[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - April 30, 2020

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri May 15 00:30:40 MST 2020 

These are the Final Minutes of the Teleconference described in the 
subject of this message.*
*

Minute taker: Tobias S. Josefowitz


    Attendees (in alphabetical order)

Arno Fiedler (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust 
Datacard), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris 
Kemmerer (SSL.com), Daniela Hood (GoDaddy), Dean Coclin (Digicert), 
Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin 
Hollenback (Microsoft), Inaba Atsushi (GlobalSign), Janet Hines 
(SecureTrust), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), 
Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michael 
Guenther (SwissSign), Michelle Coon (OATI), Neil Dunbar (TrustCor 
Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Pedro 
Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rich Smith 
(Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google), Tim Hollebeek 
(Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White 
(Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management 
Authority), Taconis Lewis (FPKI).


    Minutes


      1. Roll Call

The Chair took attendance.


      2. Read Antitrust Statement

The Antitrust Statement was read.


      3. Review Agenda

Accepted without changes.


      4. Approval of minutes from previous teleconference


Accepted without objections.


      5. Validation Subcommittee Update

Tim reports that the Subcommittee is continuing to tackle the same two 
topics it has been discussing for a while now.

The first topic was the voluntary or mandatory disclosure of information 
sources. The subcommittee had a discussion about purpose and roadmap of 
the effort, it seemed some CAs would be more comfortable if they had a 
better understanding of the motivation and goal(s). Ryan and Doug are 
joining up to formulate a paragraph on the purpose and direction of the 
effort.

The second topic was how to express the certificate profiles in the BRs 
and what a skeleton would look like for that. Some work will be done for 
traceability on where the skeleton semantics came from.

The draft minutes of that particular Subcommittee meeting are available 
at the following thread:

  * https://cabforum.org/pipermail/validation/2020-April/001462.html


      6. NetSec Subcommittee Update

Neil reports that the Painpoints subteam has been focusing on the 
details to a ballot concerning log retention, trying to tighten up the 
text.

The Threat modelling subteam is continuing to finesse a checklist for 
online and offline CAs and has identified risks potentially not covered 
by current NSRs.

The Document Restructuring subteam has been focussing on disentangling 
the "Secure Zones" terminology into instead specifying "physical and 
logical security requirements" for isolation within a CA system as well 
as clarifying which of the NSRs's requirements apply to offline systems 
- something not always very clearly defined in the current NSRs.

On its last teleconference, the NetSec Subcommittee had a long 
discussion about the drafted ballot regarding system account 
deactivation; the Subcommittee was not quite happy with the text but 
rather it might be the right thing to focus more on the "removal of 
access and credentials" rather than working with the vague term of 
"account deactivation". At the same time the Subcommittee wants to keep 
it simple as the goal here is to transition from periodic review to 
Continuous Monitoring and Alerting.

Question from Dimitris: Logical/physical separation of which parts?

Neil: Where we have secure zones as a sort of isolation terminology in 
the NSRs today; we are trying to break that apart into what are physical 
security requirements and what are logical security requirements.

The draft minutes of that particular Subcommittee meeting are available 
at the following thread:

  * https://cabforum.org/pipermail/netsec/2020-April/000334.html


      7. Ballot Status


        _Ballots in Discussion Period_

None.
////
_*Ballots in Voting Period*_
/////SC29: ///System Configuration Management/ /(Neil)
Neil asked members to vote.

_*Ballots in Review Period*_
/SC27: Version 3 Onion Certificates /(Wayne) (review ends 2020-03-26)//


        _Draft Ballots under Consideration_


/Aligning the BRs with existing Browser Requirements /(Ryan)
No updates
/
Spring 2020 cleanup (Ryan)/
Ryan reports this is based on github issues, and that he has received no 
feedback and has not heard from endorsers or non-endorsers.

/Disclosures of data sources (Ryan)/
Ryan reports there has been some discussion in the validation 
subcommittee, but that in his opinion this just needs to be tweaked a 
little in terms of explanation. There has been no feedback from CAs as 
to why September would be unreasonable. He is currently looking for 
endorsers. Also looking at mandating this through the Root Program, but 
at least having a Ballot to show what it would look like if incorporated 
into the BRs would be useful.

/Updating BR Section 6.1.1.3/
Chris: We are considering incorporating some of the changes Ryan has 
been suggesting, we'll need to review internally, we will comment shortly.


      8. Agenda topics for the upcoming F2F

Dimitris sent out a Draft Agenda for the Virtual Meeting (June 9th), 
tried to squeeze everything into three days. First day is subcommittee 
day, code signing working group is not scheduled as they will have a 
meeting anyway one week before and one week after. The same question 
applies to Subcommittee Chairs for Form Infrastructure, NetSec and 
Validation Subcommittee. He recommend having those meetings because 
hopefully more people are going to join than the regular meetings, but 
it is up to the Chairs. The Subcommittee chairs should contact Dimitris 
if they want to change the slots.

For days two and three we have regular sessions, Browser updates 
[Browsers: please contact Dimitris if there are no updates].

We have Browser updates, CCADB, Webtrust, ETSI, ACABc, reports from 
every Subcommittee and CSCWG and also discussion about S/MIME WG

If anybody wants to propose a topic feel free to send to the public list 
or to Dimitris directly.


      9. Any Other Business

No other business.


      10. Next call

May 14, 2020 at 11:00 am Eastern Time.


      Adjourned


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200515/89973ac8/attachment-0001.html>

More information about the Servercert-wg mailing list