[cabf_validation] 2023-11-16 Approved Minutes

Corey Bonnell Corey.Bonnell at digicert.com
Thu Dec 14 17:36:32 UTC 2023 

2023-11-16 Validation-sc meeting minutes

 

Attendees: Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Andrea
Holland (VikingCloud), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cade
Cairns (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Dimitris
Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback
(Microsoft), Eva Vansteenberge (GlobalSign), Gregory Tomko (GlobalSign),
Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Johnny Reading
(GoDaddy), Joseph Ramm (OATI), Mads Henriksveen (Buypass AS), Martijn
Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI),
Miguel Sanchez (Google), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy),
Paul van Brouwershaven (Entrust), Rebecca Kelley (Apple), Rollin Yu
(TrustAsia Technologies Inc), Roman Fischer (SwissSign), Scott Rea
(eMudhra), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS),
Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal
PKI Management Authority)

 

Minute-taker: Corey

 

Corey read the Note Well.

 

The minutes of the November 2nd meeting were approved.

 

There was no update for the MPDV/MPIC work.

 

Michael Slaughter provided an update on the improvements to BR 3.2.2.4 (7).
Michael said he is in the process of adding the proposed text as a ballot to
Github. He also asked for any feedback on the language.

 

Eva gave a presentation
(https://url.avanan.click/v2/___https://lists.cabforum.org/pipermail/validat
ion/attachments/20231115/0dfe3d8f/attachment-0001.pdf___.YXAzOmRpZ2ljZXJ0OmE
6bzpjNTg4MzBiMTgwYzk5ZjM4MjBkZWYxNjJlZGFhYjkzNjo2OmI3ZjY6MDA0MzU2NDdmZTQ4ZGE
zNzFlZWJlMzQ3NjQ1YTFmM2Y3MjFmZTc2YjQ2ODA3Yzk2ODM2ZGFlZWMxMGRkYzExMDp0OkY
<https://url.avanan.click/v2/___https:/lists.cabforum.org/pipermail/validati
on/attachments/20231115/0dfe3d8f/attachment-0001.pdf___.YXAzOmRpZ2ljZXJ0OmE6
bzpjNTg4MzBiMTgwYzk5ZjM4MjBkZWYxNjJlZGFhYjkzNjo2OmI3ZjY6MDA0MzU2NDdmZTQ4ZGEz
NzFlZWJlMzQ3NjQ1YTFmM2Y3MjFmZTc2YjQ2ODA3Yzk2ODM2ZGFlZWMxMGRkYzExMDp0OkY> )
on improving the EV Guidelines to foster automation of processing
certificate requests.

 

The first area raised for discussion is the due diligence and
cross-correlation check. Eva asked for the group's interpretation whether
this check is required for all validation information, including domain
validation, or if it is more limited.

 

Aaron remarked that the intent should be that only manually validated
elements need to be checked. Roman did not agree, as he sees organizations
which operate domain names that do not match their organization name.

 

Dimitris agreed with Aaron that the intent is to double-check identity
information. He also commented that evidence of domain control (not
ownership) is sufficient.

 

Bruce suggested that all domain validation requirements in the EV Guidelines
should be removed such that they are solely defined in the BRs. Dimitris
said this is a good idea, as other groups have been using the EVGs to
prescribe identity validation. Dimitris also called the group to EVG section
11.8.4, which speaks to pre-authorized Certificate Approvers. Dimitris said
this section could be used to enable automation for EV issuance but his team
was not 100% certain and are still struggling with the EV Guidelines
language. Eva said that the interaction of that section and the due
diligence requirements make it unclear to the extent of checking required
when domains are added or removed from subsequent Certificate Requests.
Roman said that the validation checks for organizational identity and domain
validation are separate; no re-validation or re-checking is required.
Dimitris said we should clarify the requirement to only require due
diligence checking for identity validation so there is no room for
ambiguity.

