<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#467886" vlink="#96607D" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Here are the approved minutes from the February 28 Validation Subcommittee meeting. Thanks to Ben for taking these!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Feb 28th, 2024 – Face-to-Face Validation Subcommittee Meeting<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Corey Bonnell ran the meeting.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Notewell read by Corey. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Feb. 8, 2024, Meeting Minutes were unanimously approved.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Progress Summary – “Progress since Fall 2023 F2F”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Corey reviewed:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>• BR section 3.2.2.4 (7) improvements<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>• MPDV/MPIC effort led by Chris and Ryan<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>• Automation of EV certificate issuance – GlobalSign will continue its presentation today<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>• Identifying DTP in context of Domain and IP address validation (discussion postponed until 3/7/2024) <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Automation of EV Certificate Issuance – Eva Van Steenberge<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Slide 1: Introduction<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Context – The EVGs were not written with automation in mind. Allowed practices are not clear, and there is ambiguity. Some methods are easily automated while others are not, e.g., looking up a phone number in a QGIS and then calling it and then hoping that you get in touch with the right person. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Goals - Automation of domain validation exists, but improvements could be made to clarify how processing of certificate requests could be automated.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Main Themes for This Round<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>We want to keep a narrow scope without rewriting the entire EVGs. The group has looked at “due diligence” and “cross-correlation” and to reduce the amount of work being done.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>GlobalSign and others looked at what these two concepts mean.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva then reviewed how these topics were addressed by proposed changes to the EVGs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Due Diligence and Domain Validation (EVG 11.13)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – we moved away from requiring it for every certificate or certificate request and focused on the fact that the CA has to do the procedure as a whole, but that it has to have been done, and it’s not something that can be done after the fact.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Roman Fischer asked whether mention of “the Certificate” meant “each certificate”. Eva said that wasn’t their intent. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim H. said that is how we typically write the requirements—in terms of a single certificate, which is what may cause this confusion, but it is implied that you may be doing multiple certificates.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva said that after her presentation it should be clear that things don’t need to be done on a certificate-by-certificate basis.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint said it should be understood that the CA has to “ensure” that the requirement is being done, but that an individual does not need to review every single certificate issued.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Ben asked why “due diligence” is tied together here with “domain validation”? From his perspective, “due diligence” doesn’t need to be performed on domain validation, but it is mainly for confirming subject identity information.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – we tried to define “due diligence” (next slide) and we looked at whether all things have been done correctly. Then, if it is automated, due diligence doesn’t apply, but if manual, then it needs to have been done correctly and someone else needs to double-check it, but we didn’t want to out-scope it entirely. This proposes a definition for “due diligence”, any questions or comments?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – I don’t think it’s absolutely necessary that it be capitalized and defined, but it looks fine.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Ben – the definition is too narrow – it focuses too much on the processes/procedures and not enough on the contents of the certificates.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – that’s not how we see it, not everything we do ends up in the contents of the certificate (e.g. company age, authorization of requester and signer, etc.)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – I agree with Ben, you can’t put the legal name of an organization into the certificate unless it meets the requirements that all the steps have been performed. The concepts are very similar, the processes and procedures lead to what is included in the certificate.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – Are we hinting at the difference between due diligence and cross-correlation? All the different elements have to be done correctly, and those individual elements are subject to due diligence, and then everything combined goes into the certificate. That feels like cross-correlation.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – It might. Those terms are not currently well-defined in the EVGs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Ben – I wouldn’t lump them together like that even though they are part of the same phrase. I’d like something that says, “verification of certificate contents is done with due diligence”. I can hold my comments about “cross-correlation” until later.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Scott R. -- Can you clarify the scope of what you have for “due diligence” and “cross-correlation”? Because if you say it is automated and not subject to due diligence, but then with cross-correlation if you have to tie everything together, there might be a domain that is not related to the organization. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Paul – With this definition we say, “due diligence is the process of ...” we might be able to re-word that section to say that the due diligence process must confirm that each verification process and procedure …, but that would no longer be a definition, it’s more contextual.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – that sounds good.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Paul – And you could create sub-items by indenting and bulleting parts of it.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – We wanted to split them out because of the different treatment for domain validation. