<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.style-link-2t2gt
{mso-style-name:style-link-2t2gt;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1249075833;
mso-list-type:hybrid;
mso-list-template-ids:281309988 67698691 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1361855649;
mso-list-type:hybrid;
mso-list-template-ids:239390084 1689951532 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:1848667574;
mso-list-type:hybrid;
mso-list-template-ids:-241248100 1689951532 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3
{mso-list-id:2041935532;
mso-list-type:hybrid;
mso-list-template-ids:-2110477856 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.25in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;
font-family:Wingdings;}
@list l4
{mso-list-id:2049866895;
mso-list-type:hybrid;
mso-list-template-ids:-1133849836 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><div><p class=MsoNormal>Validation Minutes 2021-07-01<br><br>Tim read the Antitrust Statement.<br><br>## Attendees<br>Andrea Holland<o:p></o:p></p><p class=MsoNormal>Aneta Wojtczak<o:p></o:p></p><p class=MsoNormal>Corey Bonnell<o:p></o:p></p><p class=MsoNormal>Enrico Entschew<o:p></o:p></p><p class=MsoNormal>Janet Hines<o:p></o:p></p><p class=MsoNormal>Johnny reading<o:p></o:p></p><p class=MsoNormal>Kati Davids<o:p></o:p></p><p class=MsoNormal>Niko Carpenter<o:p></o:p></p><p class=MsoNormal>Paul van Brouwershaven<o:p></o:p></p><p class=MsoNormal>Ryan Sleevi<o:p></o:p></p><p class=MsoNormal>Shelley Brewer<o:p></o:p></p><p class=MsoNormal>Tim Hollebeek<o:p></o:p></p><p class=MsoNormal>Tobias Josefowitz<o:p></o:p></p><p class=MsoNormal>Trevoli Ponds-White<o:p></o:p></p><p class=MsoNormal>Wayne Thayer<o:p></o:p></p><p class=MsoNormal><br><br>Antitrust statement read.<o:p></o:p></p><p class=MsoNormal>Agenda<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:-.25in;mso-add-space:auto;mso-list:l3 level1 lfo1'>No Agenda<o:p></o:p></li></ul><p class=MsoNormal>Discussion topics follow:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>No progress on certificate profiles since the F2F<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Ballot 202<o:p></o:p></b></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>Ryan, Dimitris and Corey are working language<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>Adjusted definition of domain name (domain label <span style='font-family:Wingdings'>è</span> Domain Label, defined term)<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>IDNA versions discussion: Ryan and Corey agree<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>Ready to start discussion period next week.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>There are some changes, please review the changes and send comments to discussion list.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>See: <span class=style-link-2t2gt><span style='font-size:10.5pt;line-height:106%;font-family:"Arial",sans-serif;color:#049FD9;background:white'><a href="https://github.com/cabforum/servercert/pull/285">https://github.com/cabforum/servercert/pull/285</a></span></span><o:p></o:p></li></ul><p class=MsoNormal><b>General Profile discussion<o:p></o:p></b></p><p class=MsoNormal><u>Back and forward dating and how this interplays with CT</u><o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:-.25in;mso-add-space:auto;mso-list:l3 level1 lfo1'>Ryan working on this. Need deep review of this part of the profiles update.<o:p></o:p></li></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-.25in;mso-add-space:auto;mso-list:l3 level2 lfo1'>Not after is “simple” which is X after notBefore<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-.25in;mso-add-space:auto;mso-list:l3 level2 lfo1'>notBefore is more complicated<o:p></o:p></li></ul></ul><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='margin-left:-.25in;mso-add-space:auto;mso-list:l3 level1 lfo1'>Intermediates may need to be backdated to support replacements<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-.25in;mso-add-space:auto;mso-list:l3 level1 lfo1'>Add language based on past discussions of validations and hopefully reflects how we’re doing this today, or if we need to specify effective dates.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:-.25in;mso-add-space:auto;mso-list:l3 level1 lfo1'>First step is to get clear language in this ballot<o:p></o:p></li></ul><p class=MsoNormal><u>Does the current set of profiles support all use cases?<o:p></o:p></u></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:0in;mso-add-space:auto;mso-list:l4 level1 lfo3'>For example, are there special Infra structure certs with smart card login that we need profiles for, or are all certificate use cases clearly specified? Please send questions to the list if there are other profiles needed<o:p></o:p></li></ul><p class=MsoNormal>Aneta had 4 questions on profiles: <o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>The CP policies are in a specified order. Is there a specified order for AIA fields?<o:p></o:p></li></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>AIA: Does it need to be in specify order? <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>Ryan: The ordering does not matter. <o:p></o:p></li></ul></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><ul style='margin-top:0in' type=square><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo2'>The order of different access methods doesn’t matter<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo2'>The ordering for the same access method does matter<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo2'>If you have multiple CaIssuers (Access method), the order should be the order of the CAs preference (RFC 5280). We’d want the HTTP version first.