[Servercert-wg] Draft Minutes for Server Certificate Working Group Teleconference - April 4, 2019

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Apr 18 08:49:24 MST 2019

These are the Final Minutes of the Teleconference described in the 
subject of this message.

    Attendees (in alphabetical order)

Arno Fiedler (D-TRUST), Ben Wilson (Digicert), Chris Kemmerer (SSL.com), 
Daymion Reynolds (GoDaddy), Dean Coclin (Digicert), Dimitris 
Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback 
(Microsoft), Enrico Entschew (D-TRUST), Fotis Loukos (SSL.com), Frank 
Corday (SecureTrust), Inaba Atsushi (GlobalSign), India Donald (US 
Federal PKI Management Authority), Joanna Fox (GoDaddy), Jos Purvis 
(Cisco Systems), Kirk Hall (Entrust Datacard), Marcelo Silva (Visa), 
Michael Guenther (SwissSign), Michelle Coon (OATI), Mike Reilly 
(Microsoft), Neil Dunbar (TrustCor Systems), Rich Smith (Sectigo), Scott 
Rea (Dark Matter), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim 
Hollebeek (Digicert), Tim Shirley (SecureTrust), Trevoli Ponds-White 
(Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management 


      1. Roll Call

The Chair took attendance

      2. Read Antitrust Statement

The Antitrust Statement was read

      3. Review Agenda

The Agenda was approved.

      4. Pending minutes from F2F 46

The minutes from F2F 46 are almost complete. Dimitris sent a reminder to 
a few minute-takers that haven't added the minutes of some sessions and 
will send another reminder on Friday April 5th.

      5. Validation Subcommittee Update

The Validation Subcommittee had a quick call and discussed the results 
of the F2F and priorities. The next two things the SC will work on is 
Ballot SC5 which is a phone validation method (Doug is working on that), 
and ballot SC6 (still looking for someone to work on it). Also the TLS 
ALPN ballot is on hold until the RFC is finalized.

      6. NetSec Subcommittee Update

Ben reported that the subcommittee had a call and will have another one 
after this one. The SC looked at the F2F minutes and focused on the 
discussions on the pain points and what the process should be to address 
the 9 items on that list. This sub-group meets every Monday. 2 items 
will be addressed by the Authentication and Access Control sub-group. 
There was also another sub-group meeting for the document restructure 
that went through the PCI-DSS framework. The threat modelling group is 
planning a call today.

Dimitris proposed that if these sub-groups meet regularly, we should 
probably add these meeting slots on the wiki section where all meetings 
are listed. Ben agreed and will follow-up to add this information on the 

      7. Ballot Status

        _Ballots in Discussion Period_

//Ballot /////SC17: Alternative registration numbers for EU 
certificates///(Tim H.)/

/Dimitris mentioned that there were some comments posted related to 
ballot SC17 and he and Tim are trying to address those comments. He is 
working with Tim to create a version 3 addressing as many 
comments/concerns as possible. Tim has been traveling the past weeks so 
the ballot update is moving slower than usual.

Some of the changes include:
- formatting improvements
- moving the alternative encoding of the subject:organizationIdentifier 
value to an extension instead of a separate subject Distinguished Name 
- making the alternative encoding a recommendation (SHOULD) in the 
beginning and a requirement (SHALL) after 12 months so that CAs have 
time to properly adjust their CA software to accommodate this extension 
along with the organizationIdentifier subjectDN attribute.

As soon as Tim is able to review the latest updates, a new version will 
be distributed to the public list. Finally, the name of the ballot will 
probably need to be changed because it doesn't only support "EU" 
Certificates but identifiers outside EU as well.

_*Ballots in Voting Period*_


_*Ballots in Review Period*_

/Ballot SC16: Other Subject Attributes/ (Wayne)

        _Draft Ballots under Consideration_

//Improvements for Method 5, Phone Contact with DNS CAA Phone Contact/ 
//No additional comments were made.//
Improvements for Method 6, website control/ (Tim H.)/
/No additional comments were made.

      8. Harmonization of WebTrust and ETSI with SCWG Guidelines

Dimitris asked if there is an official process to inform WebTrust or 
ETSI when a new version of the Guidelines is published, so they can be 
added in the update process of the corresponding standards of these two 
organizations. Especially the latest BRs version 1.6.4 incorporates 3 
ballots and introduces significant changes. It appeared that there is no 
such process and these organizations monitor the updates of the Forum 
guidelines and try to incorporate these changes in their next update cycle.

Dimitris recalled having heard about a maximum duration (not expressed 
as a requirement but as a best effort expectation) for how long it takes 
for a version of the Guidelines to be incorporated in the relevant 
standard by WebTrust and ETSI.

Arno responded that there is no official process because it depends on 
the requirement. ETSI has an update process which may take between days, 
weeks, months. He believes that defining a timeframe is quite difficult. 
Dimitris asked if it would be reasonable to set a timeframe based on 
past experience (e.g 6, 9, 12 months). Arno mentioned that ETSI has been 
collaborating with the forum for the past 10 years and doesn't 
understand why we should put additional burden on WebTrust and ETSI. 
There is also a chance that a requirement from the Forum is not accepted 
by WebTrust or ETSI, it is a possibility. He prefers to leave things as 
they are today.

Wayne recalled some previous conversations on this topic and at one 
point it was suggested that the BRs are updated in certain times of the 
year and there were pros and cons on the decision of doing that or not. 
He recommended that if we want to go down that road, we should look back 
to previous minutes.

Dimitris clarified that he added this slot to make sure he is following 
some expected notification process and it seems there is no official 
notification process which means that WebTrust and ETSI will pick up the 
latest versions on their own. He still thinks it is a good idea to 
notify the liaisons whenever a Guideline document is updated.

Mike Reilly recommended that we review the minutes from the Taipei 
meeting (F2F 42) where this particular topic was discussed.

      9. Any Other Business


      10. Next call

April 18, 2019 at 11:00 am Eastern Time.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190418/27af88de/attachment-0001.html>

More information about the Servercert-wg mailing list