[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - May 28, 2020

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Jun 11 01:40:07 MST 2020

These are the final Minutes of the Teleconference described in the 
subject of this message as prepared by Enrico Entschew (D-TRUST).*

    Attendees (in alphabetical order)

Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Clint Wilson 
(Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com 
<http://SSL.com>), Curt Spann (Apple), Daniel Rendon (SSL.com 
<http://SSL.com>), Daniela Hood (GoDaddy), Dean Coclin (Digicert), 
Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Enrico 
Entschew (D-TRUST), Inaba Atsushi (GlobalSign), Janet Hines 
(SecureTrust), Jos Purvis (Cisco Systems), Li-Chun Chen (Chunghwa 
Telecom), Mads Henriksveen (Buypass AS), Michael Guenther (SwissSign), 
Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter 
(SecureTrust), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE 
Foundation), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden 
(Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen 
Davidson (Quo Vadis), Taconis Lewis (US Federal PKI Management 
Authority), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software 
AS), Trevoli Ponds-White (Amazon), Vijayakumar (Vijay) Manjunatha 
(eMudhra), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI 
Management Authority), Andrea Holland (SecureTrust).


      1. Roll Call

The Chair took attendance.

      2. Read Antitrust Statement

The Antitrust Statement was read.

      3. Review Agenda

Accepted without changes.

      4. Approval of minutes from previous teleconference

Accepted without objections. Neil volunteered to take minutes next call.

      5. Validation Subcommittee Update

Tim reported that the Subcommittee had a discussion about certificate 
profiles and the current strategy which is documented in a Google 
spreadsheet. The Google spreadsheet has an organized view of the 
requirements for a particular entry into a certificate coalesced into 
one spot. But its incomplete and the subcommittee is still working on 
that. Strategy is to go through the BRs line by line and comparing it to 
the spreadsheet and discussing the interesting topics that come up. They 
made it through section C before they stopped.

Tim said that they found it very useful to have a new column Q in the 
spreadsheet which is where the requirements are put. They will continue 
going through the spreadsheet and updating it in two weeks.

The draft minutes of that particular Subcommittee meeting are available 
at the following thread:

  * https://lists.cabforum.org/pipermail/validation/2020-May/001478.html

      6. NetSec Subcommittee Update

Neil reported that ballot SC28 is now open for discussion. He got some 
feedback from Ryan. Will respond to that very soon. Still crafting a 
ballot on removal for unnecessary accounts. Neil has got the text 
agreed, proposers and endorsers, so that the ballot should be ready to 
go very soon.

Similarly the SC has got the ballot to remove the secure zones 
terminology. Got a final text, Ben will propose that and a couple of 
endorsers are ready. Waiting for red line version to move forward.

The pain points team still working on authentication controls. This is 
with regard to replacing section “2.k.” and amending “2.g.” of the 
NCSSRs and replacing this brute force lock out with another option.

Last meeting Bruce uncovered an ambiguous text in the NSRs. It will 
probably need a minor cleanup ballot just to make it clear that it's 
actually remote administrative access that was intended to be 
controlled, not access as a separate requirement.

The subcommittee had a long discussion on the availability requirements 
of OCSP. This was in reference to an outage that was reported on 
IdentTrust. The BRs have got a kind of vague reference to 24/7 
availability and the group discussed it. It might be an additional 
requirement for CAs to publish their service level objectives (SLO) in 
the CPS under 4.10.2. in order to be able to demonstrate and test them 
and comply with this SLO. Currently no ballot text is ready. Discussion 
is ongoing.

The draft minutes of that particular Subcommittee meeting are available 
at the following thread:

  * https://lists.cabforum.org/pipermail/netsec/2020-May/000347.html

      7. Ballot Status

        _Ballots in Discussion Period_


*_Ballots in Voting Period_*

*_Ballots in Review Period_*
/SC29: System Configuration Management (Neil)/.*Review period ends 15:00 
UTC 7 June 2020*.//

        _Draft Ballots under Consideration_

/Aligning the BRs with existing Browser Requirements /(Ryan)
Ryan: Still waiting for feedback from the Mozilla communication, which 
will be expected on Monday, June 01, 2020.

Adriano raised a question about prohibiting subscriber key generation 
which is a Mozilla requirement. Ryan sent it out to the list.