 

Eva then presented the second topic, which is the Enterprise RA checks prior
to issuance. She questioned the value of the checks prescribed in section
14.2.2, as they are redundant with the checks performed by the CA. Bruce
remarked that if the CA does not permit the Enterprise RA to perform this
check and always do the check by the CA, then there is no redundancy. Eva
asked Bruce to explain how this works in more detail. Also, Doug asked how
the addition/removal of domains are handled in this case. Bruce clarified
that domains are tied to the Enterprise account and validated. Dimitris
noted this seems inconsistent, as Enterprise RAs would seemingly be no
different than a Subscriber. He said that if no one sees the value in this
old language, then we should just remove it or make it more reasonable.

 

The idea of "modernizing" the EVGs and extracting all domain validation
requirements was raised again. Section 11.7 was mentioned as a potential
area that needs to be removed. Martijn said that there are some requirements
concerning Onion Domain Names. Corey said that those requirements are
already in the BRs, so they can be removed. Bruce said that the mixed
character set requirements are vague, as they refer to a visual comparison.
Bruce said he'd like to work with interested folks in improving this area of
the requirements.

 

Eva asked for confirmation on these two points from the previous discussion:

 

1. The due diligence check only needs to cover the manual/identity
validation, not domain validation

2. The EVGs should be updated to remove all requirements for domain
validation and instead defer entirely to the BRs

 

Mads agreed with both points.

 

Clint asked if the purpose of the Enterprise RA due diligence check is to
have the Applicant organization verify its own details, as it is assumed it
is the best source of information? Bruce said the intent is unclear, as
there is no requirement to treat an Applicant as an Enterprise RA. Clint
said that if the CA treats an Applicant as an Enterprise RA, then the
requirements in 14.2.2 apply.

 

Dimitris asked for CAs who are currently issuing EV certificates via ACME to
provide their interpretation of the EVGs which support such automation.

 

Eva said that she'll be spearheading the work to improve the due diligence
requirements to decouple domain validation.

 

Meeting adjourned.

 

 

From: Management <management-bounces at cabforum.org
<mailto:management-bounces at cabforum.org> > On Behalf Of Corey Bonnell via
Management
Sent: Monday, November 27, 2023 10:34 AM
To: CABforum2 <management at cabforum.org <mailto:management at cabforum.org> >
Subject: [cabfman] 2023-11-16 Validation-sc draft minutes

 

2023-11-16 Validation-sc meeting minutes

 

Attendees: Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Andrea
Holland (VikingCloud), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cade
Cairns (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Dimitris
Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback
(Microsoft), Eva Vansteenberge (GlobalSign), Gregory Tomko (GlobalSign),
Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Johnny Reading
(GoDaddy), Joseph Ramm (OATI), Mads Henriksveen (Buypass AS), Martijn
Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI),
Miguel Sanchez (Google), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy),
Paul van Brouwershaven (Entrust), Rebecca Kelley (Apple), Rollin Yu
(TrustAsia Technologies Inc), Roman Fischer (SwissSign), Scott Rea
(eMudhra), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS),
Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal
PKI Management Authority)

 

Minute-taker: Corey

 

Corey read the Note Well.

 

The minutes of the November 2nd meeting were approved.

 

There was no update for the MPDV/MPIC work.

 

Michael Slaughter provided an update on the improvements to BR 3.2.2.4 (7).
Michael said he is in the process of adding the proposed text as a ballot to
Github. He also asked for any feedback on the language.

 

Eva gave a presentation
(https://url.avanan.click/v2/___https://lists.cabforum.org/pipermail/validat
ion/attachments/20231115/0dfe3d8f/attachment-0001.pdf___.YXAzOmRpZ2ljZXJ0OmE
6bzpjNTg4MzBiMTgwYzk5ZjM4MjBkZWYxNjJlZGFhYjkzNjo2OmI3ZjY6MDA0MzU2NDdmZTQ4ZGE
zNzFlZWJlMzQ3NjQ1YTFmM2Y3MjFmZTc2YjQ2ODA3Yzk2ODM2ZGFlZWMxMGRkYzExMDp0OkY
<https://url.avanan.click/v2/___https:/lists.cabforum.org/pipermail/validati
on/attachments/20231115/0dfe3d8f/attachment-0001.pdf___.YXAzOmRpZ2ljZXJ0OmE6
bzpjNTg4MzBiMTgwYzk5ZjM4MjBkZWYxNjJlZGFhYjkzNjo2OmI3ZjY6MDA0MzU2NDdmZTQ4ZGEz
NzFlZWJlMzQ3NjQ1YTFmM2Y3MjFmZTc2YjQ2ODA3Yzk2ODM2ZGFlZWMxMGRkYzExMDp0OkY> )
on improving the EV Guidelines to foster automation of processing
certificate requests.

