From jopurvis at cisco.com Wed Dec 2 16:35:09 2020
From: jopurvis at cisco.com (Jos Purvis (jopurvis))
Date: Wed, 2 Dec 2020 16:35:09 +0000
Subject: [cabfpub] Test for SMTP delivery
Message-ID: <16DE9F93-61D2-4C9D-8C17-FD6EFFFA01B3@cisco.com>

Please ignore

--
Jos Purvis (jopurvis at cisco.com)
.:|:.:|:. cisco systems | Cryptographic Services
PGP: 0xFD802FEE07D19105 | Controls and Trust Verification


From dean.coclin at digicert.com Fri Dec 4 14:22:19 2020
From: dean.coclin at digicert.com (Dean Coclin)
Date: Fri, 4 Dec 2020 14:22:19 +0000
Subject: [cabfpub] Draft CA/Browser Forum agenda - Thursday, December 10, 2020 at 11:30 am Eastern Time
Message-ID:

Here is the draft CA/B Forum agenda for the teleconference described in the subject of this message.

CA/Browser Forum Agenda

Time  Start(ET)  Stop   Item  Description                                                                  Presenters
0:02  11:30      11:32  1.    Roll Call                                                                    Dean
0:01  11:32      11:33  2.    Read Antitrust Statement
0:01  11:33      11:34  3.    Review Agenda
0:01  11:34      11:35  4.    Approval of minutes of last call                                             Dean
0:05  11:35      11:40  5.    Forum Infrastructure Subcommittee update                                     Jos
0:05  11:40      11:45  6.    Code Signing Certificate Working Group update                                Dean
0:05  11:45      11:50  7.    S/MIME Certificate Working Group update                                      Stephen
0:05  11:50      11:55  8.    Looking ahead at 2021 F2F meeting schedule                                   Dean
0:04  11:55      11:59  9.    Any Other Business
0:01  11:59      12:00  10.   Next call: NO MEETING December 24th. Next call January 7th. Adjourn

F2F Meeting Schedule:
* 2021: Feb-March VIRTUAL, June - Virtual, October - Minneapolis (OATI)
* 2022: Mar-April New Delhi / Bengaluru (e-Mudhra), June - [Open], October - [Open]


From dean.coclin at digicert.com Mon Dec 7 15:04:58 2020
From: dean.coclin at digicert.com (Dean Coclin)
Date: Mon, 7 Dec 2020 15:04:58 +0000
Subject: [cabfpub] Final CA/Browser Forum agenda - Thursday, December 10, 2020 at 11:30 am Eastern Time
Message-ID:

Here is the final CA/B Forum agenda for the teleconference described in the subject of this message.

CA/Browser Forum Agenda

Time  Start(ET)  Stop   Item  Description                                                                  Presenters
0:02  11:30      11:32  1.    Roll Call                                                                    Dean
0:01  11:32      11:33  2.    Read Antitrust Statement
0:01  11:33      11:34  3.    Review Agenda
0:01  11:34      11:35  4.    Approval of minutes of last call                                             Dean
0:05  11:35      11:40  5.    Forum Infrastructure Subcommittee update                                     Jos
0:05  11:40      11:45  6.    Code Signing Certificate Working Group update                                Dean
0:05  11:45      11:50  7.    S/MIME Certificate Working Group update                                      Stephen
0:05  11:50      11:55  8.    Looking ahead at 2021 F2F meeting schedule                                   Dean
0:04  11:55      11:59  9.    Any Other Business
0:01  11:59      12:00  10.   Next call: NO MEETING December 24th. Next call January 7th. Adjourn

F2F Meeting Schedule:
* 2021: Feb-March VIRTUAL, June - Virtual, October - Minneapolis (OATI)
* 2022: Mar-April New Delhi / Bengaluru (e-Mudhra), June - [Open], October - [Open]
* Potential hosts (from postponed meetings): Globalsign, Cisco, Certum
From dean.coclin at digicert.com Thu Dec 10 17:16:23 2020
From: dean.coclin at digicert.com (Dean Coclin)
Date: Thu, 10 Dec 2020 17:16:23 +0000
Subject: [cabfpub] Final Minutes for CA/Browser Forum Teleconference - November 12, 2020
Message-ID:

These are the approved minutes of the subject meeting:

Attendees (in alphabetical order)

Adrian Mueller (SwissSign), Amanda Mendieta (Apple), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Christy Berghoff (Federal PKI), Curt Spann (Apple), Daniela Hood (GoDaddy), David Kluge (Google), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority)

Minutes

CA/B Forum Meeting Minutes (2020-11-12)
Dean Coclin (DigiCert), CA/B Forum Chair

Administrative Updates

* Anti-trust statement was read
* Agenda was published. No comments.
* Approval of Face-to-Face 51 minutes
  o No comments. Minutes approved.

Forum Infrastructure Subcommittee
Jos Purvis (Cisco), CA/B Forum Vice Chair

* Conversion of CA/B Forum GIT Repository into separate sub-repositories
  o All repositories created and working out final details
* Ryan Sleevi (Google) asked for owners in email to add 2FA or ask to be removed as an owner
  o At this point, only 2 members remaining without 2FA. Ryan will send them a direct email.
  o At this point, 2FA will be enabled.
* Jim Gorz (GoDaddy) has been preparing to move the mailer host
  o He'll post a change date once it is available to ensure we do not have discussions or voting periods during the migration to the new host

Code Signing Certificate Working Group
Dean Coclin (DigiCert), CA/B Forum Chair

* CSCWG-4: Review period ended. Bruce published final version and it is up and running
* Ian McMillan (Microsoft) proposed Key Protection ballot. This is about cloud based key protection requirements. Clarification needed on log retention. USB tokens needed for that. Auditing discussed.
* Question about clarifying timeline for 3072 bit keys. Now June 2021.
* If root issued before 2021 and is 2048 key size, can it still be used? Ian McMillan is going to get clarity.
* Bruce Morton (Entrust) is investigating EV vs. Non-EV requirements in BRs.

S/MIME Working Group
Stephen Davidson (DigiCert)

* Telia interested in participating in working group
* Working group is currently at 38 members
* Fast approaching stage of using GitHub
  o Stephen will work with Infrastructure Subcommittee to use GitHub for S/MIME
* Leaf certificate profile
  o Reviewed data within fields
  o Working on aligning format (table type) with what other working groups are using

Additional Administrative Updates

* Member applications
  o Jos Purvis (Cisco) will follow up with members requesting to join the CA/B Forum
  o Stephen Davidson (DigiCert) will follow up with Telia regarding the S/MIME Working Group membership request
* Responding to Mailing List Questions
  o Dean Coclin (DigiCert) discussed the process for how to respond to the questions list. If Dean can answer administrative questions, he'll respond immediately. If the questions are more unique or not "administrative", he'll ask for input from the group before sending a response.
  o Dean asked if anyone has any issues with how he's been responding so far. No concerns were raised.
* Next Meeting
  o The next scheduled meeting is canceled because it lands on the U.S. holiday of Thanksgiving.
  o December 10th is now the next meeting.

Adjourned

F2F Meeting Schedule:
* 2021: Feb-March - Virtual, June - Poland (Asseco-Certum), October - Minneapolis (OATI)
* 2022: Mar-April New Delhi / Bengaluru (e-Mudhra), June - [Open], October - [Open]
From jopurvis at cisco.com Mon Dec 14 19:21:12 2020
From: jopurvis at cisco.com (Jos Purvis (jopurvis))
Date: Mon, 14 Dec 2020 19:21:12 +0000
Subject: [cabfpub] Final Minutes for CA/Browser Forum Teleconference - November 12, 2020
In-Reply-To: <010001764da785e1-2f61dc1a-9fbc-4985-80af-5529951a8ed7-000000@email.amazonses.com>
References: <010001764da785e1-2f61dc1a-9fbc-4985-80af-5529951a8ed7-000000@email.amazonses.com>
Message-ID: <416C6450-C406-49CE-ADC0-DE0BD38C084B@cisco.com>

Published!

--
Jos Purvis (jopurvis at cisco.com)
.:|:.:|:. cisco systems | Cryptographic Services
PGP: 0xFD802FEE07D19105 | Controls and Trust Verification

From: Public on behalf of CA/B Forum Public List
Reply-To: Dean Coclin , CA/B Forum Public List
Date: Thursday, December 10, 2020 at 12:17 PM
To: CA/B Forum Public List
Subject: [cabfpub] Final Minutes for CA/Browser Forum Teleconference - November 12, 2020
From aaron at letsencrypt.org Thu Dec 17 18:35:13 2020
From: aaron at letsencrypt.org (Aaron Gable)
Date: Thu, 17 Dec 2020 10:35:13 -0800
Subject: [cabfpub] Microsoft and Baseline OCSP Next Update Requirements
Message-ID:

Hi everyone,

The Microsoft Trusted Root Program Requirements (https://docs.microsoft.com/en-us/security/trusted-root/program-requirements, henceforth MS) contain the following language in MS §3.C.2:

> 3.C.2. CAs that issue Server Authentication certificates must support the following OCSP responder requirements:
> a. Minimum validity of eight (8) hours; Maximum validity of seven (7) days; and
> b. The next update must be available at least eight (8) hours before the current period expires. If the validity is more than 16 hours, then the next update must be available at ½ of the validity period.

I'm most interested in part (b). This piecewise function can be illustrated by the following examples:

* 8 hour lifetime: 8 hours before (i.e. instantaneously)
* 12 hour lifetime: 8 hours before
* 16 hour lifetime: 8 hours before
* 20 hour lifetime: 10 hours before
* 80 hour lifetime: 40 hours before

As of ballot SC31 (Browser Alignment), version 1.7.3 of the Baseline Requirements (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf, henceforth BR) contains the following language in BR §4.9.10:

> 1. OCSP responses MUST have a validity interval greater than or equal to eight hours;
> 2. OCSP responses MUST have a validity interval less than or equal to ten days;
> 3. For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate.
> 4. For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate.

As above, I'm most interested in parts (3) and (4). This piecewise function can be illustrated by these examples:

* 8 hour lifetime: 4 hours before
* 12 hour lifetime: 6 hours before
* 16 hour lifetime: 8 hours before
* 20 hour lifetime: 8 hours before
* 80 hour lifetime: 8 hours before

Both of these separate the requirements for when the next update must be available into two domains: for OCSP responses with validity less than 16 hours, and ones with validity greater than or equal to 16 hours. However, their behavior in these two domains is *exactly opposed*. MS §3.C.2 requires that responses be available 8 hours prior in the "8-16 hours validity" domain, and at half the lifetime in the "16+ hours validity" domain. BR §4.9.10 requires that responses be available 8 hours prior in the "16+ hours validity" domain, and at half the lifetime in the "8-16 hours validity" domain.

Of course, these requirements are not contradictory. At all possible validity intervals, the Microsoft requirements are stricter (i.e. require the next update to be available earlier), so a CA can simply abide by the Microsoft requirements and be in conformance with everything. But this reversal is so precise that it seems at first that it must be a mistake. However, some spelunking through the drafts of Ballot SC31 shows that the language now incorporated into the BRs was in fact suggested by Microsoft.

In the very first draft of SC31, the language proposed for BR §4.9.10 was identical to the language currently found in MS §3.C.2:
https://github.com/cabforum/servercert/pull/195/commits/f4860a596625e2167aa3fea06b17ee07900a3a7a#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1143

Later, an update titled "Incorporate feedback from Microsoft" reversed the requirements, producing the language which made it into the final ballot and the BRs:
https://github.com/cabforum/servercert/pull/195/commits/e824ca10671c3b428009091bd0e78f8a7f39ddb1#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1145

However, I have been unable to find any discussion on this list or elsewhere in which that feedback was provided, so the reasoning behind this change is unclear.

This raises two questions for me, which I hope the members of this list will be able to address:

1) What was the reasoning behind the reversal of this piecewise function between the version included in MS §3.C.2 and the version proposed in SC31 and incorporated into BR §4.9.10?

2) Does Microsoft plan to remove its own requirements from MS §3.C.2, now that the baseline requirements have "aligned" on Microsoft's proposal?

Thank you,
Aaron
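The two piecewise rules above, written out as code so they can be compared mechanically. This is an added example, not part of Aaron's message and not Let's Encrypt, Microsoft or CA/Browser Forum code. It implements MS §3.C.2(a)/(b) and BR §4.9.10 (1)-(4) as "latest time the successor response must be available" deadlines computed from a response's thisUpdate/nextUpdate, reproduces the two lists of lead times from the post, sweeps every validity interval MS permits (8 hours to 7 days) to check the claim that the Microsoft deadline is never later than the BR one, and checks a constructed response/successor pair. Two assumptions are the example's own: "next update available" / "update the information" is read as the publication time of the successor response, and the dates and the 3-day/48-hour case are constructed, not taken from any real responder.

```python
"""Added example (not from the post or any CA's code): MS 3.C.2 vs BR 4.9.10
OCSP nextUpdate rules as deadline functions, plus a comparison sweep."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)

# Arbitrary anchor for the hour-based helpers; constructed, not a real response.
_T0 = datetime(2020, 12, 17, tzinfo=timezone.utc)


@dataclass(frozen=True)
class OcspWindow:
    """thisUpdate / nextUpdate of one OCSP response."""
    this_update: datetime
    next_update: datetime

    @property
    def validity(self) -> timedelta:
        return self.next_update - self.this_update


def ms_validity_ok(w: OcspWindow) -> bool:
    """MS 3.C.2(a): 8 hours <= validity <= 7 days."""
    return 8 * HOUR <= w.validity <= 7 * DAY


def br_validity_ok(w: OcspWindow) -> bool:
    """BR 4.9.10 (1)-(2): 8 hours <= validity <= 10 days."""
    return 8 * HOUR <= w.validity <= 10 * DAY


def ms_deadline(w: OcspWindow) -> datetime:
    """MS 3.C.2(b): successor available at least 8h before expiry; if the
    validity is more than 16h, at one-half of the validity period."""
    if w.validity > 16 * HOUR:
        return w.next_update - w.validity / 2
    return w.next_update - 8 * HOUR


def br_deadline(w: OcspWindow) -> datetime:
    """BR 4.9.10 (3)-(4): validity < 16h -> half the validity before nextUpdate;
    validity >= 16h -> 8h before nextUpdate, and no later than thisUpdate + 4 days."""
    if w.validity < 16 * HOUR:
        return w.next_update - w.validity / 2
    return min(w.next_update - 8 * HOUR, w.this_update + 4 * DAY)


def window(validity_hours: float) -> OcspWindow:
    """A response of the given validity starting at the constructed anchor."""
    return OcspWindow(_T0, _T0 + validity_hours * HOUR)


def lead_hours(rule, validity_hours: float) -> float:
    """Hours before nextUpdate by which `rule` requires the successor
    (reproduces the '... hours before' lists in the post)."""
    w = window(validity_hours)
    return (w.next_update - rule(w)) / HOUR


def check(w: OcspWindow, successor_published: datetime) -> dict:
    """Compliance of one response, given when its successor was published.
    Assumption: 'next update available' means the successor's publication time."""
    return {
        "ms": ms_validity_ok(w) and successor_published <= ms_deadline(w),
        "br": br_validity_ok(w) and successor_published <= br_deadline(w),
        "ms_deadline": ms_deadline(w),
        "br_deadline": br_deadline(w),
    }


def check_hours(validity_hours: float, successor_after_hours: float) -> dict:
    """check() with both times expressed in hours after the anchor thisUpdate."""
    return check(window(validity_hours), _T0 + successor_after_hours * HOUR)


def ms_at_least_as_strict(step_hours: float = 0.5) -> bool:
    """Sweep every validity MS permits (8h..7d): is the MS deadline never
    later than the BR deadline? True confirms the claim in the post."""
    h = 8.0
    while h <= 7 * 24:
        if lead_hours(ms_deadline, h) < lead_hours(br_deadline, h):
            return False
        h += step_hours
    return True


if __name__ == "__main__":
    for h in (8, 12, 16, 20, 80):
        print(f"{h:>3}h validity: MS {lead_hours(ms_deadline, h):g}h before, "
              f"BR {lead_hours(br_deadline, h):g}h before")
    # Constructed case: 3-day response whose successor appears 48h in.
    print(check_hours(72, 48))  # BR-compliant (deadline 64h) but MS-noncompliant (36h)
    print("MS at least as strict everywhere:", ms_at_least_as_strict())
```

The 3-day case is the practical point for a CA: publishing the next response 48 hours into a 72-hour window is fine under BR §4.9.10 (deadline is nextUpdate minus 8 hours) but late under MS §3.C.2 (deadline is the halfway mark, 36 hours). The sweep also shows where the BR's separate "no later than four days after thisUpdate" cap starts to matter: for a 5-day response it pulls the BR deadline to 24 hours before nextUpdate, still later than the 60 hours MS requires.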
Name: smime.p7s Type: application/pkcs7-signature Size: 3699 bytes Desc: not available URL: From dean.coclin at digicert.com Fri Dec 4 14:22:19 2020 From: dean.coclin at digicert.com (Dean Coclin) Date: Fri, 4 Dec 2020 14:22:19 +0000 Subject: [cabfpub] Draft CA/Browser Forum agenda - Thursday, December 10, 2020 at 11:30 am Eastern Time Message-ID: Here is the draft CA/B Forum agenda for the teleconference described in the subject of this message. CA/Browser Forum Agenda Time Start(ET) Stop Item Description Presenters 0:02 11:30 11:32 1. Roll Call Dean 0:01 11:32 11:33 2. Read Antitrust Statement 0:01 11:33 11:34 3. Review Agenda 0:01 11:34 11:35 4. Approval of minutes of last call Dean 0:05 11:35 11:40 5. Forum Infrastructure Subcommittee update Jos 0:05 11:40 11:45 6. Code Signing Certificate Working Group update Dean 0:05 11:45 11:50 7. S/MIME Certificate Working Group update Stephen 0:05 11:50 11:55 8. Looking ahead at 2021 F2F meeting schedule Dean 0:04 11:55 11:59 9 Any Other Business 0:01 11:59 12:00 10. Next call: NO MEETING December 24th. Next call January 7th Adjourn; F2F Meeting Schedule: * 2021: Feb-March VIRTUAL, June -Virtual, October - Minneapolis (OATI) * 2022: Mar-April New Delhi / Bengaluru (e-Mudhra), June - [Open], October - [Open] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4916 bytes Desc: not available URL: From dean.coclin at digicert.com Mon Dec 7 15:04:58 2020 From: dean.coclin at digicert.com (Dean Coclin) Date: Mon, 7 Dec 2020 15:04:58 +0000 Subject: [cabfpub] Final CA/Browser Forum agenda - Thursday, December 10, 2020 at 11:30 am Eastern Time Message-ID: Here is the final CA/B Forum agenda for the teleconference described in the subject of this message. CA/Browser Forum Agenda Time Start(ET) Stop Item Description Presenters 0:02 11:30 11:32 1. 
Roll Call Dean 0:01 11:32 11:33 2. Read Antitrust Statement 0:01 11:33 11:34 3. Review Agenda 0:01 11:34 11:35 4. Approval of minutes of last call Dean 0:05 11:35 11:40 5. Forum Infrastructure Subcommittee update Jos 0:05 11:40 11:45 6. Code Signing Certificate Working Group update Dean 0:05 11:45 11:50 7. S/MIME Certificate Working Group update Stephen 0:05 11:50 11:55 8. Looking ahead at 2021 F2F meeting schedule Dean 0:04 11:55 11:59 9 Any Other Business 0:01 11:59 12:00 10. Next call: NO MEETING December 24th. Next call January 7th Adjourn; F2F Meeting Schedule: * 2021: Feb-March VIRTUAL, June -Virtual, October - Minneapolis (OATI) * 2022: Mar-April New Delhi / Bengaluru (e-Mudhra), June - [Open], October - [Open] * Potential hosts (from postponed meetings): Globalsign, Cisco, Certum -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4916 bytes Desc: not available URL: From dean.coclin at digicert.com Thu Dec 10 17:16:23 2020 From: dean.coclin at digicert.com (Dean Coclin) Date: Thu, 10 Dec 2020 17:16:23 +0000 Subject: [cabfpub] Final Minutes for CA/Browser Forum Teleconference - November 12, 2020 Message-ID: These are the approved minutes of the subject meeting: Attendees (in alphabetical order) Adrian Mueller (SwissSign), Amanda Mendieta (Apple), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Christy Berghoff (Federal PKI), Curt Spann (Apple), Daniela Hood (GoDaddy), David Kluge (Google), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Karina 
Sirota (Microsoft), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority) Minutes CA/B Forum Meeting Minutes (2020-11-12) Dean Coclin (DigiCert) CA/B Forum Chair Administrative Updates * Anti-trust statement was read * Agenda was published. No comments. * Approval of Face-to-Face 51 minutes o No comments. Minutes approved. Forum Infrastructure Subcommittee Jos Purvis (Cisco) CA/B Forum Vice Chair * Conversion of CA/B Forum GIT Repository into separate sub-repositories o All repositories created and working out final details * Ryan Sleevi (Google) asked for owners in email to add 2FA or ask to be removed as an owner o At this point, only 2 members remaining without 2FA. Ryan will send them a direct email. o At this point, 2FA will be enabled. * Jim Gorz (GoDaddy) has been preparing to move the mailer host o He?ll post a change date once it is available to ensure we do not have discussions or voting periods during the migration to the new host Code Signing Certificate Working Group Dean Coclin (DigiCert) CA/B Forum Chair * CSCWG-4: Review period ended. Bruce published final version and it is up and running * Ian McMillan (Microsoft) proposed Key Protection ballot. This is about cloud based key protection requirements. Clarification needed on log retention. USB tokens needed for that. Auditing discussed. * Question about clarifying timeline for 3072 bit keys. 
Now June 2021. * If root issued before 2021 and is 2048 key size, can it still be used. Ian McMillan is going to get clarity. * Bruce Morton (Entrust) is investigating EV vs. Non-EV requirements in BRs. S/MIME Working Group Stephen Davidson (DigiCert) * Telia interested in participating in working group * Working group is currently at 38 members * Fast approaching stage of using GitHub o Steven will work with Infrastructure Subcommittee to use GitHub for S/MIME * Leaf certificate profile o Reviewed data within fields o Working on aligning format (table type) with what other working groups are using Additional Administrative Updates * Member applications o Jos Purvis (Cisco) will follow-up with members requesting to join the CA/B Forum o Stephen Davidson (DigiCert) will follow up with Telia regarding the S/MIME Working Group membership request * Responding to Mailing List Questions * Dean Coclin (DigiCert) discussed the process for how to respond to the questions list. If Dean can answer administrative questions, he?ll respond immediately. If the questions are more unique or not ?administrative?, he?ll ask for input from the group before sending a response. o Dean asked if anyone has any issues with how he?s been responding so far. No concerns were raised. * Next Meeting o The next scheduled meeting is canceled because it lands on the U.S. holiday of Thanksgiving. o December 10th is the now the next meeting. Adjourned F2F Meeting Schedule: * 2021: Feb-March -- Virtual, June ? Poland (Asseco-Certum), October - Minneapolis (OATI) * 2022: Mar-April New Delhi / Bengaluru (e-Mudhra), June - [Open], October - [Open] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/pkcs7-signature Size: 4916 bytes Desc: not available URL: From jopurvis at cisco.com Mon Dec 14 19:21:12 2020 From: jopurvis at cisco.com (Jos Purvis (jopurvis)) Date: Mon, 14 Dec 2020 19:21:12 +0000 Subject: [cabfpub] Final Minutes for CA/Browser Forum Teleconference - November 12, 2020 In-Reply-To: <010001764da785e1-2f61dc1a-9fbc-4985-80af-5529951a8ed7-000000@email.amazonses.com> References: <010001764da785e1-2f61dc1a-9fbc-4985-80af-5529951a8ed7-000000@email.amazonses.com> Message-ID: <416C6450-C406-49CE-ADC0-DE0BD38C084B@cisco.com> Published! -- Jos Purvis (jopurvis at cisco.com) .:|:.:|:. cisco systems | Cryptographic Services PGP: 0xFD802FEE07D19105 | Controls and Trust Verification From: Public on behalf of CA/B Forum Public List Reply-To: Dean Coclin , CA/B Forum Public List Date: Thursday, December 10, 2020 at 12:17 PM To: CA/B Forum Public List Subject: [cabfpub] Final Minutes for CA/Browser Forum Teleconference - November 12, 2020 These are the approved minutes of the subject meeting: Attendees (in alphabetical order) Adrian Mueller (SwissSign), Amanda Mendieta (Apple), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Christy Berghoff (Federal PKI), Curt Spann (Apple), Daniela Hood (GoDaddy), David Kluge (Google), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic 
(Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority) Minutes CA/B Forum Meeting Minutes (2020-11-12) Dean Coclin (DigiCert) CA/B Forum Chair Administrative Updates ? Anti-trust statement was read ? Agenda was published. No comments. ? Approval of Face-to-Face 51 minutes o No comments. Minutes approved. Forum Infrastructure Subcommittee Jos Purvis (Cisco) CA/B Forum Vice Chair ? Conversion of CA/B Forum GIT Repository into separate sub-repositories o All repositories created and working out final details ? Ryan Sleevi (Google) asked for owners in email to add 2FA or ask to be removed as an owner o At this point, only 2 members remaining without 2FA. Ryan will send them a direct email. o At this point, 2FA will be enabled. ? Jim Gorz (GoDaddy) has been preparing to move the mailer host o He?ll post a change date once it is available to ensure we do not have discussions or voting periods during the migration to the new host Code Signing Certificate Working Group Dean Coclin (DigiCert) CA/B Forum Chair ? CSCWG-4: Review period ended. Bruce published final version and it is up and running ? Ian McMillan (Microsoft) proposed Key Protection ballot. This is about cloud based key protection requirements. Clarification needed on log retention. USB tokens needed for that. Auditing discussed. ? Question about clarifying timeline for 3072 bit keys. Now June 2021. ? If root issued before 2021 and is 2048 key size, can it still be used. Ian McMillan is going to get clarity. ? Bruce Morton (Entrust) is investigating EV vs. Non-EV requirements in BRs. S/MIME Working Group Stephen Davidson (DigiCert) ? Telia interested in participating in working group ? 
Working group is currently at 38 members ? Fast approaching stage of using GitHub o Steven will work with Infrastructure Subcommittee to use GitHub for S/MIME ? Leaf certificate profile o Reviewed data within fields o Working on aligning format (table type) with what other working groups are using Additional Administrative Updates ? Member applications o Jos Purvis (Cisco) will follow-up with members requesting to join the CA/B Forum o Stephen Davidson (DigiCert) will follow up with Telia regarding the S/MIME Working Group membership request ? Responding to Mailing List Questions ? Dean Coclin (DigiCert) discussed the process for how to respond to the questions list. If Dean can answer administrative questions, he?ll respond immediately. If the questions are more unique or not ?administrative?, he?ll ask for input from the group before sending a response. o Dean asked if anyone has any issues with how he?s been responding so far. No concerns were raised. ? Next Meeting o The next scheduled meeting is canceled because it lands on the U.S. holiday of Thanksgiving. o December 10th is the now the next meeting. Adjourned F2F Meeting Schedule: 2021: Feb-March -- Virtual, June ? Poland (Asseco-Certum), October - Minneapolis (OATI) 2022: Mar-April New Delhi / Bengaluru (e-Mudhra), June - [Open], October - [Open] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3699 bytes
Desc: not available
URL:

From aaron at letsencrypt.org Thu Dec 17 18:35:13 2020
From: aaron at letsencrypt.org (Aaron Gable)
Date: Thu, 17 Dec 2020 10:35:13 -0800
Subject: [cabfpub] Microsoft and Baseline OCSP Next Update Requirements
Message-ID:

Hi everyone,

The Microsoft Trusted Root Program Requirements (https://docs.microsoft.com/en-us/security/trusted-root/program-requirements, henceforth MS) contain the following language in MS §3.C.2:

> 3.C.2. CAs that issue Server Authentication certificates must support the following OCSP responder requirements:
> a. Minimum validity of eight (8) hours; Maximum validity of seven (7) days; and
> b. The next update must be available at least eight (8) hours before the current period expires. If the validity is more than 16 hours, then the next update must be available at ½ of the validity period.

I'm most interested in part (b). This piecewise function can be illustrated by the following examples:

* 8 hour lifetime: 8 hours before (i.e. instantaneously)
* 12 hour lifetime: 8 hours before
* 16 hour lifetime: 8 hours before
* 20 hour lifetime: 10 hours before
* 80 hour lifetime: 40 hours before

As of ballot SC31 (Browser Alignment), version 1.7.3 of the Baseline Requirements (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf, henceforth BR) contains the following language in BR §4.9.10:

> 1. OCSP responses MUST have a validity interval greater than or equal to eight hours;
> 2. OCSP responses MUST have a validity interval less than or equal to ten days;
> 3. For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate.
> 4. For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate.

As above, I'm most interested in parts (3) and (4). This piecewise function can be illustrated by these examples:

* 8 hour lifetime: 4 hours before
* 12 hour lifetime: 6 hours before
* 16 hour lifetime: 8 hours before
* 20 hour lifetime: 8 hours before
* 80 hour lifetime: 8 hours before

Both of these separate the requirements for when the next update must be available into two domains: for OCSP responses with validity less than 16 hours, and ones with validity greater than or equal to 16 hours. However, their behavior in these two domains is *exactly opposed*. MS §3.C.2 requires that responses be available 8 hours prior in the "8-16 hours validity" domain, and at half the lifetime in the "16+ hours validity" domain. BR §4.9.10 requires that responses be available 8 hours prior in the "16+ hours validity" domain, and at half the lifetime in the "8-16 hours validity" domain.

Of course, these requirements are not contradictory. At all possible validity intervals, the Microsoft requirements are stricter (i.e. require the next update to be available earlier), so a CA can simply abide by the Microsoft requirements and be in conformance with everything. But this reversal is so precise that it seems at first that it must be a mistake. However, some spelunking through the drafts of Ballot SC31 shows that the language now incorporated into the BRs was in fact suggested by Microsoft.
In the very first draft of SC31, the language proposed for BR §4.9.10 was identical to the language currently found in MS §3.C.2:

https://github.com/cabforum/servercert/pull/195/commits/f4860a596625e2167aa3fea06b17ee07900a3a7a#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1143

Later, an update titled "Incorporate feedback from Microsoft" reversed the requirements, producing the language which made it into the final ballot and the BRs:

https://github.com/cabforum/servercert/pull/195/commits/e824ca10671c3b428009091bd0e78f8a7f39ddb1#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1145

However, I have been unable to find any discussion on this list or elsewhere in which that feedback was provided, so the reasoning behind this change is unclear.

This raises two questions for me, which I hope the members of this list will be able to address:

1) What was the reasoning behind the reversal of this piecewise function between the version included in MS §3.C.2 and the version proposed in SC31 and incorporated into BR §4.9.10?

2) Does Microsoft plan to remove its own requirements from MS §3.C.2, now that the baseline requirements have "aligned" on Microsoft's proposal?

Thank you,
Aaron

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
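The two lead-time rules compared in Aaron's message, written out as an added example (this is not code from the post, from Microsoft or from the Forum). It encodes MS §3.C.2(a)/(b) and BR §4.9.10 items (1) to (4) as functions of a response's validity interval, including the BR's extra "no later than four days after thisUpdate" cap, reproduces the two example lists, and checks a constructed response/successor pair against both regimes. The function names, the anchor timestamp and the sample offsets are assumptions of the example.

```python
"""Added example: when must the successor OCSP response be published?

Compares the Microsoft Trusted Root Program rule (MS 3.C.2) with the
Baseline Requirements rule (BR 4.9.10, v1.7.3). Constructed inputs only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)

# Allowed validity interval (thisUpdate -> nextUpdate) of a single response.
MS_MIN, MS_MAX = 8 * HOUR, 7 * DAY     # MS 3.C.2(a)
BR_MIN, BR_MAX = 8 * HOUR, 10 * DAY    # BR 4.9.10 items (1) and (2)


def ms_lead_time(validity: timedelta) -> timedelta:
    """MS 3.C.2(b): successor due 8h before expiry; above 16h validity, at half the period."""
    return validity / 2 if validity > 16 * HOUR else 8 * HOUR


def br_lead_time(validity: timedelta) -> timedelta:
    """BR 4.9.10 (3)/(4): half the period below 16h; 8h before nextUpdate at or above 16h.
    The additional 'four days after thisUpdate' cap of item (4) is applied in
    successor_deadlines(), because it depends on thisUpdate rather than on the lead time."""
    return validity / 2 if validity < 16 * HOUR else 8 * HOUR


def lead_times_table(hours: list[int]) -> list[tuple[int, float, float]]:
    """(validity hours, MS lead hours, BR lead hours): reproduces the two example lists."""
    return [(h, ms_lead_time(h * HOUR) / HOUR, br_lead_time(h * HOUR) / HOUR) for h in hours]


def successor_deadlines(this_update: datetime, next_update: datetime):
    """Latest moment the successor may be published under each regime.
    None means the validity interval itself is outside what that regime allows."""
    validity = next_update - this_update
    ms = next_update - ms_lead_time(validity) if MS_MIN <= validity <= MS_MAX else None
    br = None
    if BR_MIN <= validity <= BR_MAX:
        br = next_update - br_lead_time(validity)
        if validity >= 16 * HOUR:                     # BR 4.9.10 item (4) cap
            br = min(br, this_update + 4 * DAY)
    return ms, br


@dataclass(frozen=True)
class Verdict:
    ms_deadline: datetime | None
    br_deadline: datetime | None
    ms_ok: bool
    br_ok: bool


def evaluate(this_update: datetime, next_update: datetime, successor_published: datetime) -> Verdict:
    """Check one response and the publication time of its successor against both regimes."""
    ms, br = successor_deadlines(this_update, next_update)
    return Verdict(ms, br,
                   ms is not None and successor_published <= ms,
                   br is not None and successor_published <= br)


def evaluate_offsets(validity_hours: float, published_after_hours: float) -> tuple[bool, bool]:
    """Same check expressed as hours after thisUpdate (anchor time is constructed)."""
    t0 = datetime(2020, 12, 17, tzinfo=timezone.utc)
    v = evaluate(t0, t0 + validity_hours * HOUR, t0 + published_after_hours * HOUR)
    return v.ms_ok, v.br_ok


def ms_never_looser(max_hours: int = 7 * 24) -> bool:
    """Aaron's claim: over MS's whole 8h..7d range the MS deadline is never later than the BR one."""
    t0 = datetime(2020, 12, 17, tzinfo=timezone.utc)
    for h in range(8, max_hours + 1):
        ms, br = successor_deadlines(t0, t0 + h * HOUR)
        if ms is None or br is None or ms > br:
            return False
    return True


if __name__ == "__main__":
    for row in lead_times_table([8, 12, 16, 20, 80]):
        print("%3dh validity: MS %5.1fh before nextUpdate, BR %5.1fh before nextUpdate" % row)
    print("80h response, successor published at +45h: MS ok=%s, BR ok=%s" % evaluate_offsets(80, 45))
    print("MS deadline never later than BR deadline over 8h..7d:", ms_never_looser())
```

Running it prints the same five-row tables as the message and confirms the "stricter at all intervals" observation for every whole-hour validity within the MS range; the BR's four-day cap narrows the gap for long-lived responses but never overtakes the MS half-life rule below seven days. A CA that schedules publication from `successor_deadlines()` with the MS value therefore satisfies both documents, while a response longer than seven days is simply outside MS 3.C.2(a) and only the BR deadline applies.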