If Microsoft and Apple are good with the draft and with Mozilla’s 
feedback it should be stable enough that everyone should be looking at 
it. Everybody is encouraged to provide feedback soon.

Dimitris asked if Ryan thinks aboutsetting some time aside to discuss 
for example during the face-to-face meeting in two weeks.

Ryan: There is a very long description in the draft about the proposed 
changes, that should cover everything. Repeating this topic at the face 
to face makes no sense.

/Spring 2020 cleanup (Ryan)/
Ryan: There are some discussions about what a known weak key means. 
There can be something that causes you to revoke a certificate. If it is 
known to be weak at the time when the certificate was issued it is 
called a known weak.

Ballot is trying to clarify the existing requirements which are causing 
ambiguities. Ryan got some feedback to the questions list which were 
reposted over the management list, so that everybody may have seen it. 
Some questions were about the CA root key generation, terminology of 
what a root CA key is and the applicability of these requirements to 
subordinated CA’s.

There is the consideration that in certain cases no external auditors 
are required as witnesses for the key generation ceremony for 
technically constrained SubCAs. However, this should be included in 
another ballot.

Dimitris asked if Ryan plans on addressing the two categories 
(technically unconstrained and constrained SubCAs) separately. Ryan 
replied that section applies to technically constrained SubCAs 
and it would be the goal to exempt them from that. However, that would 
require a larger restructuring of this section to prevent a loophole. 
Section must also be considered.It will be a separate ballot to 
show that if the key is ever used in an unconstrained SubCA or an 
unconstrained root CA, the full auditing must go back to the time the 
key was generated. It's close to the key lifecycle issue that Wayne 
presented about in Shanghai face to face 45.

/Disclosures of data sources (Ryan)/
Ryan: The draft is right for discussion. It has been updated, as 
mentioned in the last call. There was feedback from Tim regarding what 
the sequencing of things look like and making sure that things like 
GitHub are permitted. There were some questions raised by Doug, mostly 
related to the scenario of if a CA does not restrict the type of 
registration number for that particular registration sources. Some 
registration sources document proactively what their serial number form 
is and some don't. It is just intended to clarify that there is an 
option for the CAs to disclose them.

Looking for endorsers. Microsoft might be willing to do that. Ryan 
thinks that the Ballot can be brought to a formal discussion period and 
to vote.

/Updating BR Section
Chris: Appreciated the discussion Dimitris, Ryan and Tim had a couple 
weeks ago. After last call there is now a new language for the proposal 
that is likely to be accepted. Now the question is whether it should 
become a separate ballot or be part of the spring clarification and 
cleanup ballot.

Ryan: Depends on what the languages is and how exciting that language 
changes are.

Chris: Would like this to be decided before we look at the language.

Dimitris: There was a thread proposing very specific language on the 
public mailing list where Chris, Ryan, Corey and other people 
participated. Seems to be too complicated to fit in a cleanup or 
clarification ballot.

Chris: The discussion that Dimitris was referring to was incredibly 
valuable for our purpose. The language now takes all that into account.

Dimitris: Are you planning to post it to the list?

Chris: Yes, ASAP.

/SC 28/

Neil: The purpose is to modify the retention period of evidence, i.e. 
the duration of data storage for CAs. Thus, instead of a flat rate of 7 
years for everything, data should be retained during the lifetime of the 
object (certificate) and for two years after the certificate has 
expired. The same applies to CA certificates. Logs should only be backed 
up for 2 years instead of 7 years, since their value is forensically 

Ryan has provided some valuable feedback. Most of it has to do with 
cleaning up the actual text but there was a couple of substantive and 
semantic issues. Next step: talk through with the NetSecTeam and getting 

      8. Approval of F2F 50 Agenda

      Dimitris: Removed empty slots. Now the wiki states that the server
      certificate working group should start on Wednesday at 11:30 am
      and end at 1:20 pm. On Thursday plenary starts at 10:00 am and
      ends at 11:40.

      If there are new topics to discuss they can be introduced at the
      beginning of each day.

      No objections to the agenda. Agenda is approved.

      9. Any Other Business

No other business.

      10. Next call

June 25, 2020 at 11:00 am Eastern Time.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200611/eb8b19c6/attachment-0001.html>

More information about the Servercert-wg mailing list