 

The first area raised for discussion is the due diligence and
cross-correlation check. Eva asked for the group's interpretation whether
this check is required for all validation information, including domain
validation, or if it is more limited.

 

Aaron remarked that the intent should be that only manually validated
elements need to be checked. Roman did not agree, as he sees organizations
which operate domain names that do not match their organization name.

 

Dimitris agreed with Aaron that the intent is to double-check identity
information. He also commented that evidence of domain control (not
ownership) is sufficient.

 

Bruce suggested that all domain validation requirements in the EV Guidelines
should be removed such that they are solely defined in the BRs. Dimitris
said this is a good idea, as other groups have been using the EVGs to
prescribe identity validation. Dimitris also called the group to EVG section
11.8.4, which speaks to pre-authorized Certificate Approvers. Dimitris said
this section may be problematic for automation. Eva said that the
interaction of that section and the due diligence requirements make it
unclear to the extent of checking required when domains are added or removed
from subsequent Certificate Requests. Roman said that the validation checks
for organizational identity and domain validation are separate; no
re-validation or re-checking is required. Dimitris said we should clarify
the requirement to only require due diligence checking for identity
validation so there is no room for ambiguity.

 

Eva then presented the second topic, which is the Enterprise RA checks prior
to issuance. She questioned the value of the checks prescribed in section
14.2.2, as they are redundant with the checks performed by the CA. Bruce
remarked that if the CA does not permit the Enterprise RA to perform this
check and always do the check by the CA, then there is no redundancy. Eva
asked Bruce to explain how this works in more detail. Also, Doug asked how
the addition/removal of domains are handled in this case. Bruce clarified
that domains are tied to the Enterprise account and validated. Dimitris
noted this seems inconsistent, as Enterprise RAs would seemingly be no
different than a Subscriber. He said that if no one sees the value in this
old language, then we should just remove it or make it more reasonable.

 

The idea of "modernizing" the EVGs and extracting all domain validation
requirements was raised again. Section 11.7 was mentioned as a potential
area that needs to be removed. Martijn said that there are some requirements
concerning Onion Domain Names. Corey said that those requirements are
already in the BRs, so they can be removed. Bruce said that the mixed
character set requirements are vague, as they refer to a visual comparison.
Bruce said he'd like to work with interested folks in improving this area of
the requirements.

 

Eva asked for confirmation on these two points from the previous discussion:

 

1. The due diligence check only needs to cover the manual/identity
validation, not domain validation

2. The EVGs should be updated to remove all requirements for domain
validation and instead defer entirely to the BRs

 

Mads agreed with both points.

 

Clint asked if the purpose of the Enterprise RA due diligence check is to
have the Applicant organization verify its own details, as it is assumed it
is the best source of information? Bruce said the intent is unclear, as
there is no requirement to treat an Applicant as an Enterprise RA. Clint
said that if the CA treats an Applicant as an Enterprise RA, then the
requirements in 14.2.2 apply.

 

Dimitris asked for CAs who are currently issuing EV certificates via ACME to
provide their interpretation of the EVGs which support such automation.

 

Eva said that she'll be spearheading the work to improve the due diligence
requirements to decouple domain validation.

 

Meeting adjourned.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20231214/f9d2c551/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5231 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20231214/f9d2c551/attachment-0001.p7s>

More information about the Validation mailing list