<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p class="MsoNormal">These are the Draft Minutes of the
Teleconference described in the subject of this message, prepared
by Dimitris Zacharopoulos (HARICA).<br>
</p>
<h1 id="minutes-validation-subcommittee-2023-03-09"
style="page-break-inside: avoid;">Minutes validation subcommittee
2023-09-21</h1>
<h2 id="roll-call" style="page-break-inside: avoid;">Roll call</h2>
<p style="page-break-inside: avoid;">Aaron Poulsen - (Amazon),
Andrea Holland - (VikingCloud), Aneta Wojtczak-Iwanicka -
(Microsoft), Ben Wilson - (Mozilla), Bilal Ashraf - (SSL.com),
Bruce Morton - (Entrust), Chris Clements - (Google), Clint Wilson
- (Apple), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI),
Daryn Wright - (GoDaddy), Dimitris Zacharopoulos - (HARICA), Doug
Beattie - (GlobalSign), Dustin Hollenback - (Microsoft), Inigo
Barreira - (Sectigo), Janet Hines - (VikingCloud), Joseph Ramm -
(OATI), Li-Chun Chen - (Chunghwa Telecom), Martijn Katerbarg -
(Sectigo), Michael Slaughter - (Amazon), Michelle Coon - (OATI),
Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Paul van
Brouwershaven - (Entrust), Pedro Fuentes - (OISTE Foundation),
Rebecca Kelley - (Apple), Rollin Yu - (TrustAsia Technologies,
Inc.), Roman Fischer - (SwissSign), Ryan Dickson - (Google), Scott
Rea - (eMudhra), Thomas Zermeno - (SSL.com), Tobias Josefowitz -
(Opera Software AS), Wayne Thayer - (Fastly).</p>
<h2 id="approval-of-minutes" style="page-break-inside: avoid;">Approval
of minutes</h2>
<p style="page-break-inside: avoid;">Minutes for the August 24<sup>th</sup>
and September 7<sup>th</sup> were approved.</p>
<h2 id="review-of-agenda" style="page-break-inside: avoid;">Review
of Agenda</h2>
<p style="page-break-inside: avoid;">Approved</p>
<ul>
<li>Update from MPDV team</li>
<li>Update from domain validation threat modeling team</li>
<li>F2F planning</li>
<li>(Time permitting) addressing the final item on the
“Applicant”/”Applicant Representative” todo list<br>
</li>
</ul>
<p style="page-break-inside: avoid;"></p>
<h2
id="update-from-ryan-on-multi-perspective-domain-validation-if-needed"
style="page-break-inside: avoid;">Update from MPDV team</h2>
<p style="page-break-inside: avoid;">Ryan gave a quick summary about
the IPR issue. Princeton's lawyers had a different interpretation
than the other organizations of the Forum. They counter-proposed
signing a Royalty-Free license and some language has been drafted
in that direction as a "backup" plan. The issue is somewhat on
hold. The draft language for the MPDV is currently on GitHub and
ready to go for a ballot.<br>
<br>
Dimitris exchanged some emails with the Princeton team and also
invited Members of the CA/B Forum Governance Reform Group who
provided insight to the Princeton team regarding the intent and
existing Member's interpretation of the Forum's IPR Policy.
Despite that effort and clarifications, Princeton's lawyers insist
on their interpretation and Ryan is working with them on that
matter.<br>
<br>
Tobi asked what is the Princeton lawyers' interpretation of the
Forum's IPR policy. Ryan summarized that their interpretation is
that any IP that the University owns, or professors of that
University is at risk by the MPDV Contributions to the Forum.<br>
</p>
<h2 id="discussion-on-certificate-issuance-flows"
style="page-break-inside: avoid;">Update from domain validation
threat modeling team</h2>
Michael Slaughter explained that the threat modeling team for domain
validation focused on delegated DNS Domain Validation method,
including when the CA is involved in the process. The group
discussed specific threats and possible mitigations. They also
proposed specific guardrails for the current method 7 that will come
with a revision of method 7. Other more impactful changes will
probably be introduced in a new validation method.<br>
<br>
The team is ready to present their work to the larger group. There
will be two ballots at different timelines.<br>
<br>
This will probably be presented at the F2F #60 during the Server
Certificate WG slot on Wednesday.<br>
<h2 id="traditional-hosting-provider-flow"
style="page-break-inside:
avoid;">F2F planning</h2>
<p>Corey will discuss with Inigo to possibly have a longer break
(more than 15'). Paul mentioned that during breaks, members have
the opportunity to discuss this is very helpful.<br>
</p>
<h3>What do we want to talk about?</h3>
<ul>
<li>Threat model for Domain Validation methods<br>
</li>
<li>MPDV (Ryan says he will explore how far we can get with the
IPR issue)</li>
<li>Ryan: The profiles ballot did not include some topics and were
deferred. Perhaps we can identify and list topics that remain
deferred. Clint can help capturing those which are probably in
GitHub issues. Perhaps not enough time to prepare for the F2F
but sometime in October we can start an email thread.</li>
<li>Paul: Domain Validation methods CAA with account binding
(similar to the method with CNAME). We can discuss the new ACME
RFC (<a class="moz-txt-link-freetext" href="https://www.rfc-editor.org/rfc/rfc8657">https://www.rfc-editor.org/rfc/rfc8657</a>). Corey reminded
that at the last F2F it was agreed to have a two-stage approach
where the first stage would be a more "surgical" update on
existing method 7 and then work on other improvements. For this
F2F, he recommended to focus on method 7 so we can drive the
ballot to success and then work on the other issues.<br>
</li>
<li>Paul proposed to discuss and cleanup some open GitHub issues
if we have time left.</li>
</ul>
<h3>How long do we need?</h3>
<p style="page-break-inside: avoid;">Corey will discuss with Inigo
about time to be allocated to the Validation Subcommittee.</p>
<p style="page-break-inside: avoid;">Ryan can present the latest
MPDV proposed ballot to the larger group to solicit feedback,
possible implementation challenges and other feedback. This
session could take up to 30'.</p>
<p style="page-break-inside: avoid;">Corey suggested that 1 hour and
45 minutes would be a reasonable time to reserve for the
Validation Subcommittee.</p>
<p></p>
<h2>Addressing the final item on the “Applicant”/”Applicant
Representative” from the TODO list</h2>
<p style="page-break-inside: avoid;">Item 7 from the previous TODO
list is the clean up in section 9.6.3 (4) for removal of
"install".</p>
<p style="page-break-inside: avoid;">The question is related to the
Subscriber Agreement (Use of Certificate). Dimitris proposed to
remove that language (first part of the sentence that includes the
word "install") because it doesn't make much sense to prohibit the
installation of a certificate anywhere. Ben mentioned that this
language may have been there to prevent the MiTM case. He said he
was ok with eliminating that language. Ben wondered what was the
threat that we were trying to mitigate with this language and he
could only think of the MiTM. Tobi said that at the time it might
have been added because of services being offered from physical
servers but that probably doesn't make sense now.</p>
<p style="page-break-inside: avoid;">The consensus was to remove the
first part of the sentence. Corey asked Ben and Dustin to tackle
that in their ballot.</p>
<h2 style="page-break-inside: avoid;">Adjourned</h2>
<p></p>
<style type="text/css">td, h1, h2, h3, h4, h5, p, ul, ol, li { page-break-inside: avoid; }</style>
</body>
</html>