[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - May 2, 2019

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu May 16 18:23:26 MST 2019


These are the Final Minutes of the Teleconference described in the 
subject of this message.


    Attendees (in alphabetical order)

Antonio Perez (GoDaddy), Ben Wilson (Digicert), Chris Kemmerer 
(SSL.com), Dean Coclin (Digicert), Devon O'Brien (Google), Doug Beattie 
(GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), 
Frank Corday (SecureTrust), Geoff Keating (Apple), India Donald (US 
Federal PKI Management Authority), Joanna Fox (GoDaddy), Jos Purvis 
(Cisco Systems), Kenneth Myers (US Federal PKI Management Authority), 
Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mads 
Henriksveen (Buypass AS), Michael Guenther (SwissSign), Michelle Coon 
(OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko 
Carpenter (SecureTrust), Peter Miskovic (Disig), Rich Smith (Sectigo), 
Robin Alden (Sectigo), Scott Rea (Dark Matter), Shelley Brewer 
(Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley 
(SecureTrust), Timo Schmitt (SwissSign), Trevoli Ponds-White (Amazon), 
Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).


    Minutes


      1. Roll Call

The Vice-Chair took attendance.


      2. Read Antitrust Statement

The Antitrust Statement was read.


      3. Review Agenda

The Agenda was approved.


      4. Approval of minutes from F2F 46 and previous teleconference


The minutes from F2F 46 were approved and will be published on the 
public web site.

The minutes from the previous teleconference were approved and will be 
circulated to the public list.


      5. Validation Subcommittee Update

Tim H. gave the update. There was a brief discussion for SC17 on the 
validation subcommittee call. There will be a new version coming up 
later today or tomorrow trying to resolve some parsing ambiguities due 
to the "hyphen" character. There will be at least one more version sent 
out before voting begins. The SC also discussed method 10 and Ryan was 
going to report on the status of the new ALPN RFC at IETF. The SC is 
also looking for a volunteer to draft a ballot for improving method 6.


      6. NetSec Subcommittee Update

Ben gave the report. The SC is working on a draft ballot to improve the 
language of 1.h of the Network Security Requirements (the one that 
discusses monitoring and detection of issues in logs) and to move it to 
another section that is more suitable for monitoring and alerting.

There was discussion about differences between online and offline CAs 
which should probably be taken into account and resolved before trying 
to work on 1.h.

Another ballot concerns log integrity and integrity controls. The SC has 
concerns about the "human review" factor and is trying to focus more on 
automated tools and de-emphasize the human review element.

The SC also intends to reorganize the framework used for the NetSec 
requirements, creating some high-level statements and then expanding 
them into more granular statements. Six major principles need to be 
followed:

 1. implementing an information security program (which should be based
    on other industry standards), with an annotated section that will
    cross-reference other standards as examples;
 2. trusted roles (properly vetted), with some expectations for them;
 3. maintaining secure networks and CA systems, which currently has
    about 10 controls associated with it;
 4. strong access control measures, which currently has about 10-15
    controls associated with it;
 5. monitoring and testing networks and systems, logging and alerting;
 6. vulnerability scanning and patch management, currently in section 4
    of the Network Security Requirements.

Wayne asked if this was going to be one big ballot and Ben responded 
that it would need to be broken down to smaller ballots.


      7. Ballot Status


        _Ballots in Discussion Period_

Ballot SC17: Alternative registration numbers for EU certificates (Tim H.)

No additional comments were made.


        _Ballots in Voting Period_

None


        _Ballots in Review Period_


        _Draft Ballots under Consideration_

Improvements for Method 6, website control (Tim H.)

No additional comments were made.


      8. Any Other Business

None.


      9. Next call

May 16, 2019 at 11:00 am Eastern Time.


      Adjourned