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Cross-Correlation<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>We started work on cross-correlation with something that is like a definition. We don’t mention the whole of certificate contents, but we do mention certificate contents. Cross-correlation confirms that there are no discrepancies when everything is combined. We could consider whether to make it more explicit that it needs to support all of the information that goes into the certificate. During our review process, we considered that maybe we take verification of domain names out of the EVGs altogether, since they mainly refer to the BRs. When things were manual, it made sense, but it no longer makes sense to require cross-correlation for the domain control. Historically, there was the lawyer’s letter, but it required that you verify the lawyer’s signature and license to practice. But then when exclusive control of the domain dropped off, it no longer made sense to require cross-correlation of domain ownership. Do people have opinions about this?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Toby – I don’t know if I have an opinion, but I have questions. let’s say we have a domain name of a well-known bank, but it is clearly not the bank, how would that factor in under cross-correlation? In the past, when we had signals like the green bar, it would be very unfortunate to display those. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim – Yes. That’s the purpose of section 3.2.5, Verification of Authority. The CA is required to verify that the applicant actually legitimately represents the organization. So, in that case the section 3.2.5 checks should fail. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – All of the processes should stop that, but I’m not sure that it needs to be cross-correlation that stops that.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – Section 3.2.5 is part of the domain validation process, even if it is not part of the domain control validation process. If we’re going to scope things out of the EVGs, then we ought to be clear that we’re scoping section 3.2.2.4 out of the due diligence and cross-correlation requirements. What is the intent of having the certificate go through an extended verification? Perhaps it is handled by section 3.2.5, but we want to make sure that we’re backing up the claim that they are “Extended Validation”. Having an extra EV component for domain validation would make sense.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – The EVGs have procedures not just for the domain and identity, but also the things to flesh out section 3.2.5. For example, the signer and the approver requirements, but I don’t know what added value is adding domain control in due diligence and cross-correlation.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim – Great point of Clint. We need to be more specific. We need to clarify for other CAs who are not doing things properly, e.g. they are not aware that they need to verify that the requester of the certificate works for the organization requesting the certificate. So adding clarification and specificity in this area would be good.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – Is that related to due diligence and cross-correlation, or is it that sections 11.8 and 11.9 of the EVGs are just more specific versions of BR section 3.2.5?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim – I’m just saying that we need to make it clear that DCV has been performed. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – So we should make it clear that domain validation is to be performed according to these specific sections.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Toby – I’m not sure about the explanation of section 3.2.5. For example, if I control a domain, but it is an impersonating domain, like if I registered globalsignCA.com as a domain I own. And then I get an EV certificate for an entity that doesn’t even claim to be GlobalSign.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – but is that a problem?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Toby - In the past it would have been a signal to relying parties for banking sites, e-commerce sites, etc., and it might become relevant again with QWACs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim – If the verification works correctly, then the confirmed identity will be accurate and portrayed correctly. That is how the process is supposed to work. The domain might say globalsignca.com, but the identity information won’t say GlobalSign, it will say something like “Hollebeek Enterprises”. If the process correctly identifies the right subject organization, then that’s how it’s supposed to work.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Toby – But according to research, this will expose people to fraud. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – We as CAs don’t control what is on these pages, but we provide a very thorough and reliable verification process, so you can complain to this legal person who we verified. So I don’t think that matching the domain name to the organization was ever within scope.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Paul – This issue is not part of this section we’re discussing.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Toby – We cannot separate the discussion of how these are issued and how browsers display the information.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Dimitris – The purpose of Eva’s discussion is to focus on the barriers to automation.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Toby – I’ll step back, but I am skeptical about automation because of this reason.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Dimitris – The cross-correlation step will continue to be done as it is done today, but we’re also looking at what information can be reused after that has been done.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Paul – Cross-correlation and due diligence are done and you need to have the authorization from the organization and that domain and organization entities can be combined. And those validation processes happen before any certificate request is processed or certificate is issued. Let’s assume we reopen the discussion about phishing and misleading domains – because both have been verified before issuance.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>As soon as the applicant authorizes the domain name to be used in combination with that organization, the CA could say, “we have a process to verify it and we don't allow that combination,” but that should not be involved at the actual time of issuance because the domain and the organization both are being verified in advance for issuance.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – I agree with Toby, but the way that we have been considering the EVGs for years is changing because they are being incorporated into other standards and procedures, e.g. eIDAS legislation. It will change how relying parties have to interact with the EVGs going forward. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Mads – I agree the focus of this proposal is due diligence, cross-correlation, and automating issuance, but let’s address EVG 11.7, too, which talks about domain validation. It is related and needs to be fixed, even if it is not part of this proposal.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – Thanks. The reason we decided not to is because there are things in EVG 11.7 and the BRs and we don’t want to be locked down because we are waiting for some changes to be made in the BRs. But we don’t mind, either way. … I will skip through some of the slides.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Corey – Let’s skip the Delegated-Third-Party topic until next week and continue through with this topic.