<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#467886" vlink="#96607D" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Here are the final minutes of the 2024-08-08 meeting of the validation-sc as taken by Aaron Gable and approved at yesterday's meeting.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># Validation Subcommittee, Thursday 2024-08-08<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>## Administrivia<br>- Minutes taken by Aaron Gable<br>- Note Well read by Corey Bonnell<br>- Roll Call<br>- Minutes from 2024-07-11 approved<br><br>## Attendees<br>Aaron Gable (Let's Encrypt), Andrea Holland (VikingCloud), Aneta Wojtczak-Iwanicka (Microsoft), Ben Wilson (Mozilla), Clint Wilson (Apple), Corey Bonnell (DigiCert), Doug Beattie (GlobalSign), Iñigo Barreira (Sectigo), Jaime Hablutzel (OISTE Foundation), Janet Hines (VikingCloud), Johnny Reading (GoDaddy), Joseph Ramm (OATI), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Mahua Chaudhuri (Microsoft), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI), Miguel Sanchez (Google), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Paul van Brouwershaven (Entrust), Pekka Lahtiharju (Telia Company), Rebecca Kelly (SSL.com), Scott Rea (eMudhra), Sissel Hoel (Buypass AS), Sven Rajala (Keyfactor), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)<br><br>## Status of Ballot SC-070 (Aaron Gable)<br>- Mads Henriksveen asked for clarification on the status of the ballot<br>- Discussed at ServerCert last week<br>- GoDaddy has withdrawn their exclusion notice in private communication to the IPR Committee<br>- Ben Wilson has asked them to state that withdrawal on a public list<br>- Some concerns were raised that the ballot should be reconsidered, since we've had more discussions about DTPs since then<br>- Aaron 
currently intends to reintroduce Ballot SC-070 as-is, because he believes it is still valuable and walks the right line<br>- But further discussion in both ServerCert WG and Validation SC is warranted<br><br>## Update on Subject Attributes (Martijn Katerbarg)<br>- Continuation of discussion from Face-to-Face<br>- Currently OV organizationName can contain only the Subject's name or their DBA, not both<br>- But EV and S/MIME can contain both, in a specific order<br>- Martijn [has a proposal](<a href="https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:orgNameAlignment" target="_blank">https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:orgNameAlignment</a>) to better align OV with the other profiles<br>- It still wouldn't be quite identical to the EVGs, which require both Assumed Name and DBA to be given<br>- Seeking endorsers<br>- Corey Bonnell pointed out that it might be good to introduce similar language for personal identity, since some jurisdictions allow DBA names for individuals<br><br>## Continuation of DNS discussion (Corey Bonnell)<br>- Note that discussion has been ongoing [on the mailing list](<a href="https://lists.cabforum.org/pipermail/validation/2024-July/001994.html" target="_blank">https://lists.cabforum.org/pipermail/validation/2024-July/001994.html</a>)<br>- Question: What are the specific threats being mitigated by this work?<br>- Question: If SC-070 passes again, is there additional work to be done?<br>- Tobias: DTPs are already banned for domain validation, so use of external resolvers is already forbidden. 
So why are we still having this conversation?<br>- Aaron: SC-070 was designed as a clarification, not new requirements<br>- Miguel Sanchez: Merely running one's own DNS resolver doesn't resolve all potential risks; we need a more thorough threat analysis<br>- Trevoli Ponds-White: From this historical context, it's clear that DNS resolvers were not part of the original intended definition of "Delegated Third Party". SC-070 would be adding requirements, not just clarifying.<br>- Trevoli: In the context of MPIC, it's surprising that we're not requiring the use of multiple DNS resolvers. It feels like requiring running your own is a step in the wrong direction.<br>- Clint Wilson: Delegation of the full validation process was what prompted the discussion, but the result was that all parts (including DNS resolution!) must be performed by the CA.<br>- Aaron: The reason for CAs to run their own DNS is so that it's under their control, not to mitigate specific attacks<br>- Michael Slaughter: We do still need to do threat modeling, though<br>- Tobias: MPIC mitigates BGP-level attacks, but not against all DNS-level attacks<br>- Miguel: Running your own DNS resolver can be non-trivial, and having CAs all run their own may introduce additional risks<br>- Tobias: Running a CA is already non-trivial, it's okay to require this<br>- Trevoli: So we should expect all CAs to have DNS experts on staff?<br>- Tobias: At least consulting with DNS experts is a reasonable expectation, yes. It's the single most important part of domain validation.<br>- Miguel: Not convinced of the value proposition of every CA running their own DNS resolvers (perhaps not in the most secure way) vs. using several well-run public resolvers<br>- Tobias: But there are no public resolvers which satisfy all the current requirements<br>- Aaron: For example, Google DNS is willing to ignore DNSSEC failures in certain circumstances<br>- Corey: We need to have a shared understanding of what we're trying to mitigate. 
Next call we will use the [STRIDE model](<a href="https://en.wikipedia.org/wiki/STRIDE_model" target="_blank">https://en.wikipedia.org/wiki/STRIDE_model</a>) to do threat modeling.<br>- Aaron: The STRIDE model does not include one specific threat we need to include: "The CA doesn't understand their DNS resolver's behavior and it doesn't do what they think it does"<br>- Trevoli: A couple years ago some Amazon engineers gave a presentation to NETSEC on how to do good threat modeling on ambiguous problem spaces<br>- Corey: Motivation -- execution of the DCV process is the most critical concern. The problem is that the requirements are not very clear. We need to develop a shared<br>- Aaron: STRIDE modeling will do a good job of developing requirements to place on DNS resolvers to mitigate specific threats. But having CAs run their own DNS resolvers within their own audit scope is a necessary step 0 regardless of the outcome of the STRIDE modeling.<br>- Clint: Seconded, and Ballot SC-070 should move forward in parallel to the modeling.<br>- Corey: If you have alternatives to STRIDE, please propose them before the next meeting.<br><br>Meeting adjourned<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p></div></body></html>