<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Stylesheet emitted by Word (see the Generator meta above). Declarations
   prefixed mso-* and the @list at-rules are Microsoft Office extensions; a
   conforming browser ignores unknown properties and unknown at-rules, so
   outside Word/Outlook only the standard declarations (font-family,
   font-size, margin, color, text-decoration, text-indent, page) take effect. */
/* Font Definitions */
/* None of these @font-face rules carries a src descriptor, so no web font is
   fetched; they only name fonts expected to be installed locally. The
   "\@Yu Gothic" entry looks like Word's naming for a vertical-text variant of
   the same font — NOTE(review): inferred from the naming convention, not
   verified here. */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
/* Word's "Normal" paragraph style: no margin, 12pt Aptos. */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
/* Hyperlink appearance, for native links and for Word's hyperlink span. */
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
/* Text style Word tags as personal-reply (mso-style-type); Aptos in the
   default text colour. */
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
/* Export-only marker with no standard declarations; inert in a browser. */
.MsoChpDefault
{mso-style-type:export-only;}
/* Letter-size page with 1in margins, bound to div.WordSection1 through the
   `page` property below; only relevant to paged (print) rendering. */
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
/* Five Word bullet lists (l0–l4) that differ only in their ids; each has the
   same nine-level template: level 1 in Symbol, level 2 a Courier New "o",
   levels 3–9 in Wingdings, with the tab stop advancing 0.5in per level and a
   -0.25in hanging indent. The empty mso-level-text values at levels 1 and
   3–9 presumably held private-use bullet glyphs that were lost in export —
   TODO confirm against the original message. */
@list l0
{mso-list-id:108012278;
mso-list-template-ids:-531322826;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
/* l1: same template as l0. */
@list l1
{mso-list-id:1530292155;
mso-list-template-ids:1768831826;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
/* l2: same template as l0. */
@list l2
{mso-list-id:1670523466;
mso-list-template-ids:897250632;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
/* l3: same template as l0. */
@list l3
{mso-list-id:1687631332;
mso-list-template-ids:1748696018;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
/* l4: same template as l0. */
@list l4
{mso-list-id:2054889649;
mso-list-template-ids:-1560089856;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
/* Drop the trailing gap under every ordered and unordered list. */
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><div><p style='margin:0in'><span style='font-family:"Arial",sans-serif;color:black'>Here are the minutes for the 2024-08-22 meeting of the validation-sc, as recorded by Ryan Dickson and approved at the 2024-09-05 meeting.</span><b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></b></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></b></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif'>Minutes of the Validation Subcommittee Meeting on 2024-08-22</span></b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif'>Attendees<span style='color:black'>: </span></span></b><span style='font-family:"Arial",sans-serif;color:black'>Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Abhishek Bhat (eMudhra), Andrea Holland (VikingCloud), Aneta Wojtczak-Iwanicka (Microsoft), Ben Wilson (Mozilla), Chris Clements (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Gurleen Grewal (Google), Jaime Hablutzel (OISTE Foundation), Janet Hines (VikingCloud), Johnny Reading (GoDaddy), Kiran Tummala (Microsoft), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Mahua Chaudhuri (Microsoft), Michael Slaughter (Amazon), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Paul van Brouwershaven (Entrust), Rebecca Kelly (SSL.com), Rollin Yu (TrustAsia), Ryan Dickson (Google), Scott Rea (eMudhra), Stephen Davidson (DigiCert), Sven Rajala (Keyfactor), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management 
Authority)</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif;color:black'>Meeting Kickoff:</span></b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li style='color:black;margin-top:0in;margin-bottom:0in;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey greeted participants and noted recording has started<o:p></o:p></span></li><li style='color:black;margin-top:0in;margin-bottom:0in;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Ryan will take minutes<o:p></o:p></span></li><li style='color:black;margin-top:0in;margin-bottom:0in;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey read the note-well<o:p></o:p></span></li><li style='color:black;margin-top:0in;margin-bottom:0in;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey read the participants list (above)<o:p></o:p></span></li><li style='color:black;margin-top:0in;margin-bottom:0in;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>The August 8, 2024 meeting minutes were approved due to no objections.<o:p></o:p></span></li><li style='color:black;margin-top:0in;margin-bottom:0in;mso-list:l1 level1 
lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Question on minutes from Aaron: The participants list generated by the member tool wasn’t accurate after the meeting ended. Corey mentioned forcing the refresh is a good standard practice, but it’s not clear why the force refresh is needed. Dimitris encouraged Aaron to follow up with the Infrastructure WG or with Martijn directly. Scott also indicated similar issues in the past. Aaron also noticed refreshing changed the formatting of the list (hyphens removed). Wayne also volunteered to take note and raise with the Infrastructure WG during the next call.<o:p></o:p></span></li><li style='color:black;margin-top:0in;margin-bottom:0in;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey reviewed the Agenda, no updates.<o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif'>Discussion and reminder for call for endorsers on Organization Name alignment ballot (</span></b><span style='font-family:"Arial",sans-serif'><a href="https://lists.cabforum.org/pipermail/validation/2024-August/002006.html"><b>https://lists.cabforum.org/pipermail/validation/2024-August/002006.html</b></a><b>)</b><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li style='margin-top:0in;margin-bottom:0in;mso-list:l2 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Martijn is seeking endorsers for the proposal, however was unable to join the call. If interested in endorsing, message Martijn or the list. 
