[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - April 2, 2020

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Apr 20 22:48:16 MST 2020


*

These are the Final Minutes of the Teleconference described in the 
subject of this message.


      Attendees (in alphabetical order)

Arno Fiedler (D-TRUST), Bruce Morton (Entrust Datacard), Clint Wilson 
(Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com), Daniela 
Hood (GoDaddy), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), 
Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico 
Entschew (D-TRUST), Inaba Atsushi (GlobalSign), Janet Hines 
(SecureTrust), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Li-Chun 
Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michelle Coon 
(OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko 
Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE 
Foundation), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden 
(Sectigo), Shelley Brewer (Digicert), Thanos Vrachnos (SSL.com), Tim 
Hollebeek (Digicert), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera 
Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), 
Wendy Brown (US Federal PKI Management Authority)


      Minutes


        1. Roll Call

The Chair took attendance.


        2. Read Antitrust Statement

Robin read the Antitrust Statement.


        3. Review Agenda, assign minute taker

Dimitris asked Wayne if he would take the minutes and Wayne accepted.


Wayne suggested that minute takers be assigned in advance.


Tim volunteered for the next meeting.


The agenda was accepted without changes.


        4. Approval of minutes from previous teleconference


Accepted without objections.


        5. Validation Subcommittee Update


Tim said that on last week’s call the committee had been planning to 
review the profiles in section 7.1 line-by-line with a default-deny 
interpretation, but didn’t do that. Discussion quickly shifted to the 
format of the profiles. The current format is split up and not clear. 
Decided it would be much clearer if the entire profile was in one place. 
And also that a table format would be clearer than the English prose 
currently used. The order should be consistent with that in the actual 
certificate and as displayed by linting tools. Discussed the skeleton of 
the profile and decided that a spreadsheet would be the best tool to 
develop it in. Agreed to discuss the layout on the next call.


Ryan said that he will be creating the spreadsheet and will share it via 
a new email thread on the Validation list. Ryan said he will start on it 
today.


Dimitris asked if the spreadsheet will start with end-entity 
certificates? Or CA certificates?


Tim said that we will start with roots because they’re simpler.


Ryan said that he plans to tackle all three, plus OCSP responder 
profiles, so that we can see how it looks with all the profiles.


        6. NetSec Subcommittee Update

Neil said that on the last call they discussed SC28 regarding changing 
the time required for audit log retention. Plan is to split this 
information into three categories: CA certificate events, subscriber 
events, and security events. Spent a lot of time trying to clarify the 
new 5.4.3 and remove repetitive information as is currently the case. 
They also discussed NCSSR requirement to remove system accounts after 3 
months of inactivity. A ballot is forthcoming. Document restructuring 
continues, with the current activity around the use of terms with clear 
and defined meanings. Lastly, there was continued discussion on ballot 
SC29. The subcommittee is meeting again today to continue those discussions.


        7. Ballot Status

Ballots in Discussion Period

SC29 System Configuration Management (Neil)

Dimitris said that it is challenging to coordinate responses to the 
discussion with the HARICA team.


Neil said that he sent a response to Dimitris that is not showing on the 
list.


Ryan said that the email sent 5 hours ago did come through.



Dimitris said that he didn’t receive the Spring Cleanup email from Ryan 
either. Dean and some others agreed. All said that Doug’s reply was 
received.


Dimitris said that we can ask GoDaddy and Jos about this.


Wayne said that since the messages are in the list archive there’s 
probably not much they can do.


Dimitris said that he is still trying to digest Ryan’s response to his 
email on SC29. There are different interpretations of the practical 
implementation permitted by SC29.


Ryan agreed and suggested that practical implementations should be 
explored on the thread. There may be a way to achieve agility with the 
proposed language.


Dimitris said that the intended implementation from Neil is something 
HARICA already does, but there is a more fundamental disagreement. For 
systems exposed to the internet, they feel it is better to auto-approve 
and install patches sooner due to the risk rather than waiting 2-3 days 
for approval.


Trev said that auto-approval could be an acceptable change management 
process. You are describing a process that has been thought through and 
a specific decision made.


