<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>2023-11-16 Validation-sc meeting minutes<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Attendees: Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Andrea Holland (VikingCloud), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cade Cairns (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Eva Vansteenberge (GlobalSign), Gregory Tomko (GlobalSign), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Johnny Reading (GoDaddy), Joseph Ramm (OATI), Mads Henriksveen (Buypass AS), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI), Miguel Sanchez (Google), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Paul van Brouwershaven (Entrust), Rebecca Kelley (Apple), Rollin Yu (TrustAsia Technologies Inc), Roman Fischer (SwissSign), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Minute-taker: Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Corey read the Note Well.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The minutes of the November 2nd meeting were approved.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>There was no update for the MPDV/MPIC work.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Michael Slaughter provided an update on the improvements to BR 3.2.2.4 (7). Michael said he is in the process of adding the proposed text as a ballot to Github. He also asked for any feedback on the language.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eva gave a presentation (<a href="https://url.avanan.click/v2/___https:/lists.cabforum.org/pipermail/validation/attachments/20231115/0dfe3d8f/attachment-0001.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzpjNTg4MzBiMTgwYzk5ZjM4MjBkZWYxNjJlZGFhYjkzNjo2OmI3ZjY6MDA0MzU2NDdmZTQ4ZGEzNzFlZWJlMzQ3NjQ1YTFmM2Y3MjFmZTc2YjQ2ODA3Yzk2ODM2ZGFlZWMxMGRkYzExMDp0OkY">https://url.avanan.click/v2/___https://lists.cabforum.org/pipermail/validation/attachments/20231115/0dfe3d8f/attachment-0001.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzpjNTg4MzBiMTgwYzk5ZjM4MjBkZWYxNjJlZGFhYjkzNjo2OmI3ZjY6MDA0MzU2NDdmZTQ4ZGEzNzFlZWJlMzQ3NjQ1YTFmM2Y3MjFmZTc2YjQ2ODA3Yzk2ODM2ZGFlZWMxMGRkYzExMDp0OkY</a>) on improving the EV Guidelines to foster automation of processing certificate requests.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The first area raised for discussion is the due diligence and cross-correlation check. Eva asked for the group's interpretation whether this check is required for all validation information, including domain validation, or if it is more limited.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Aaron remarked that the intent should be that only manually validated elements need to be checked. Roman did not agree, as he sees organizations which operate domain names that do not match their organization name.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dimitris agreed with Aaron that the intent is to double-check identity information. He also commented that evidence of domain control (not ownership) is sufficient.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce suggested that all domain validation requirements in the EV Guidelines should be removed such that they are solely defined in the BRs. Dimitris said this is a good idea, as other groups have been using the EVGs to prescribe identity validation. Dimitris also called the group to EVG section 11.8.4, which speaks to pre-authorized Certificate Approvers. Dimitris said this section could be used to enable automation for EV issuance but his team was not 100% certain and are still struggling with the EV Guidelines language. Eva said that the interaction of that section and the due diligence requirements make it unclear to the extent of checking required when domains are added or removed from subsequent Certificate Requests. Roman said that the validation checks for organizational identity and domain validation are separate; no re-validation or re-checking is required. Dimitris said we should clarify the requirement to only require due diligence checking for identity validation so there is no room for ambiguity.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eva then presented the second topic, which is the Enterprise RA checks prior to issuance. She questioned the value of the checks prescribed in section 14.2.2, as they are redundant with the checks performed by the CA. Bruce remarked that if the CA does not permit the Enterprise RA to perform this check and always do the check by the CA, then there is no redundancy. Eva asked Bruce to explain how this works in more detail. Also, Doug asked how the addition/removal of domains are handled in this case. Bruce clarified that domains are tied to the Enterprise account and validated. Dimitris noted this seems inconsistent, as Enterprise RAs would seemingly be no different than a Subscriber. He said that if no one sees the value in this old language, then we should just remove it or make it more reasonable.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The idea of "modernizing" the EVGs and extracting all domain validation requirements was raised again. Section 11.7 was mentioned as a potential area that needs to be removed. Martijn said that there are some requirements concerning Onion Domain Names. Corey said that those requirements are already in the BRs, so they can be removed. Bruce said that the mixed character set requirements are vague, as they refer to a visual comparison. Bruce said he'd like to work with interested folks in improving this area of the requirements.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eva asked for confirmation on these two points from the previous discussion:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1. The due diligence check only needs to cover the manual/identity validation, not domain validation<o:p></o:p></p><p class=MsoNormal>2. The EVGs should be updated to remove all requirements for domain validation and instead defer entirely to the BRs<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Mads agreed with both points.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Clint asked if the purpose of the Enterprise RA due diligence check is to have the Applicant organization verify its own details, as it is assumed it is the best source of information? Bruce said the intent is unclear, as there is no requirement to treat an Applicant as an Enterprise RA. Clint said that if the CA treats an Applicant as an Enterprise RA, then the requirements in 14.2.2 apply.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dimitris asked for CAs who are currently issuing EV certificates via ACME to provide their interpretation of the EVGs which support such automation.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eva said that she'll be spearheading the work to improve the due diligence requirements to decouple domain validation.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Meeting adjourned.