[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - March 7, 2019
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Sun Mar 17 08:36:39 MST 2019
These are the Final Minutes of the Teleconference described in the
subject of this message.
Attendees (in alphabetical order)
Anna Weinberg (Apple), Ben Wilson (Digicert), Bruce Morton (Entrust
Datacard), Chris Kemmerer (SSL.com), Daymion Reynolds (GoDaddy), Dean
Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie
(GlobalSign), Dustin Hollenback (Microsoft), Frank Corday (SecureTrust),
Geoff Keating (Apple), Inaba Atsushi (GlobalSign), Iñigo Barreira (360
Browser), Joanna Fox (GoDaddy), Kirk Hall (Entrust Datacard), Li-Chun
Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Mahmud Khair
(SecureTrust), Marcelo Silva (Visa), Michelle Coon (OATI), Mike Reilly
(Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter
(SecureTrust), Rich Smith (Sectigo), Robin Alden (Sectigo), Ryan Sleevi
(Google), Shelley Brewer (Digicert), Tim Shirley (SecureTrust), Trevoli
Ponds-White (Amazon), Wayne Thayer (Mozilla).
1. Roll Call
The Chair took attendance.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
The Agenda was approved.
4. Approval of Minutes of previous teleconference
The minutes of the February 21, 2019 teleconference were approved and will
be posted to the Public list and the Public web site.
5. Validation Subcommittee Update
Dean attended the last call and mentioned that it was a very short call
and there was nothing to report.
6. NetSec Subcommittee Update
Ben reported that the subcommittee agreed to separate out some work in
smaller groups. Currently three sub-groups were identified:
- "Threat modelling" (Fotis, Trev, Nick)
- "documents structure" (Ben, Tim Hollebeek, Dimitris)
- "pain points" (David, Tim Crawford, Corey)
- "authentication access control" (Trev, Ben, Fotis)
Anyone interested in participating in those sub-groups can contact Ben
for more information.
Dean asked whether there are specific tasks and results expected; for
example, he asked about the "Threat modelling" sub-group and whether there
is a threat modelling statement or summary. What is the
One of the conclusions was that we don't have to select one path forward;
it is better to try parallel paths, and there are different paths for
different areas. For example, the threat-modelling sub-group
would look at security at a macro level. The document structure
sub-group would also look at structuring security documents at a macro
level. Another sub-group might look at very specific "pain points" in
current documents and try to improve/fix the language. Another example
is the "authentication access control" sub-group that might take a look
at "passwords" in access control systems.
Trev commented that the subcommittee agreed there is a need for broader
changes, but that smaller, more practical changes are needed at the same
time, and this justified the parallel paths.
Dean mentioned that, in his experience, it would be best if these
sub-groups had a specific set of tasks, described the goal of those tasks
(whether they are going to create a "white paper" or a "network diagram" or
something else) and delivered them back following some timeline.
Otherwise, he feels that this work will probably go on forever.
7. Ballot Status
Ballots in Discussion Period
Ballot SC16: Other Subject Attributes (Wayne)
Wayne mentioned that there are no comments in the discussion period
which ends on Friday March 8 and asked members to take a look. If he
receives no comments he plans on starting the voting period on that day.
Dimitris asked about the OU field whether it has a pointer to the
Baseline Requirements. Wayne responded that he copied the language from
the Baseline Requirements to the EV Guidelines. Basically, it allows
unvalidated information to be included in the EV Certificate in the OU
field as long as it's not misleading. In addition, the ballot explicitly
allows the OU field and explicitly forbids other Subject attributes if
they are not explicitly specified in the EV Guidelines. Adding a new
Subject attribute would mean that the EV guidelines would need to be
updated to support this new attribute.
Dimitris mentioned that he could have used language similar to that of the
street address field, which points to the Baseline Requirements, so we
don't have to change two locations when we need to make a change. Wayne
said that this could be a possible way to write it, but that's not how
the current ballot is written.
Dean commented that this ballot basically raises the bar of EV to only
have information that is explicitly allowed and the validation is
described in the Guidelines. Wayne mentioned that the ballot basically
tries to clarify the language of section 9.2.8 of the EV guidelines
because the way it is currently written, that section contradicts
itself. It also clarifies a section of the Baseline Requirements about
Ballots in Voting Period
Ballots in Review Period
Ballot SC7: Update IP Address Validation Methods (Wayne)
Ballot SC14: Updated Phone Validation Methods (Doug)
Ballot SC15: Remove Validation Method Number 9 (Doug)
Draft Ballots under Consideration
Improvements for Method 6, website control (Tim H.)
No additional comments were made.
8. SCWG - F2F Agenda
Dimitris described the recent changes to the agenda, and specifically a
discussion about the differences between the current guidelines document
(PDF) and the document (PDF) automatically generated from GitHub.
He also mentioned that there is a proposal to end the second day
(Thursday) sooner and launch a "hackathon" that could work (among other
tasks) on improving the generation of PDFs from GitHub based on the
9. Any Other Business
Doug mentioned that this weekend (specifically on March 10th), the US
switches to Daylight Saving Time.
10. Next call
March 21, 2019 at 11:00 am Eastern Time.