[cabf_validation] Draft Minutes of Validation Subcommittee - Sept. 7, 2023

Ben Wilson bwilson at mozilla.com
Mon Sep 11 21:25:09 UTC 2023


*Validation Subcommittee Meeting of September 7, 2023*

*Notewell: *

Read by Corey Bonnell

*Attendance: *

Aaron Gable - ISRG, Aaron Poulsen - Amazon Trust Services, Andrea Holland -
VikingCloud, Aneta Wojtczak - Microsoft, Antonis Eleftheriadis - HARICA,
Ben Wilson - Mozilla, Bhat Abhishek - eMudhra, Bruce Morton - Entrust,
Clint Wilson – Apple, Corey Bonnell - DigiCert, Corey Rasmussen - OATI,
Dimitris Zacharopoulos - HARICA, Doug Beattie - GlobalSign, Dustin
Hollenback - Microsoft, Gurleen Grewal - Google Trust Services, Inigo
Barreira - Sectigo, Joe Ramm - OATI, Johnny Reading - GoDaddy, Keshava
Nagaraju - eMudhra, Li-Chun Chen - Chunghwa Telecom, Martijn Katerbarg -
Sectigo, Michelle Coon - OATI, Nargis Mannan - VikingCloud, Nate Smith -
GoDaddy, Paul van Brouwershaven - Entrust, Q Misell (Speaker/Invited
Guest), Rebecca Kelley - Apple, Rollin Yu - TrustAsia, Roman Fischer -
SwissSign, Scott Rea - eMudhra, Tobias Josefowitz - Opera, Wayne Thayer -
Fastly, Wendy Brown - U.S. Federal PKI

*Previous Minutes:*

Minutes for the August 10th meeting prepared by Aneta Wojtczak were
circulated August 23rd, and they were approved.

Minutes for the August 24th meeting, prepared by Andrea Holland, were
circulated on September 6th and will be approved at the next meeting.

*Agenda Items:*

·        Q Misell’s presentation on ACME for Onion/Tor

·        Review of To-Do List from February 2023


*Q Misell’s presentation: “ACME for Onions” and CAA for Onion Domain
Names*

See https://magicalcodewit.ch/cabf-2023-09-07-slides/

Q is working on defining a CAA extension for .onion domains.

See https://datatracker.ietf.org/doc/draft-ietf-acme-onion/ and
https://acmeforonions.org/

This will allow automated issuance of certificates to Tor hidden services
and give .onion names a DNS-like role from a WebPKI perspective.

Implementing with CAA provides consistency and reduces the risk of
misissuance.

Q reviewed how it works through the various layers of encrypted data.

.onion domains aren't in the DNS, so standard CAA records can't be used.
Instead, CAA records are encoded in the BIND zone file format in the second
layer hidden service descriptor.

A new field in the first layer hidden service descriptor signals that there
are CAA records in the second layer descriptor.
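As an added illustration (not from the slides or the draft), the following
Python sketch shows what a CA's CAA check on a hidden service would look like
under the two-layer scheme described above: a first-layer line signals that
CAA records exist, and the second layer carries zone-file-style records that
are evaluated with the usual RFC 8659/8657 rules. The sample descriptor text,
the line names "caa-critical" and "caa", and the validation method name used
in the sample are assumptions chosen for the example; check them against the
current draft before relying on them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample descriptors (not taken from the draft or the slides).
# Assumed line shapes: "caa-critical" in the first layer signals CAA data;
# the second layer carries BIND-style lines: caa <flags> <tag> "<value>".
FIRST_LAYER_WITH_CAA = "hs-descriptor 3\ncaa-critical\n"
FIRST_LAYER_NO_CAA = "hs-descriptor 3\n"
SECOND_LAYER = """
caa 0 issue "ca-a.example"
caa 0 issue "ca-b.example; validationmethods=onion-csr-01"
caa 0 iodef "mailto:security@example.onion"
"""


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # RFC 8659 "issuer critical" bit: a CA that does not understand
        # the tag must not issue.
        return bool(self.flags & 0x80)


CAA_LINE = re.compile(r'^caa\s+(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def parse_caa(second_layer: str) -> list[CAARecord]:
    """Extract CAA records from the decrypted second-layer descriptor text."""
    records = []
    for raw in second_layer.splitlines():
        m = CAA_LINE.match(raw.strip())
        if not m:
            continue  # every other descriptor line is irrelevant here
        flags = int(m.group(1))
        if flags > 255:
            raise ValueError(f"CAA flags out of range: {flags}")
        records.append(CAARecord(flags, m.group(2).lower(), m.group(3)))
    return records


def _parse_issue_value(value: str) -> tuple[str, dict[str, str]]:
    """Split 'issuer-domain; k=v; k=v' into the domain and its parameters."""
    domain, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return domain.strip().lower(), params


def issue_permitted(records: list[CAARecord], ca_domain: str, method: str,
                    wildcard: bool = False) -> bool:
    """RFC 8659 evaluation of a record set for one CA and one validation method."""
    known = {"issue", "issuewild", "iodef"}
    if any(r.critical and r.tag not in known for r in records):
        return False  # an unrecognised critical tag forbids issuance outright
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild overrides issue for wildcard names only
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no issue/issuewild records: any CA may issue
    for r in relevant:
        domain, params = _parse_issue_value(r.value)
        if domain != ca_domain.lower():
            continue  # covers the empty-domain form ";" which authorises no CA
        allowed = params.get("validationmethods")
        if allowed and method not in [m.strip() for m in allowed.split(",")]:
            continue  # RFC 8657: this CA may issue, but not via this method
        return True
    return False


def decide(first_layer: str, second_layer: Optional[str], ca_domain: str,
           method: str, wildcard: bool = False) -> bool:
    """Full decision: honour the first-layer signal before reading layer two."""
    signalled = any(ln.strip() == "caa-critical" for ln in first_layer.splitlines())
    if second_layer is None:
        # Second layer not decryptable (for example a client-authorised
        # service): the first-layer flag is all the CA can see, so a
        # signalled CAA policy it cannot read must block issuance.
        return not signalled
    return issue_permitted(parse_caa(second_layer), ca_domain, method, wildcard)
```

The point of the `decide` wrapper is the failure mode the first-layer flag
exists for: a CA that cannot open the second layer must treat a signalled but
unreadable CAA policy as "do not issue" rather than as "no records found".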


*Reviewed To-Do list from February 2023*

See
https://lists.cabforum.org/pipermail/validation/2023-February/001860.html

We discussed replacing "Applicant" with "Subscriber" in item 9 of section
4.9.1.1. Aaron G. expressed concerns about the language in the parentheses
(i.e. "no longer legally permitted"). For example, it’s unclear what
happens when a registrant for a gTLD fails to renew its assignment with
ICANN. How much detail do we want to get into in the parenthetical in this
section? And some examples don’t fall into the bucket of “no longer legally
permitted”. Aaron was also concerned about why a certificate should have
to be revoked if the domain is still valid in the DNS. Aaron might file an
issue in GitHub, or Corey may file one for the overall issue.

We also discussed replacing “Applicant” or “Subscriber” with
“Applicant/Subscriber” in some places of section 9.6.3. Dimitris proposed
that we split up the requirements between those applicable to
“Applicants” and those applicable to “Subscribers”. Wayne asked that we clarify the renewal
scenario and whether the entity is an applicant. Is the relationship
transactional (on a per-certificate basis), or does it depend on the
relationship between the CA and the entity? (In the BR definition of
“Applicant” we say that they are an applicant even when they are renewing a
certificate.)  Aaron G. said that in the ACME protocol, a subscriber is
someone who has agreed to the subscriber agreement, which you do when you
create an account, and who has had a certificate issued to them – then you
are a subscriber forever more.  But also, when you are obtaining new
certificates over a ten-year period, you are both a subscriber and an
applicant because you are applying for a new certificate now. Ben was
concerned that we don’t have sufficient consensus on how these concepts
should be expressed, and therefore it was too early to address them in the
upcoming “Subscriber Agreement” ballot that he and Dustin are working on.
Corey suggested that this issue be added to the agenda for an upcoming
meeting, such as a server certificate working group meeting or the
face-to-face.

Meeting adjourned.