<div dir="ltr">
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">All,</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Here are draft minutes from my notes for the Validation subcommittee meeting held Dec. 1, 2022.</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Ben</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Meeting of December 1, 2022</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Antitrust Statement:</b><span>
</span>Corey Bonnell read the Antitrust Statement<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Attendance:</b> <span> </span>Ben
Wilson, Thomas Zermeno, Martijn Katerbarg, Aneta Wojtczak, Paul van
Brouwershaven, Wayne Thayer, Pekka Lahtiharju, Chris Clements, Dimitris
Zacharopoulos, Johnny Reading, Corey Rasmussen, Tim Hollebeek, Clint Wilson,
Bruce Morton, Janet Hines, Corey Bonnell, <span></span>Tyler Myers, Michelle Coon, Rebecca Kelley,
Andrea Holland, Rollin Yu, Aaron Poulsen, Michael Slaughter, Stephen Davidson,
Tobias Josefowitz, Nargis Mannan, Joe Ramm, Trevoli Ponds-White<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Minutes:<span> </span></b>Minutes
of previous meeting Nov. 17<sup>th</sup> were recently distributed on the management
list.<span> </span>Minutes of the Validation sub-group
from the F2F meeting should be approved within this sub-group. They will be
approved during the next meeting of this sub-group.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Review of Agenda Topics<span></span></b></p>
<p class="gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0in 0.5in;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><span><span>1-<span style="font:7pt "Times New Roman"">
</span></span></span>Certificate Profiles ballot<span></span></p>
<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0in 1in;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><span><span>a.<span style="font:7pt "Times New Roman"">
</span></span></span>Subject Key Identifiers<span></span></p>
<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0in 1in;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><span><span>b.<span style="font:7pt "Times New Roman"">
</span></span></span>CPS qualifiers <span></span></p>
<p class="gmail-MsoListParagraphCxSpLast" style="margin:0in 0in 8pt 0.5in;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><span><span>2-<span style="font:7pt "Times New Roman"">
</span></span></span>Continued discussion of “Applicant” and
“Applicant Representative”, resuming in BR section 9.6.3<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Certificate Profiles Ballot<span></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Corey Bonnell reviewed <a href="https://github.com/cabforum/servercert/pull/406" style="color:rgb(5,99,193);text-decoration:underline">PR #406 in GitHub</a>.<span> </span>It brings the profiles ballot up to date with
ballots approved from the last couple of years.<span>
</span>Changes are extensive.<span> </span>There were
no objections to merging the PR into the Profiles branch on GitHub. Corey will
merge it.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Subject Key Identifiers (SKIs)<span></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul Van Brouwershaven has introduced the topic of SKIs by email
– “Section 7.1.2.7.6 (Subscriber Certificate Extensions) of the new certificate
profiles state that the inclusion of the subjectKeyIdentifier is NOT
RECOMMENDED, this contradicts section 4.2.1.2 (Subject Key Identifier) of RFC
5280 that states that entity certificates SHOULD include the SKI”. <span> </span><a href="https://lists.cabforum.org/pipermail/validation/2022-November/001832.html" style="color:rgb(5,99,193);text-decoration:underline">https://lists.cabforum.org/pipermail/validation/2022-November/001832.html</a><span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">RFC 5280 says that end-entity certificates SHOULD include
the SKI, whereas the currently drafted profiles ballot says it is NOT
RECOMMENDED, on the grounds that it is not particularly relevant and adds
bytes to the certificate. The objection is that this contradicts RFC 5280.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">The rationale behind the “SHOULD” apparently was that it could
help to quickly identify those certificates that are using the same key. However, RFC 5280 defines two methods to
calculate the SKI, so there is no guarantee that two certificates for the same key carry the same SKI value. Without the SKI in the certificate, a consumer would have to
calculate it separately from the public key. Some applications might use the SKI for some purpose. We should stay as close to RFC 5280 as
possible. There isn’t a good enough
reason to deviate from RFC 5280.</p>
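<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">The point about the two RFC 5280 methods is easier to see in code. The following is an added example, not part of the minutes or of any CA/Browser Forum document: it builds a minimal DER SubjectPublicKeyInfo around a constructed placeholder key (not a real RSA key), extracts the exact bytes RFC 5280 section 4.2.1.2 says to hash, derives the SKI by both method (1) and method (2), and shows that a SKI comparison reports “different key” for the same key when two issuers picked different methods, whereas hashing the whole SubjectPublicKeyInfo does not. The helper names and the sample bytes are this example’s own assumptions.</p>

```python
"""RFC 5280 section 4.2.1.2 gives two ways to derive a Subject Key Identifier
from the same public key.  This added example (not CA/Browser Forum code)
computes both and shows why a SKI match cannot be relied on to decide whether
two certificates carry the same key.  The sample key is constructed filler."""
import hashlib

# --- minimal DER helpers, enough to build and parse a SubjectPublicKeyInfo ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value

def der_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def build_spki(subject_public_key: bytes) -> bytes:
    """Wrap raw key bytes in a DER SubjectPublicKeyInfo (algorithm rsaEncryption)."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    bit_string = der_tlv(0x03, b"\x00" + subject_public_key)  # 0 unused bits
    return der_tlv(0x30, alg + bit_string)

def subject_public_key_from_spki(spki: bytes) -> bytes:
    """Return the BIT STRING value minus tag, length and the unused-bits octet:
    exactly the input RFC 5280 says to hash for both SKI methods."""
    tag, seq, _ = der_read_tlv(spki)
    assert tag == 0x30, "expected SEQUENCE"
    _, _, pos = der_read_tlv(seq)            # skip AlgorithmIdentifier
    tag, bits, _ = der_read_tlv(seq, pos)
    assert tag == 0x03, "expected BIT STRING"
    assert bits[0] == 0, "example only handles 0 unused bits"
    return bits[1:]

# --- the two methods from RFC 5280 section 4.2.1.2 ---

def ski_method1(subject_public_key: bytes) -> bytes:
    """Method (1): the full 160-bit SHA-1 hash of the subjectPublicKey value."""
    return hashlib.sha1(subject_public_key).digest()

def ski_method2(subject_public_key: bytes) -> bytes:
    """Method (2): the 4-bit type field 0100 followed by the least significant
    60 bits of the SHA-1 hash, giving an 8-octet identifier."""
    digest = hashlib.sha1(subject_public_key).digest()
    low_60 = int.from_bytes(digest[-8:], "big") & ((1 << 60) - 1)
    return ((0x4 << 60) | low_60).to_bytes(8, "big")

def same_key_by_ski(ski_a: bytes, ski_b: bytes) -> bool:
    """What a naive 'same key?' check based on the SKI extension would do."""
    return ski_a == ski_b

def same_key_by_spki(spki_a: bytes, spki_b: bytes) -> bool:
    """Issuer-independent comparison: hash the whole SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_a).digest() == hashlib.sha256(spki_b).digest()

# Constructed sample key bytes: placeholder filler, not a real RSA key.
SAMPLE_KEY = bytes(range(1, 65))

def demo() -> dict:
    spki_ca1 = build_spki(SAMPLE_KEY)   # hypothetical issuer 1 certifies this key
    spki_ca2 = build_spki(SAMPLE_KEY)   # hypothetical issuer 2 certifies the same key
    key = subject_public_key_from_spki(spki_ca1)
    ski1 = ski_method1(key)             # issuer 1 chose method (1)
    ski2 = ski_method2(key)             # issuer 2 chose method (2)
    return {
        "ski_method1": ski1.hex(),
        "ski_method2": ski2.hex(),
        "match_by_ski": same_key_by_ski(ski1, ski2),    # False: same key, different SKIs
        "match_by_spki": same_key_by_spki(spki_ca1, spki_ca2),  # True
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Method (2) keeps the low 60 bits of the same SHA-1 digest that method (1) uses in full, so the two identifiers are related but never equal in length or value; a consumer that keys a lookup on the SKI extension will therefore treat the same public key as two different keys whenever issuers differ in method, which is the reason the minutes note that the SKI gives no guarantee and that the key itself must be hashed to correlate certificates.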
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim H. – We should think long term about having one method
to calculate the SKI.<span> </span>We should deviate
from RFC 5280.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Dimitris – supports Paul’s position, although we use the SKI
in crt.sh, Censys, and other logs. <span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul – I prefer to keep in line with RFC 5280 if we can. If
we weaken it to a “MAY,” then at least we’re not saying “SHOULD NOT”.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Dimitris – unless there are strong reasons to diverge, then
we should stick with RFC 5280.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim – I have strong feelings that the “SHOULD” in RFC 5280 is
antiquated and that it would be a step backward.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Corey B. – Across the
ecosystem, the SKI cannot be used as the identifier.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">A straw poll was conducted. Most favored making it a “MAY” and
diverging from RFC 5280’s “SHOULD”.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>CPS Qualifiers <span></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul – it is much easier to find the relevant documentation
when there is a URL for the CPS in the certificate. This is the way to find the
relevant CPS associated with the certificate. Details in the CPS matter. It makes
it easier for relying parties.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim – unless we’re mandating it, it is not helpful across
the ecosystem.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Clint – For most CAs, the CPS pointer just goes to the legal
repository and in the certificate, it provides no value.<span> </span>It is a pointer to nothing and is not
helpful. There is way too much complexity in CA repositories.<span> </span>Making it “not recommended” is the correct
approach.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Ben – we just want to point people in the right direction. If
I want to look at the CPS for a certificate, then do I just go to a large
organization’s website? <span> </span>Will I be able
to find the CPS that way? If I have to use a search engine, will I find the
repository?<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Dimitris – it may be difficult to find, unless I have the
CPS URI – then I can just go there.<span>
</span>Researchers use this information.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul – if the link isn’t working, it should be considered a mis-issuance.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim – if the website is down, the URL is still correct. <span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Corey – if the CA issues it with a URL that it cannot
control, that might be mis-issuance.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim – that would be mis-issuance.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Trev – researchers will still be able to navigate to this
information and determine the applicable CP and CPS.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim – researchers have difficulty finding CPSes.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Clint – if someone goes to the legal repository, they still must
figure out which CPS applies to a given certificate. <span> </span>Relying parties will have difficulty
navigating the legal repositories.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul – it helps users identify useful information.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Bruce – we need to provide a way to tell relying parties about
our policies and practices.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul – it is for the users who are sophisticated enough to
find it.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim – do we have to pay an internet tax in bytes for these URLs
in certificates?<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul – we have something today that works, at least for those
users who are aware of it. <span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Tim – let’s increase use and reliance on the CCADB for
identifying CPSes.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Wayne – We are debating something not that relevant to
getting the profiles ballot out. Let’s
move this forward. Why can’t we leave it as
a “MAY”? Has a compromise been suggested
of allowing it in the intermediate CA?</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif">Paul – doing it in the ICA will at least provide people with
some way to locate a CA’s document repository.<span>
</span>Paul will work on a pull request.<span></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:"Calibri",sans-serif"><b>Meeting adjourned.</b></p>
</div>