<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l2 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>No further discussion.<o:p></o:p></span></li></ul><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif'>Discussion on language improvements for cPSUri and CRLDP (</span></b><span style='font-family:"Arial",sans-serif'><a href="https://lists.cabforum.org/pipermail/validation/2024-August/002009.html"><b>https://lists.cabforum.org/pipermail/validation/2024-August/002009.html</b></a><b>)</b><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li style='margin-top:0in;margin-bottom:0in;mso-list:l3 level1 lfo3;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey highlighted the thread and Pull Request where changes were being proposed and discussed. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l3 level1 lfo3;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey mentioned some discussion on GitHub is ongoing focusing on defining the term “scheme.” <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l3 level1 lfo3;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Use of “URI Scheme" appears to have general consensus from many members on the call (including Clint, Corey, and Dimitris). Enrico will work on creating updated language. 
<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l3 level1 lfo3;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Next steps would be for the proposal to transition into the Server Certificate Working Group, Enrico agreed and will take action. <o:p></o:p></span></li></ul><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif'>Discussion on language improvements for EV Registration Number (</span></b><span style='font-family:"Arial",sans-serif'><a href="https://lists.cabforum.org/pipermail/validation/2024-August/002008.html"><b>https://lists.cabforum.org/pipermail/validation/2024-August/002008.html</b></a><b>)</b><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey discussed recent feedback on the thread from Clint, and that the idea might require a forward-looking effective date.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Clint indicated consistent formatting of an attribute being included in Subject DNs would be helpful. A short effective date to require the recommended format appears to be a good middle ground. 
<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey indicated he’d iterate and contemplate an effective date 3-6 months into the future. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Wayne re-visited the idea of having a lint available to accompany a potential future ballot. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Aaron offered a summary of past discussion (lints not required, but encouraged to accompany a ballot that updates profiles). <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Wayne suggested as part of the future effective date, we should contemplate how long it might take to write a lint. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey also highlighted challenges with creating a lint that accurately detects potential mis-issuance. 
More investigation is required.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Dimitris shared a reminder that in the past there were discussions within the SCWG that offered potential improvement for more consistent methods of identifying organizations. Perhaps if pursued, those ideas could solve the challenge being addressed by this proposal. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo4;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey indicated this ballot arose out of an incident that appeared to be due to a misinterpretation of the existing language. He agreed the group should have a broader conversation on how to handle Organization ID moving forward.<o:p></o:p></span></li></ul><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif'>Threat modeling DNS-based domain validation (method #7) using the STRIDE model (</span></b><span style='font-family:"Arial",sans-serif'><a href="https://en.wikipedia.org/wiki/STRIDE_model"><b>https://en.wikipedia.org/wiki/STRIDE_model</b></a><b>)</b><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>On previous calls, various participants had different ideas on what was permitted during the DCV process. There also appeared to exist assumptions that were not universally shared. 
<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Through the STRIDE exercise, the goal is to establish a common understanding and perspective.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>The main reason for STRIDE is that it was used successfully in the past within the subcommittee. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>There was some discussion on whether STRIDE was the most appropriate choice, but there was no follow-up discussion on the list proposing a threat modeling framework better suited to the group.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>No comments or objections related to using STRIDE, the group will proceed with this model. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey highlighted the existence of a video previously shared by Trev in NetSec that summarized STRIDE and how to sequence steps of the analysis. 
<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>High-level steps:<o:p></o:p></span></li></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Step 1: Model the system (components and interactions between components)<o:p></o:p></span></li></ul></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><ul style='margin-top:0in' type=square><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level3 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Challenge: We’ll need to come up with a model that’s applicable to all CAs, despite possible differences between them.<o:p></o:p></span></li></ul></ul></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Step 2: Come up with list of attacks on the system<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Step 3: Come up with list of mitigations<o:p></o:p></span></li></ul></ul><ul style='margin-top:0in' type=disc><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 
lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>The group discussed the best approach for operationalizing the framework.<o:p></o:p></span></li></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Slaughter supported use of a Google Doc<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey suggested we create a blank doc and make the URL accessible on the Wiki<o:p></o:p></span></li></ul></ul><ul style='margin-top:0in' type=disc><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level1 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>We started using the model<o:p></o:p></span></li></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Slaughter asked what we should consider the scope. Corey suggested strictly Method 7. 
