[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - March 7, 2019

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Sun Mar 17 08:36:39 MST 2019


These are the Final Minutes of the Teleconference described in the 
subject of this message.


    Attendees (in alphabetical order)

Anna Weinberg (Apple), Ben Wilson (Digicert), Bruce Morton (Entrust 
Datacard), Chris Kemmerer (SSL.com), Daymion Reynolds (GoDaddy), Dean 
Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie 
(GlobalSign), Dustin Hollenback (Microsoft), Frank Corday (SecureTrust), 
Geoff Keating (Apple), Inaba Atsushi (GlobalSign), Iñigo Barreira (360 
Browser), Joanna Fox (GoDaddy), Kirk Hall (Entrust Datacard), Li-Chun 
Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Mahmud Khair 
(SecureTrust), Marcelo Silva (Visa), Michelle Coon (OATI), Mike Reilly 
(Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter 
(SecureTrust), Rich Smith (Sectigo), Robin Alden (Sectigo), Ryan Sleevi 
(Google), Shelley Brewer (Digicert), Tim Shirley (SecureTrust), Trevoli 
Ponds-White (Amazon), Wayne Thayer (Mozilla).


    Minutes


      1. Roll Call

The Chair took attendance.


      2. Read Antitrust Statement

The Antitrust Statement was read.


      3. Review Agenda

The Agenda was approved.


      4. Approval of Minutes of previous teleconference


The minutes of the February 21, 2019 teleconference were approved and will 
be posted to the Public list and the Public web site.


      5. Validation Subcommittee Update

Dean attended the last call and mentioned that it was a very short call 
and there was nothing to report.


      6. NetSec Subcommittee Update

Ben reported that the subcommittee agreed to separate out some work in 
smaller groups. Currently three sub-groups were identified:
- "Threat modelling" (Fotis, Trev, Nick)
- "documents structure" (Ben, Tim Hollebeek, Dimitris)
- "pain points" (David, Tim Crawford, Corey)
- "authentication access control" (Trev, Ben, Fotis)

Anyone interested in participating in those sub-groups can contact Ben 
for more information.

Dean asked whether there are specific tasks and expected results for these 
sub-groups; for example, he asked whether the "Threat modelling" sub-group 
is expected to produce a threat modelling statement or summary, and what 
its expected goal is.

One of the conclusions was that we don't have to select a single path 
forward; it is better to try parallel paths, and different areas call for 
different paths. For example, the threat-modelling sub-group would look at 
security at a macro level. The document structure sub-group would also 
look at structuring the security documents at a macro level. Another 
sub-group might look at very specific "pain points" in the current 
documents and try to improve or fix the language. Another example is the 
"authentication access control" sub-group, which might take a look at 
"passwords" in access control systems.

Trev commented that the subcommittee agreed that there is a need for 
broader changes, but at the same time a need for smaller, more practical 
changes, and this justified the parallel paths.

Dean mentioned that, in his experience, it would be best if these 
sub-groups had a specific set of tasks, described the goal of those tasks 
(whether they are going to create a "white paper", a "network diagram" or 
something else) and delivered them back following a timeline. Otherwise, 
he feels that this work will probably go on forever.


      7. Ballot Status


        _Ballots in Discussion Period_

Ballot SC16: Other Subject Attributes (Wayne)

Wayne mentioned that there have been no comments in the discussion period, 
which ends on Friday, March 8, and asked members to take a look. If he 
receives no comments, he plans to start the voting period on that day.

Dimitris asked whether the OU field has a pointer to the Baseline 
Requirements. Wayne responded that he copied the language from the 
Baseline Requirements into the EV Guidelines. Basically, it allows 
unvalidated information to be included in the OU field of an EV 
Certificate as long as it is not misleading. In addition, the ballot 
explicitly allows the OU field and explicitly forbids other Subject 
attributes that are not explicitly specified in the EV Guidelines. Adding 
a new Subject attribute would therefore require the EV Guidelines to be 
updated to support that attribute.

Dimitris mentioned that similar language could have been used as for the 
street address field, which points to the Baseline Requirements, so that 
two locations don't have to be changed whenever a change is needed. Wayne 
said that this could be a possible way to write it, but that is not how 
the current ballot is written.

Dean commented that this ballot basically raises the bar for EV so that 
only information that is explicitly allowed, and whose validation is 
described in the Guidelines, may be included. Wayne mentioned that the 
ballot basically tries to clarify the language of section 9.2.8 of the EV 
Guidelines because, as currently written, that section contradicts 
itself. It also clarifies a section of the Baseline Requirements about 
metadata.

        _Ballots in Voting Period_

None

        _Ballots in Review Period_

Ballot SC7: Update IP Address Validation Methods (Wayne)

Ballot SC14: Updated Phone Validation Methods (Doug)

Ballot SC15: Remove Validation Method Number 9 (Doug)


        _Draft Ballots under Consideration_


Improvements for Method 6, website control (Tim H.)

No additional comments were made.


      8. SCWG - F2F Agenda

Dimitris described the recent changes to the agenda, and specifically a 
discussion about the differences between the current guidelines document 
(PDF) and the document (PDF) automatically generated from GitHub.

He also mentioned that there is a proposal to end the second day 
(Thursday) sooner and launch a "hackathon" that could work (among other 
tasks) on improving the generation of PDFs from GitHub, based on Members' 
feedback.


      9. Any Other Business

Doug mentioned that this weekend (specifically on March 10th), the US 
switches to Daylight Saving Time.


      10. Next call

March 21, 2019 at 11:00 am Eastern Time.


      Adjourned

