<div dir="ltr"><div><b>Draft Minutes </b>- Please provide any comments, additions, or corrections.<b><br></b></div><div><br></div><div>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Validation Subcommittee of the Server Certificate Working
Group<span></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>7-October-2021<span></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Attendees:</b><span> </span>Ben
Wilson, Bruce Morton, Amanda Mendieta, Aneta Wojtczak, Tim Hollebeek, Clint Wilson,
Corey Bonnell, Janet Hines, Johnny Reading, Julie Olson, Kati Davids, Michelle
Coon, Niko Carpenter, Paul Van Brouwershaven, Rebecca Kelley, Ryan Sleevi,
Shelley Brewer, Stephen Davidson, Wayne Thayer, Tobias Josefowitz, Trev Ponds-White,
Tyler Myers<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Antitrust Statement</b> read by Tim<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Agenda topics</b>:<span>
</span>Validity Intervals for CRLs and Agenda for F2F Meeting<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Validity Intervals for CRLs <span></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Wayne noted that this topic originates from incident reports
filed over the past few weeks caused by some ambiguity in the requirements for
CRL lifetimes (the allowed time between thisUpdate and nextUpdate). This issue
affects both Root-issued CRLs and end-entity CRLs. Relevant sections of the
Baseline Requirements are sections 4.9.7 and 4.9.10. (Section 4.9.10 defines
time periods in seconds.) Section 4.9.7 says, “[For subscriber certificates] the
value of the nextUpdate field MUST NOT be more than ten days beyond the value
of the thisUpdate field” and <span> </span>“For the
status of Subordinate CA Certificates:<span> </span>The
CA SHALL update and reissue CRLs at least:<span>
</span>i. once every twelve months; …<span> </span>The
value of the nextUpdate field MUST NOT be more than twelve months beyond the value
of the thisUpdate field.” He proposed that the SCWG amend BR section 4.9.7 to
take language from section 4.9.10.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim, Corey and Ryan were in agreement that the language
needs to be cleaned up. <span> </span><span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Ryan suggested that the language should be in Section 7 for
the CRL and OCSP Profiles.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Bruce asked what CAs should do between now and the effective
date of the to-be-proposed ballot and whether they should file incident reports.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Corey said that CAs should not run right up to the maximum-allowed
timeframes, but BR section 4.9.7 does not currently mention the inclusive set. The
language only addresses the simple difference between the two fields. So, it is
not a clear violation of the BRs to issue a CRL with a validity period that has
an extra second. Ryan said that the issue is whether we’re talking about the
value or the period. Section 4.9.7 is talking about the value, and the
inclusiveness or exclusiveness of the nextUpdate is not addressed. <span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Ryan said that there is benefit to raising awareness of the issue
among members of the CA community with the filing of incident reports that are
resolved as “WONTFIX” – not an issue. It is helpful for CAs to disclose what
they’re doing, e.g., not running right up to maximum allowed periods. Also of
value is how clear CAs will state timeframes in their CPs and CPSes. There is a
benefit to transparency. Still, these incidents could be closed as non-issues.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Wayne noted that when a ballot to clarify this issue is
adopted, CAs with Root CRLs in this state should not be required to re-issue
them on an accelerated timeline. We should have ballot language that says, “For
CRLs signed after such-and-such date.” <span> </span><span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul noted that CAs should not be required to re-create 1-year
CRLs because of a 1-second difference when there is no associated security
issue.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Based on relative consensus, several people volunteered to
work on and/or endorse a ballot.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Agenda for F2F Meeting<span></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim noted that we have an hour assigned for discussion during
the face-to-face meeting next week. He will review the GitHub comments related
to Pull Request #36 (<a href="https://github.com/sleevi/cabforum-docs/pull/36" style="color:rgb(5,99,193);text-decoration:underline">https://github.com/sleevi/cabforum-docs/pull/36</a>)
and create a high-level summary of the main discussion points and accompanying
slides. <span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Aneta asked about how “effective dates” would be handled in
the ballot.<span> </span>There was debate between Ryan and Tim on whether
the ballot would have one all-encompassing effective date along with specific
effective dates. Ryan argued that a default effective date for the whole ballot would
lead to confusion, non-compliance, and added risks. As a counterargument, Tim argued that a variety of effective dates might be difficult for CAs to track. Tim offered to work on a proposal with Aneta and others. Ryan said that it would not be an easy fix. It was eventually suggested that it was
premature to decide the issue and that the issue would not be discussed at the
face-to-face meeting due to the short time allowed. In summary, it was recommended that people
review Pull Request #36 and identify/flag any new substantive/normative provisions
that might require different effective dates.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Meeting adjourned.<span></span></p>
</div></div>