Dimitris indicated we aren’t questioning the underlying security properties of DNS, in general.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey suggested the scope should be a system that performs Method 7, and study the interactions of the components of that system. At that point, we can identify interactions and define them as in or out of scope.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi indicated the challenge is the DNS protocol itself and how it’s used by resolvers, and the idea of outsourcing the core functionality of what a CA has to provide before issuing certificates. In his opinion, this doesn’t translate into what the STRIDE model describes. He does not believe the framework will be useful. 
<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>The group briefly debated the value of the STRIDE model.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: Whatever part of the system actually makes the requests to the authoritative name server of the domains in question — that are used to determine if validation has passed or not — in the proposal from Google Trust Services, that could be a third-party resolver — and in my perspective, that can only be a name server or some other implementation on the CA side. No other part of the system factors into it.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Slaughter: Scoping - you want to scope this to when the CA creates a DNS query to something? <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: There are two distinct DNS protocols. They have the same name, they use the same packet format, but they are different. One is for requests to authoritative name servers and those responses. The other is for requests to resolvers. 
Some people here are suggesting that a CA could make a request to the resolver, the resolver does all the work, give you a single response back, and the CA would make a determination on the response. This is a different version of the protocol than the one used to talk to authoritative name servers. My concern is primarily in the addition of the DNS protocol spoken between authoritative name servers and resolvers. That is where I see the problem that in my opinion makes it not a viable option to use 3rd parties for DNS resolution in domain validation. If anyone wants to model anything in response to my concern, I don’t think STRIDE is a useful model.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Dimitris: I agree with Tobi, we should not allow delegated resolvers. This model will help us prove that. Maybe along the way we’ll find other threats that we may deem unacceptable. The reason for the proposal was to help explore unknown threats.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: I don’t see the assets we’d be discussing defined. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Dimitris: In my mind, any rogue resolver between a CA and the authoritative name server could alter the results. 
The framing could be as simple as that.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Slaughter: In modeling terms, this is an abstract asset. For example, maintaining the integrity of the Web PKI.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: The asset is the correctness of issued certificates.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey re-framed the discussion. Defining the system components is a good starting point for evaluating this. I see this as a way of identifying potential problems with Method 7 that we might be able to improve by updating the BRs. It’s about identifying concrete improvements to bolster security. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: I think it contemplates extending the scope of DNS validation, which should not be allowed. When we say in the BRs that we need to check DNS, it’s unfortunate that it could be misinterpreted as allowing a CA to simply query a recursive resolver, rather than the authoritative name server for the domain. I have a problem expanding the scope to include that - it would be a distraction. This practice should not be considered acceptable to begin with. 
<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Slaughter: To make sure I understand, the mitigation is to only query authoritative name servers. This mitigates a threat that exists when you query recursive resolvers. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: Correct, you don’t know if a recursive resolver is telling the truth. It’s not trusted to be authoritative. This is fundamentally always true, unless the resolver is operated by the CA itself. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Slaughter summarized the top-level threat: use of a 3rd-party recursive resolver can result in tampered or forged DNS responses being returned and relied upon during DCV.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>[Corey began defining entities and components in the doc, and we discussed possible assumptions.]<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Slaughter: Back to the threat, any recursive resolver can result in tampered/forged responses. 
I believe what Tobi is implying is that there are steps a CA can perform to mitigate that threat. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi agreed that there are many mitigations possible. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>[We iterated on the doc.]<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: If you say you can use a third-party resolver, it means you can use any third-party resolver. And that is definitely a threat for the use case a CA is relying on for certificate issuance.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey: A similar issue is if you use a 1st party resolver and have no mitigations in place to prevent attacks. <o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: No. Because a third-party can lie to you. It’s not the same. 
<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey: A first party resolver could be grossly misconfigured, we have no requirements for these systems. You can still have bad security outcomes. There’s a difference in who controls it.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Tobi: It’s still a threat, but it’s a different threat.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Slaughter: Both threats require different mitigations and should be addressed separately.<o:p></o:p></span></li><li style='margin-top:0in;margin-bottom:0in;mso-list:l4 level2 lfo5;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal'><span style='font-family:"Arial",sans-serif'>Corey: We're running out of time. 
There's an opportunity to clean-up the doc, I’ll share the URL on the Wiki and we can pick it up here at the next meeting.<o:p></o:p></span></li></ul></ul><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif'>Meeting Adjourned</span></b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <br>You received this message because you are subscribed to the Google Groups "Management (CA/B Forum)" group.<br>To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:management+unsubscribe@groups.cabforum.org">management+unsubscribe@groups.cabforum.org</a>.<br>To view this discussion on the web visit <a href="https://groups.google.com/a/groups.cabforum.org/d/msgid/management/CADEW5O-HoNg%3DEvkG6RxMnTk8V_2RAaOv%3DAzh-K4ApWT_2aVVyA%40mail.gmail.com?utm_medium=email&utm_source=footer">https://groups.google.com/a/groups.cabforum.org/d/msgid/management/CADEW5O-HoNg%3DEvkG6RxMnTk8V_2RAaOv%3DAzh-K4ApWT_2aVVyA%40mail.gmail.com</a>.<o:p></o:p></p></div></body></html>