriber, for
instance with test website certificates. Potential to add
a phrase at the beginning of the BRs that would clarify
that a CA could hold multiple roles if they were also
requesting a certificate for their own use.<o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span lang="EN-US">Ballot Status – Inigo B.<o:p></o:p></span></p>
<ul type="disc">
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level1 lfo1"><span
lang="EN-GB">Completed IPR<o:p></o:p></span></li>
<ul type="circle">
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-GB">SC58 </span><span lang="EN-US">require
distributionPoint in sharded CRLs - IPR completed on
November 7<sup>th</sup></span><span lang="EN-US"><o:p></o:p></span></li>
</ul>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level1 lfo1"><span
lang="EN-GB">Passed<o:p></o:p></span></li>
<ul type="circle">
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-GB">SC56 Cleanup ballot - IPR ends on
November 30<sup>th</sup><o:p></o:p></span></li>
</ul>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level1 lfo1"><span
lang="EN-US">Under consideration<o:p></o:p></span></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l0 level2
lfo2"><span lang="EN-GB">SCXX Debian Weak Keys Ballot –
Chris K.: seeking one more endorser<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l0 level2
lfo2"><span lang="EN-GB">SCXX SLO/Response for CRL &amp;
OCSP Responses – Clint W.: still on hold, waiting for
discussion brought up by Ryan Dickson on removing OCSP
to conclude <o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l0 level2
lfo2"><span lang="EN-GB">SCXX Incorporation of Mozilla
Revocation Reason Codes – Ben W.: Will send out a draft
ballot for review prior to the discussion period<o:p></o:p></span></li>
</ul>
</ul>
<p class="qt-qt-qt-qt-qt-qt-">Any Other<o:p></o:p></p>
<ul type="disc">
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level1 lfo1"><span
lang="EN-US">Ryan D. – Two items on github for discussion:
making OCSP optional and incentivizing short lived
certificates and automation. <o:p></o:p></span></li>
<ul type="circle">
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Wayne T.– what is the impact of
removing OCSP on OCSP stapling?<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Ryan D. – The intent of the
proposal is if CAs want to provide it to their clients
because they feel it is an important security quality of
TLS then it is still encouraged and recommended. Given
some of the other issues related to privacy concerns and
the numbers of bugs related to operating a highly
available resilient service we want to leave it up to
the CA if they want to make it available for their
clients. <o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Wayne T.– My concern is CAs have
a lot of incentive not to operate OCSP because it is an
involved service. If a website operator wants to benefit
from OCSP stapling, which gives the benefits of
revocation, performance, and privacy, they won’t have the
opportunity because their CA won’t provide it. <o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Trev – If a client wanted it they
could go to a CA that supported it.<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Dimitris Z. – These are the
baseline requirements so if someone wanted to go above
and beyond to offer additional services, they are able
to.<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Ryan D. – Similar scenario to EV,
where some CAs support and some don’t. So those
customers who want EV will use the CAs that support it.<o:p></o:p></span></li>
</ul>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level1 lfo1"><span
lang="EN-US">Dimitris Z. – Do we need to separate the
ServerCert WG meeting and the Forum meeting? The Forum
meeting has more people, it might be better to just swap
the meetings times and those who want to stay on for the
ServerCert can remain on the call.<o:p></o:p></span></li>
<ul type="circle">
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Trev – The reason we had
ServerCert first was more people would join that
meeting. Now that we have more working groups it makes
sense to revisit the meeting order.<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Inigo B.- Do we want to have a
separate call for each?<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Martijn K. – We could switch to
the next call earlier that would address the automation
for attendance gathering.<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Trev - We wouldn’t want to have a
variable start time for the ServerCert working group.<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Inigo – If it was a set 30
minutes we would potentially wait 10 minutes for the
next meeting.<o:p></o:p></span></li>
<li class="qt-qt-qt-qt-qt-qt-" style="mso-list:l1 level2
lfo1"><span lang="EN-US">Dimitris Z.- I think most people
wouldn’t want to wait and those attending the ServerCert
will likely be attending the Forum call. Consensus is to
switch the meeting order. I will also bring this up on
the Forum call.<o:p></o:p></span></li>
</ul>
</ul>
<p class="qt-qt-qt-qt-qt-qt-"><span lang="EN-US">Next meeting on
November 24<sup>th</sup> is cancelled. Meeting will resume
on December 8<sup>th</sup>.<o:p></o:p></span></p>
<p class="qt-qt-qt-qt-qt-qt-"><span lang="EN-US">Adjourn <o:p></o:p></span></p>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</body>
</html>