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b><span style='mso-ligatures:none'>From:</span></b><span style='mso-ligatures:none'> Management <<a href="mailto:management-bounces@cabforum.org">management-bounces@cabforum.org</a>> <b>On Behalf Of </b>Corey Bonnell via Management<br><b>Sent:</b> Monday, November 27, 2023 10:34 AM<br><b>To:</b> CABforum2 <<a href="mailto:management@cabforum.org">management@cabforum.org</a>><br><b>Subject:</b> [cabfman] 2023-11-16 Validation-sc draft minutes<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>2023-11-16 Validation-sc meeting minutes<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Attendees: Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Andrea Holland (VikingCloud), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cade Cairns (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Eva Vansteenberge (GlobalSign), Gregory Tomko (GlobalSign), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Johnny Reading (GoDaddy), Joseph Ramm (OATI), Mads Henriksveen (Buypass AS), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI), Miguel Sanchez (Google), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Paul van Brouwershaven (Entrust), Rebecca Kelley (Apple), Rollin Yu (TrustAsia Technologies Inc), Roman Fischer (SwissSign), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Minute-taker: Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Corey read the Note Well.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The minutes of the November 2nd meeting were approved.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>There was no update for the MPDV/MPIC work.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Michael Slaughter provided an update on the improvements to BR 3.2.2.4 (7). Michael said he is in the process of adding the proposed text as a ballot to Github. He also asked for any feedback on the language.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eva gave a presentation (<a href="https://url.avanan.click/v2/___https:/lists.cabforum.org/pipermail/validation/attachments/20231115/0dfe3d8f/attachment-0001.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzpjNTg4MzBiMTgwYzk5ZjM4MjBkZWYxNjJlZGFhYjkzNjo2OmI3ZjY6MDA0MzU2NDdmZTQ4ZGEzNzFlZWJlMzQ3NjQ1YTFmM2Y3MjFmZTc2YjQ2ODA3Yzk2ODM2ZGFlZWMxMGRkYzExMDp0OkY">https://url.avanan.click/v2/___https://lists.cabforum.org/pipermail/validation/attachments/20231115/0dfe3d8f/attachment-0001.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzpjNTg4MzBiMTgwYzk5ZjM4MjBkZWYxNjJlZGFhYjkzNjo2OmI3ZjY6MDA0MzU2NDdmZTQ4ZGEzNzFlZWJlMzQ3NjQ1YTFmM2Y3MjFmZTc2YjQ2ODA3Yzk2ODM2ZGFlZWMxMGRkYzExMDp0OkY</a>) on improving the EV Guidelines to foster automation of processing certificate requests.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The first area raised for discussion is the due diligence and cross-correlation check. Eva asked for the group's interpretation whether this check is required for all validation information, including domain validation, or if it is more limited.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Aaron remarked that the intent should be that only manually validated elements need to be checked. Roman did not agree, as he sees organizations which operate domain names that do not match their organization name.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dimitris agreed with Aaron that the intent is to double-check identity information. He also commented that evidence of domain control (not ownership) is sufficient.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce suggested that all domain validation requirements in the EV Guidelines should be removed such that they are solely defined in the BRs. Dimitris said this is a good idea, as other groups have been using the EVGs to prescribe identity validation. Dimitris also called the group to EVG section 11.8.4, which speaks to pre-authorized Certificate Approvers. Dimitris said this section may be problematic for automation. Eva said that the interaction of that section and the due diligence requirements make it unclear to the extent of checking required when domains are added or removed from subsequent Certificate Requests. Roman said that the validation checks for organizational identity and domain validation are separate; no re-validation or re-checking is required. Dimitris said we should clarify the requirement to only require due diligence checking for identity validation so there is no room for ambiguity.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eva then presented the second topic, which is the Enterprise RA checks prior to issuance. She questioned the value of the checks prescribed in section 14.2.2, as they are redundant with the checks performed by the CA. Bruce remarked that if the CA does not permit the Enterprise RA to perform this check and always do the check by the CA, then there is no redundancy. Eva asked Bruce to explain how this works in more detail. Also, Doug asked how the addition/removal of domains are handled in this case. Bruce clarified that domains are tied to the Enterprise account and validated. Dimitris noted this seems inconsistent, as Enterprise RAs would seemingly be no different than a Subscriber. He said that if no one sees the value in this old language, then we should just remove it or make it more reasonable.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The idea of "modernizing" the EVGs and extracting all domain validation requirements was raised again. Section 11.7 was mentioned as a potential area that needs to be removed. Martijn said that there are some requirements concerning Onion Domain Names. Corey said that those requirements are already in the BRs, so they can be removed. Bruce said that the mixed character set requirements are vague, as they refer to a visual comparison. Bruce said he'd like to work with interested folks in improving this area of the requirements.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eva asked for confirmation on these two points from the previous discussion:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1. The due diligence check only needs to cover the manual/identity validation, not domain validation<o:p></o:p></p><p class=MsoNormal>2. The EVGs should be updated to remove all requirements for domain validation and instead defer entirely to the BRs<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Mads agreed with both points.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Clint asked if the purpose of the Enterprise RA due diligence check is to have the Applicant organization verify its own details, as it is assumed it is the best source of information? Bruce said the intent is unclear, as there is no requirement to treat an Applicant as an Enterprise RA. Clint said that if the CA treats an Applicant as an Enterprise RA, then the requirements in 14.2.2 apply.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dimitris asked for CAs who are currently issuing EV certificates via ACME to provide their interpretation of the EVGs which support such automation.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eva said that she'll be spearheading the work to improve the due diligence requirements to decouple domain validation.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Meeting adjourned.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>