<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:394548819;
mso-list-template-ids:-385702928;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:647977548;
mso-list-template-ids:-1103172346;}
@list l1:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:916718001;
mso-list-template-ids:52983198;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:1811709727;
mso-list-template-ids:1421621388;}
@list l3:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:1903324130;
mso-list-template-ids:517661690;}
@list l4:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level1 lfo3
{mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l4:level1 lfo5
{mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>The minutes for the November 2<sup>nd</sup> validation-sc meeting as taken by Wayne and approved on the November 16<sup>th</sup> call are below.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><b><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Validation Subcommittee – 2 November 2023</span></b><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Attendees: Aaron Gable - (Let's Encrypt), Aaron Poulsen - (Amazon), Abhishek Bhat - (eMudhra), Aneta Wojtczak-Iwanicka - (Microsoft), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Cade Cairns - (Google), Chris Clements - (Google), Christophe Bonjean - (GlobalSign), Clint Wilson - (Apple), Eva Vansteenberge - (GlobalSign), Gregory Tomko - (GlobalSign), Janet Hines - (VikingCloud), Joseph Ramm - (OATI), Keshava Nagaraju - (eMudhra), Michael Slaughter - (Amazon), Michelle Coon - (OATI), Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Rebecca Kelley - (Apple), Rollin Yu - (TrustAsia Technologies, Inc.), Roman Fischer - (SwissSign), Ryan Dickson - (Google), Scott Rea - (eMudhra), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management Authority)</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wayne Thayer said that he would take minutes</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wayne read the note well statement.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>The minutes from the 19-October meeting were approved.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Today’s agenda</span><span style='mso-ligatures:none'><o:p></o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='color:black;mso-list:l3 level1 lfo1;vertical-align:baseline'><span style='font-family:"Arial",sans-serif;mso-ligatures:none'>Status update on multi-perspective domain validation<o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-list:l3 level1 lfo1;vertical-align:baseline'><span style='font-family:"Arial",sans-serif;mso-ligatures:none'>Continue backlog grooming<o:p></o:p></span></li></ol><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>It was agreed to add a discussion on improvements to automation for EV certificates as proposed by Christophe Bonjean on the mailing list.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='mso-ligatures:none'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='color:black;mso-list:l0 level1 lfo2;vertical-align:baseline'><span style='font-family:"Arial",sans-serif;mso-ligatures:none'>Multi-perspective domain validation<o:p></o:p></span></li></ol><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Ryan Dickson said that they are still fielding comments on the existing PR, and attempting to address all comments before moving into the discussion period, which he hopes to begin in the next few weeks.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l1 level1 lfo3;vertical-align:baseline'><![if !supportLists]><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Discussion on improvements for automation in the context of EV certificates <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Christophe said that they are exploring automation in the context of EV certificates, and there are a few areas that are ambiguous:</span><span style='mso-ligatures:none'><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;mso-list:l2 level1 lfo4;vertical-align:baseline'><span style='font-family:"Arial",sans-serif;mso-ligatures:none'>Due diligence<o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-list:l2 level1 lfo4;vertical-align:baseline'><span style='font-family:"Arial",sans-serif;mso-ligatures:none'>Final cross-correlation<o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Does it make sense for a human to review an automated domain validation?</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>What is in scope for the delegation of final cross-correlation. Can the enterprise RA perform this?</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Clint WIlson said that it is his opinion that EV cert issuance can be automated under some circumstances. It would be good to review the phrasing in the EVGLs and highlight the ambiguity. Just a few phrases are the souce of most of the confusion.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Trevoli Ponds-White asked if Clint thinks EV can be automated without changing the rules?</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Clint said that he thinks EV issuance can currently be automated.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wayne asked about the final cross-correlation and due diligence piece.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Clint said that he’d have to dig through the text to answer.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Ryan said that he is aware of some ACME endpoints intended to issue EV certificates.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wayne said that using ACME doesn’t automate the validation process. Trev agreed.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Clint clarified that issuance is what can be automated, but once that has been completed the issuance of multiple certificates can be automated.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Eva Van Steenberge said that this discussion shows that the current language is not clear</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Bruce Morton said there have been similar comments on code signing. EV is still close to the original spec from 2005 and incorporates a lot of manual work. It may be time for an upgrade of the entire EVGLs.