Dimitris agreed.


Ryan gave the example of Windows Update on the local network or a Linux 
RPM mirror. If you have a system in place that describes how you manage 
those updates and know what’s an approved change, that’s okay.


Dimitris said that he would try to describe it better. They also have a 
process to monitor changes.


Neil said that he thought a non-change-managed system was being 
described as being desired. That’s not going to work. If you have a 
properly risk assessed and documented decision describing how a given 
system is updated, that’s a change management process.


Dimitris agreed but said that Ryan’s response didn’t seem to accommodate 
that.


Toby said that we may still not be talking about the same thing. 
Dimitris is describing updating straight from the OS vendor when it is 
determined that not accepting a patch is a greater risk.


Ryan said that directly enabling updates from a vendor is not 
acceptable. If you implement a mirror, changes can be tracked, assessed, 
and inventoried.


Dimitris said that he always knows what’s installed on the system. 
Mirroring updates from the vendor just adds an unnecessary step.


Tim said that two things should be disallowed: One is: don’t just 
require a risk management policy that is meaningless, and the other is 
to require someone who is competent to approve the updates.


Jos said that we’re conflating where you get updates - a local mirror 
doesn’t make things more secure - with deciding what to apply before you 
apply it. It doesn’t have to go through a long testing process but 
someone has to look at patches before applying them.


Ryan said that his opinion is the inverse of Jos’ and suggested it be 
discussed further on the list.


Jos said that - as long as the packages are signed - you have to trust 
your OS vendor, and pulling them to a local system only buys you so much.


Ballots in Voting Period

None


Ballots in Review Period

SC26 - Pandoc-Friendly Markdown Formatting Changes (Jos)


        Draft Ballots under Consideration

LEI ballot (Tim H)

Tim said that he’s not convinced there is enough support for it to 
continue. If people support it, please let Tim know or post to the list. 
DigiCert still supports it, but there’s no use talking about it if it’s 
not going to pass.


Spring Cleanup Ballot (Ryan)

Ryan said that there are three ballot proposals in his recent email. 
First is the Browser Alignment Ballot. Ryan is adding some new changes 
to better align with Apple’s program requirements. The Browser Alignment 
Ballot question asked by Doug on the list is if requirements from a 
particular browser root program that are more restrictive than other 
programs should go into the BRs? Are we better off putting those into 
the BRs for alignment, or not?


The second ballot is about requiring CAs to disclose the Agency of 
Registration/Agency of Incorporation sources used to validate certificates.


Finally, the Spring Cleanup ballot fixes issues in the BRs and EVGLs and 
tries to clarify confusion that has come up.


Circling back to the Browser Alignment ballot, each browser has some 
requirements that are more restrictive. Should those go into the BRs?


Doug asked if comments should be made on GitHub or on the list?


Ryan said whatever is easiest is fine but GitHub allows you to comment 
on specific lines, so it’s better for substantive discussion.


Pedro said he is not familiar with GitHub. Can we have a “GitHub for 
dummies” guidelines to get a better sense for how to use it?


Ryan said that GitHub is primarily to provide a redline - the intent 
wasn’t to force folks to use it. The Infrastructure WG is working on the 
ability to produce redlines in different formats.


Tim said that there is not a blanket answer to the question about moving 
changes from browser root programs not the BRs. DigiCert would support 
some and have issues with others. How do we deal with the fact that some 
of these changes are more or less controversial?


Ryan said that’s a good question. He consulted with root programs to get 
their requirements correct. Ryan said that if there are technical 
details to improve root program requirements, he is open to improving 
them, but root programs aren’t going to make policy changes based on 
this. Other things like phase-in time are going to be up to the programs.


Tim agreed with the approach and said that we will discuss this on the list.


        9. Any other business

None


        10. Next call

April 16th, 2020


        Adjourned

*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200421/322b958d/attachment-0001.html>
-------------- next part --------------
_______________________________________________
Management mailing list
Management at cabforum.org
https://cabforum.org/mailman/listinfo/management



More information about the Servercert-wg mailing list