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo2'>If you had 10 CaIssuers followed by 10 OCSP, that’s fine, or any mix and match,<o:p></o:p></li></ul></ul></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>Ryan to take action to provide clarity on this.<o:p></o:p></li></ul></ul><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>SKI is currently specified as “Should not” be present:<o:p></o:p></li></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>5280 says this (allows but indicates based on purpose), and since TLS should not need it, but eventually it may turn to MUST not. Are there reasons to keep it?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>If there are use cases, then include, but as a TLS certificate it should not be needed<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>Aneta asks if there are security risks with including it? Ryan, No. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>The Google Meta goal is that every extension in the profile must have a specific TLS purpose. Including SKI won’t be a security issue, but it adds 160+ bits (24 bytes) and that may matter for some http3 QUIC. If there is a reason we need it, then keep it, else let’s remove it. It will remain Should not for V1, but will consider MUST not for V2 unless specific TLS use cases can be defined.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>Ryan: V2 is where we can start removing unneeded extensions.<o:p></o:p></li></ul></ul><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>Can we put multiple URLs for CRL?<o:p></o:p></li></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>Ryan: A goal is to move to singular URLs. Today many CAs include multiple CLRs and mix http and LDAP.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>It would be good to address this because it does have processing impacts and effects. For CLRLs, you need to download all CRLs listed, so it has performance implications.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>Ryan to check language. Find balance between not changing too much.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>Tim: Some countries need their own, so there are legitimate cases where multiple are needed. In V2 we can narrow down, like LDAP links, there is not a reason for that.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>For now, multiple URLs will be allowed so language will be updated to permit this.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>CRL distribution point is a sequence of X with multiple URLs within general names.<o:p></o:p></li></ul></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><ul style='margin-top:0in' type=square><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo2'>So, 2 places where sequences can be multiple:<o:p></o:p></li></ul></ul></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><ul style='margin-top:0in' type=square><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level4 lfo2'>Multiple CRL distribution points, or multiple URIs within generalName<o:p></o:p></li></ul></ul></ul></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><ul style='margin-top:0in' type=square><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo2'>Idea is multiple CDPs each with one generalName<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo2'>Double check CT to see how it’s happening today.<o:p></o:p></li></ul></ul></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level2 lfo2'>Goal is to have one CRL<o:p></o:p></li></ul></ul><p class=MsoListParagraphCxSpMiddle><o:p> </o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo2'>Do OCSP responders need to have basic constraints? It’s marked as MUST for OCSP responder certificates but SHOULD NOT for TLS certificates<o:p></o:p></li></ul><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Ryan said that this needs to be a MUST because there are some implementations that need it to make sure it’s not a CA certificate.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>OCSP responder cert must not be treated as a CA cert, so Basic Constraints is a MUST.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Default encoding is CA default false. Need to clarify that/double check<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Tim: Basic constraint has no values since default is what we want, so it’s an empty extension<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'><u>For end entity certs</u>: 5280 (must appear in CA certs), but others are all MAY.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>In V1, make it SHOULD NOT<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>In V2, make MUST NOT and follow RFC5280, to save up to 9 bytes<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Tim: for OCSP responder we want to make it clear that this is not a CA certificate.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Ryan to check and make applicable updates.