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Trev said that automating validation is where the value is. We should consider a bigger upgrade, for instance maybe some data should be valid for longer.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Clint said that there are boundaries to what is currently automatable. This isn’t a focus for Apple.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Eva said that they looked at this from the perspective of automating validation, not just issuance. Some elements seem to hinder this.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wayne said that there seems to be interest in this work, and proposed adding a task for the backlog scoped to analyzing and clarifying the existing EVGLs.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Christophe said that he could add this to our backlog.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l4 level1 lfo5;vertical-align:baseline'><![if !supportLists]><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Backlog grooming<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wayne said that we’d start in the backlog where we left off at the last meeting: <a href="https://url.avanan.click/v2/___https:/github.com/orgs/cabforum/projects/1/views/1___.YXAzOmRpZ2ljZXJ0OmE6bzoyZWJjOWEzNGZiZjkzMzhjNjQ5NGNkM2EwOTViODVkNzo2OjMwYTg6MmMwZTYyMDU5NmNhZGU1MzI4YzVkYzdkMDYyN2JiZjMxNjZlNGI4MWE3NmI5YmFmOGYxOTVjMTBiNDUwNTU5ZDpoOkY" title="Protected by Avanan: https://github.com/orgs/cabforum/projects/1/views/1">https://github.com/orgs/cabforum/projects/1/views/1</a></span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Workaround for DNS fragmentation attacks - Wayne said this came from an academic paper. Will MPIC mitigate this?</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Aaron Gable said that the attack allowed the authors to poison certain DNS servers. It requires a global BGP attack so MPIC doesn’t mitigate it.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Tobias Josefowitz said that he is not certain this refers to the attack that Aaron described. This may not be mitigated by MPIC.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Ryan asked for a link to the paper and said that he would send it on to the MPIC researchers.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wayne said that he’d do that.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Aaron said that MPIC does multiply the work and seems likely to mitigate this in the same way it does other DNS poisoning.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Validity period for Technically Constrained Sub-CA and validation period for Domain Namespace - Wayne said that Ryan Sleevi filed this and it has to do with the ‘verified namespace’ for an enterprise RA.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Clint said that this is on Apple’s backlog. In particular clarifying that a domain name in a technically constrained subCA needs to be revalidated on the same cadence as any other domain name. Clint said that he hopes to work in this in the next year.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Analyze JOI disclosures resulting from ballot SC30 - Wayne said that this was the next step after requiring CAs to validate this information.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Trev suggested we break the task down into smaller chunks. It was suggested and agreed to ask DigiCert if they are interested in pursuing this.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Permit the inclusion of LEIs in Subject fields - Bruce said that LEI may be an alternative for the registration number in EV.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Trev said that this was discussed in the Spring and the decision was to ballot this.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Standardize State and Province names - Trev said that this is for states & provinces not covered by ISO 3166-2. Are there undisputed countries that are missing, or is this to resolve disputed territories?</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Create allow-list of Registration agencies used by CAs for EV JOI - Trev said that this is the output of the earlier task to Analyze JOI disclosures.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Ensure CAs are collecting sufficient data to investigate CAA errors - Trev said that it’s unclear if this is for CA’s own investigations, or for the forum to use the data. If the former, the guidelines should specify the outcome but not the type of data to be collected.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Aaron said that the MPIC work introduces new rules that might help. Ryan said that it’s not detailed. Aaron said that this is likely related to a CAA error ‘outside the CA’s infrastructure” and expressed interest in removing that carve out.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Prohibit the inclusion of dataEncipherment and keyAgreement KU bits - Wayne said that this was deferred from the profiles ballot.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wendy Brown asked if keyAgreement is needed for ECC.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Aaron said that keyAgreement is NOT RECOMMENDED in the current version of the BRs.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Trev asked if these should be split into two tasks - one for RSA and one for ECC</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Create a domain validation method that uses SVCB/HTTPS DNS RRs - there was no discussion.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- "Certificate request" - Revisit usage - Ben WIlson said that there is confusion between a request and a CSR.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>- Clarify usage and requirements for random numbers - Aaron said that this one is an active PR. Wayne noted that it is from 2018. Aaron suggested that Michael Slaughter might be interested for the work on CA assisted domain validation as this is related.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Clint said that the approach in the PR doesn’t make the most sense.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Wayne said that he would close the issue.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black;mso-ligatures:none'>Meeting adjourned.</span><span style='mso-ligatures:none'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>