<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof"><span style="color: rgb(36, 36, 36); font-family: Calibri, sans-serif; font-size: 14.6667px;" class="elementToProof">> A straw poll was conducted. Most favored making it a "MAY" and diverging from RFC 5280’s “SHOULD”.</span><br>
</div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><span style="color:rgb(36, 36, 36);font-family:Calibri, sans-serif;font-size:14.6667px;background-color:rgb(255, 255, 255);display:inline !important" class="ContentPasted0">The
poll was asking SHOULD NOT &lt;&gt; MAY, so we did not ask if people agree to <span style="background-color:rgb(255, 255, 255);display:inline !important" class="ContentPasted1">diverge from RFC 5280 or not; the only option in this poll was to diverge from the standard.</span></span></span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><span style="color:rgb(36, 36, 36);font-family:Calibri, sans-serif;font-size:14.6667px;background-color:rgb(255, 255, 255);display:inline !important" class="ContentPasted0"><span style="background-color:rgb(255, 255, 255);display:inline !important" class="ContentPasted1"><br>
</span></span></span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><span style="color:rgb(36, 36, 36);font-family:Calibri, sans-serif;font-size:14.6667px;background-color:rgb(255, 255, 255);display:inline !important" class="ContentPasted0"><span style="background-color:rgb(255, 255, 255);display:inline !important" class="ContentPasted1">Can
we clarify this in the minutes?</span></span></span></div>
<div class="elementToProof"><br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Validation &lt;validation-bounces@cabforum.org&gt; on behalf of Ben Wilson via Validation &lt;validation@cabforum.org&gt;<br>
<b>Sent:</b> Friday, December 2, 2022 22:58<br>
<b>To:</b> CA/Browser Forum Validation SC List &lt;validation@cabforum.org&gt;<br>
<b>Subject:</b> [EXTERNAL] [cabf_validation] Draft Minutes of Discussions on December 1, 2022</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
All,</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Here are draft minutes from my notes for the Validation subcommittee meeting held Dec. 1, 2022.<br>
</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Ben<b><br>
</b></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b><br>
</b></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>Meeting of December 1, 2022<span></span></b></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>Antitrust Statement:</b><span> </span>Corey Bonnell read the Antitrust Statement<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>Attendance:</b> <span> </span>Ben Wilson, Thomas Zermeno, Martijn Katerbarg, Aneta Wojtczak, Paul van Brouwershaven, Wayne Thayer, Pekka Lahtiharju, Chris Clements, Dimitris Zacharopoulos, Johnny Reading, Corey Rasmussen, Tim Hollebeek, Clint Wilson, Bruce
Morton, Janet Hines, Corey Bonnell, <span></span>Tyler Myers, Michelle Coon, Rebecca Kelley, Andrea Holland, Rollin Yu, Aaron Poulsen, Michael Slaughter, Stephen Davidson, Tobias Josefowitz, Nargis Mannan, Joe Ramm, Trevoli Ponds-White<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>Minutes:<span> </span></b>Minutes of the previous meeting (Nov. 17<sup>th</sup>) were recently distributed on the management list.
Minutes of the Validation sub-group from the F2F meeting should be approved within this sub-group; they will be approved during the next meeting of this sub-group.</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>Review of Agenda Topics<span></span></b></p>
<p class="x_gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0in 0.5in; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<span><span>1-<span style="font:7pt "Times New Roman""> </span></span></span>Certificate Profiles ballot<span></span></p>
<p class="x_gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0in 1in; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<span><span>a.<span style="font:7pt "Times New Roman""> </span></span></span>Subject Key Identifiers<span></span></p>
<p class="x_gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0in 1in; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<span><span>b.<span style="font:7pt "Times New Roman""> </span></span></span>CPS qualifiers
<span></span></p>
<p class="x_gmail-MsoListParagraphCxSpLast" style="margin:0in 0in 8pt 0.5in; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<span><span>2-<span style="font:7pt "Times New Roman""> </span></span></span>Continued discussion of “Applicant” and “Applicant Representative”, resuming in BR section 9.6.3<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>Certificate Profiles Ballot<span></span></b></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Corey Bonnell reviewed <a href="https://urldefense.com/v3/__https://github.com/cabforum/servercert/pull/406__;!!FJ-Y8qCqXTj2!fNBUI2O2BopvZap8XVLC4GIIG2sFUW7ZwKcJUaY0dGohU1X6E4B_QDMo962Bnr-B9toy1toz3E7nqYswwaCbKLw8Aum41J5x$" style="color:rgb(5,99,193); text-decoration:underline">
PR #406 in GitHub</a>.<span> </span>It brings the profiles ballot up to date with ballots approved from the last couple of years.<span>
</span>Changes are extensive.<span> </span>There were no objections to merging the PR into the Profiles branch on GitHub. Corey will merge it.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>Subject Key Identifiers (SKIs)<span></span></b></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Paul van Brouwershaven introduced the topic of SKIs by email – “Section 7.1.2.7.6 (Subscriber Certificate Extensions) of the new certificate profiles states that the inclusion of the subjectKeyIdentifier is NOT RECOMMENDED; this contradicts section 4.2.1.2
(Subject Key Identifier) of RFC 5280 that states that entity certificates SHOULD include the SKI”.
<a href="https://urldefense.com/v3/__https://lists.cabforum.org/pipermail/validation/2022-November/001832.html__;!!FJ-Y8qCqXTj2!fNBUI2O2BopvZap8XVLC4GIIG2sFUW7ZwKcJUaY0dGohU1X6E4B_QDMo962Bnr-B9toy1toz3E7nqYswwaCbKLw8Ao-rWkuz$" style="color:rgb(5,99,193); text-decoration:underline">https://lists.cabforum.org/pipermail/validation/2022-November/001832.html</a></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
RFC 5280 says that end entity certificates SHOULD include the SKI, whereas the currently drafted profiles ballot says it is not recommended, because it is not particularly relevant and presents additional bytes in the certificate; this contradicts RFC 5280.</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
The rationale behind the “SHOULD” apparently was that it could help to quickly identify those certificates that are using the same key.<span>
</span>However, in RFC 5280 there are two methods to calculate the SKI. So there may be no guarantee.<span>
</span>Without the SKI, you would need to separately calculate the SKI. Some applications might use the SKI for some purpose.<span>
</span>We should stay as close to RFC 5280 as possible.<span> </span>There isn’t a good enough reason to deviate from RFC 5280.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Tim H. – We should think long term about having one method to calculate the SKI.<span>
</span>We should deviate from RFC 5280.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Dimitris – supports Paul’s position, although we use the SKI in crt.sh, Censys, and other logs.
<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Paul – I prefer to keep in line with RFC 5280 if we can. If we weaken it to a “MAY,” then at least we’re not saying “SHOULD NOT”.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Dimitris – unless there are strong reasons to diverge, then we should stick with RFC 5280.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Tim – I have strong feelings that the “SHOULD” in RFC 5280 is antiquated and that it would be a step backward.</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Corey B. – Across the ecosystem, SKI cannot be used as the identifier.</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
A straw poll was conducted. Most favored making it a "MAY" and diverging from RFC 5280’s “SHOULD”.
<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>CPS Qualifiers <span></span></b></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Paul – it is much easier to find the relevant documentation when there is a URL for the CPS in the certificate. This is the way to find the relevant CPS associated with the certificate. Details in the CPS matter. It makes it easier for relying parties.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Tim – unless we’re mandating it, it is not helpful across the ecosystem.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Clint – For most CAs, the CPS pointer just goes to the legal repository and in the certificate, it provides no value.<span>
</span>It is a pointer to nothing and is not helpful. There is way too much complexity in CA repositories.<span>
</span>Making it “not recommended” is the correct approach.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Ben – we just want to point people in the right direction. If I want to look at the CPS for a certificate, then do I just go to a large organization’s website?
<span> </span>Will I be able to find the CPS that way? If I have to use a search engine, will I find the repository?<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Dimitris – it may be difficult to find, unless I have the CPS URI – then I can just go there.<span>
</span>Researchers use this information.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Paul – if the link isn’t working, it should be considered a mis-issuance.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Tim – if the website is down, the URL is still correct. <span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Corey – if the CA issues it with a URL that it cannot control, that might be mis-issuance.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Tim – that would be mis-issuance.</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Trev – researchers will still be able to navigate to this information and determine the applicable CP and CPS.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Tim – researchers have difficulty finding CPSes.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Clint – if someone goes to the legal repository, they still must figure out which CPS applies to a given certificate.
<span> </span>Relying parties will have difficulty navigating the legal repositories.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Paul – it helps users identify useful information.</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Bruce – we need to provide a way to tell relying parties about our policies and practices.</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Paul – it is for the users who are sophisticated enough to find it.</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Tim – do we have to pay an internet tax in bytes for these URLs in certificates?<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Paul – we have something today that works, at least for those users who are aware of it.
<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Tim – let’s increase use and reliance on the CCADB for identifying CPSes.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Wayne – We are debating something not that relevant to getting the profiles ballot out.
Let’s move this forward. Why can’t we leave it as a “MAY”?
Has a compromise been suggested with allowing it in the intermediate CA?</p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
Paul – doing it in the ICA will at least provide people with some way to locate a CA’s document repository.<span>
</span>Paul will work on a pull request.<span></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 8pt; line-height:107%; font-size:11pt; font-family:"Calibri",sans-serif">
<b>Meeting adjourned.<span></span></b></p>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
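<p>The SKI discussion in the minutes above turns on the point that RFC 5280 section 4.2.1.2 defines two ways to derive the identifier, so matching certificates by SKI is not guaranteed. The Python below is an added example, not code from the minutes, from the CA/Browser Forum, or from any CA: it builds a SubjectPublicKeyInfo for a constructed (not real) RSA key with a minimal hand-written DER encoder, extracts the subjectPublicKey bits, derives the SKI with both RFC 5280 methods, and shows that a lookup keyed on SKI has to try both. The function names, the DER helpers and the sample key parameters are all assumptions of this example.</p>

```python
"""Subject Key Identifier (SKI) derivation per RFC 5280, section 4.2.1.2.
Added example (not from the minutes or the Forum): minimal DER helpers,
a constructed sample RSA key, and both RFC 5280 SKI methods side by side."""
import hashlib

# DER-encoded value bytes of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (0x00 pad added if the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der(0x02, body)


def rsa_spki(n: int, e: int) -> bytes:
    """Build a SubjectPublicKeyInfo for an RSA key (modulus n, exponent e)."""
    rsa_public_key = der(0x30, der_integer(n) + der_integer(e))
    algorithm = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    # BIT STRING: first content byte is the number of unused bits (0 here)
    subject_public_key = der(0x03, b"\x00" + rsa_public_key)
    return der(0x30, algorithm + subject_public_key)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def subject_public_key_bits(spki: bytes) -> bytes:
    """Extract the subjectPublicKey BIT STRING value (tag, length and
    unused-bits byte stripped); this is the input RFC 5280 hashes."""
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    return bits[1:]


def ski_method1(spki: bytes) -> bytes:
    """RFC 5280 method (1): the 160-bit SHA-1 of the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key_bits(spki)).digest()


def ski_method2(spki: bytes) -> bytes:
    """RFC 5280 method (2): four-bit type field 0100 followed by the least
    significant 60 bits of the same SHA-1 hash (64 bits in total)."""
    digest = hashlib.sha1(subject_public_key_bits(spki)).digest()
    low60 = int.from_bytes(digest[-8:], "big") & ((1 << 60) - 1)
    return ((0x4 << 60) | low60).to_bytes(8, "big")


def identify_ski_method(ski: bytes, spki: bytes):
    """Return 1 or 2 if `ski` matches that RFC 5280 derivation for `spki`,
    else None. A lookup keyed on SKI must try both, and RFC 5280 also
    allows other unique methods, so a miss is not proof of a different key."""
    if ski == ski_method1(spki):
        return 1
    if ski == ski_method2(spki):
        return 2
    return None


# Constructed sample RSA parameters (NOT a real key pair; the modulus has
# its high bit set so the INTEGER padding rule is exercised).
SAMPLE_N = int("c0ffee" * 42 + "c1", 16)
SAMPLE_E = 65537
SAMPLE_SPKI = rsa_spki(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    print("method 1 (20 bytes):", ski_method1(SAMPLE_SPKI).hex())
    print("method 2 ( 8 bytes):", ski_method2(SAMPLE_SPKI).hex())
```

<p>Running the script prints the two identifiers for the same key: a 20-byte value and an 8-byte value that share only the hash's low 60 bits. A log or index that wants to group certificates by key therefore cannot rely on the SKI extension alone; recomputing a key identifier from the subjectPublicKey itself, as the minutes note, is the only derivation that is the same across CAs.</p>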
</body>
</html>