<o:p></o:p></li></ul><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Cory:<o:p></o:p></p><p class=MsoNormal style='background:white'><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'><a href="https://cabf.webex.com/cabf-en/url.php?frompanel=false&gourl=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc5280" target="_blank"><span style='font-size:10.5pt;color:#049FD9'>https://datatracker.ietf.org/doc/html/rfc5280</span></a></span><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:#4D4D4D'>#section-4.2.1.2</span><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#AEAEAF'>11:19</span><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:#4D4D4D'>"To assist applications in identifying the appropriate end entity certificate, this extension SHOULD be included in all end entity certificates."</span><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>If we intend to deviate from the RFCs, we should be clear if we prescribe something different in the BRs.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Ryan: Should we specify in the profiles where we deviate from 5280?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Corey, for example, the BRs support wildcards and this deviates and we call that out. Also, we have a should for AKI in self-signed root certificates (deviates). We might want to have a short statement somewhere acknowledging that this deviates from 5820.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Ryan to take a pass on that also.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Something less than every field, but call out unique items, and play with presentation of this in the spec. An appendix explaining non-normative decisions are to help CAs with guidance.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Ryan: We want to optimize certificate sizes for TLS and there there’s a tension between allowing CAs to optional include things that are useful for their users and browsers wanting to represent their users that don’t want optional fields. Will look into this and provide some general design guidance how those principles manifest within the profiles.<o:p></o:p></li></ul><p class=MsoNormal>Tim: We could add this to the preamble of the ballot. Ryan was planning to include this type of thing for the specific changes in this profile ballot, but there are other things and looking at all ballots and archives is not optimal, from a historical perspective.<o:p></o:p></p><p class=MsoNormal>One of the goals is to include what we need here so we don’t need to look at 5280. In some cases, we take more strict view (name constraints criticality).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Tim: should probably list exhaustively all changes since there are only a “few”. Ryan, probably lots of work and of questionable value.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ryan: come around to view the BRs as the BRs and include necessary RFC5280 items vs. needing to say: comply with 5280.<o:p></o:p></p><p class=MsoNormal>Tim: keep normative section clear and concise, and appendix can be in more detail (non-normative) without causing more confusion.<o:p></o:p></p><p class=MsoNormal>Ryan to put together some drafts for review on this topic.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Other topics:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Cory: Paul raised name constraints issue. Do we need a bigger discussion for v1? Breaks svr names.<o:p></o:p></p><p class=MsoNormal>Ryan: The BRs definition of technically constrained is limited to TLS certificate types (dnsName, IpAddress). Root programs that support more cert types like Email and srv name constraints to say it’s permitted where appropriate and ensure they do the right thing.<o:p></o:p></p><ul style='margin-top:0in' type=circle><li class=MsoListParagraph style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo5'>If you have an Email CA and want to issue that from a BR TLS CA that there are clear rules around that and that is where email and srv name constraints come in.<o:p></o:p></li></ul><p class=MsoNormal>V2 should include srv name support, and that is what Cory is asking if it’s not in current root programs. How do you specify that a CA cannot issue certs with SRV name certs? Ryan looking into this based on implication research.<o:p></o:p></p><p class=MsoNormal>Ryan will address and explain decision for srv name use and constraints. This is not unique to srv name constraints.<o:p></o:p></p><p class=MsoNormal>Uri name constraints for example vs. dns name constraints: Need to be clear and consistent on these constraints.<o:p></o:p></p><p class=MsoNormal>From Ryan: <a href="https://cabf.webex.com/cabf-en/url.php?frompanel=false&gourl=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F268" target="_blank"><span class=style-link-2t2gt><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:#049FD9;background:white;text-decoration:none'>https://github.com/cabforum/servercert/issues/268</span></span></a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Kati from GoDaddy:<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Shift from “should not” to “must not”: Is this a goal overall, or just in profiles?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Ryan: in this part, yes, just profiles, this is where we should move to MUST or MUST NOT.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>We should have good reasons for what we need or do.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:.25in;mso-add-space:auto;mso-list:l1 level1 lfo4'>Similar discussion on default allow vs. default deny<o:p></o:p></li></ul><p class=MsoNormal>2.1.1.9 Tim’s pet peeve: There is no clean term that “this is going away in the future”. Wishes this was a distinct verb.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>