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – OK. We removed delegation of due diligence and cross-correlation by Enterprise RAs. We felt like it didn’t add value. So we are not delegating due diligence and cross-correlation to Enterprise RAs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Re-use of Existing Documentation from Due Diligence and Cross-Correlation<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – We want to make sure the due diligence and cross-correlation can be reused in a safe and secure manner We changed EVG section 11.14, the main body content, because it’s not all about age, and because some are about conditions, so we changed it to be about “conditions”.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>We added reliance on previously performed due diligence. It has to have been done, but not just before certificate issuance. We didn’t like to use the word “reuse” but things that we continuously rely upon. If the age has expired, then it has to be re-performed. Approval must have been given in an appropriate way. Manual processes should still be reviewed with due diligence and cross-correlation. But if you have used automated processes, then you should be allowed to rely on previously performed steps. For example, if you have a portal where certificate approvers have already been verified, then they can approve certificates without cross-correlation and due diligence. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim – We have some concerns that you were too restrictive in choosing which methods to keep and which to remove. There are some methods that could be automated and not removed.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – Do you have any suggestions to make now?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim – Yes. EVG section 11.10.2, option 2, and section 11.9.2, option 3. There are potentially options that could be automated. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva - If this needs to be broader, then we can look at those. We can discuss further when people have had a chance to review this.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Separation of Duties (EVG 14.1.3)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – We replaced language that suggested that steps needed to be done for every separate certificate issuance with “complete all verification processes and procedures.” Are there any questions?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Mads – I posted a comment about the last sentence – collecting the information by one person and reviewing it by another person for due diligence and cross-correlation. We collect a lot of information today using automated means. Do we mean that one person reviews all of the information we collect to make sure that it is correct? <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – Got it. Thank you. Any other comments?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Approval of EV Certificate Request (EVG 11.10)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – The CA must verify that the certificate request has been approved. “Verifying” sounds very much like after the fact. We replaced this with “ensure” to capture the fact that this could be done automated, without a manual process. A pre-authorized approver can give their approval in an automated way. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim – I still owe more explicit language on this so that we can have something better than “ensure”.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – Isn’t it pretty clear from the EVGs that the certificate requester can also be the certificate approver as well? <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – If people think it is clear enough today, then great. We just wanted to add additional clarity that approval can be given in an automated way and you don’t have to verify the approval after it has been given.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Trev – I am in favor of removing derivatives of verification and validation wherever possible throughout the EVGs where it’s not the thing that we intend, but instead where we mean to process and check something. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – This approval can be automated if they are both the same. We’re looking to make sure that a thing happens. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint will add a sentence to this section.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Verification of Signature on Subscriber Agreement (EVG 11.9)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – EVG 11.9 has a reference to 11.8.4 (pre-authorized approver). <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – One of the “gotchas” in the EVGs is where it says the Contract Signer needs to authorize certificate approvers. There are other places like this in the EVGs, so any clarifications like this will help.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva –We’ve discussed requester and approvers being the same person, but we did not explore that topic in depth. Still, we had to fix this section.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – The interactions among the three EV roles are interesting and documentation could be added.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tim – We will help with additional rounds on this topic, too.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Data Security (EVG section16)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – There is a requirement that two trusted persons need to be involved. This is removed because we have enough language elsewhere in the EVGs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – I’m not opposed to removing this, but I’m not positive that removal of this would not have unintended consequences, depending on how this is implemented by CAs. This discussion of trusted persons could be subject to different interpretations. They could be validation specialists, and it may have some impact on due diligence and cross correlation. We should just make sure we’re not removing something important.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – We previously talked about removing Enterprise RA role. I suppose this neutral language for due diligence and cross-correlation for Enterprise RAs. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Brittany – I’ve seen due diligence and cross-correlation as a systematic control as opposed to a procedural control. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – The whole due diligence and cross-correlation process is system agnostic. It just says that it needs to be done, and that could be seen as systematic. Thoughts?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Mads – This is a step towards helping with automating EV issuance processes.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – Maybe we can remove the reference to “certificate request” and add systematic control.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Clint – This section could be moved into the due diligence and cross-correlation section.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – That’s it. We’ve come to the end of this presentation.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Corey – Should folks provide feedback in GitHub or on the list?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Eva – We prefer GitHub.<o:p></o:p></span></p></div></body></html>