[Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - September 3, 2020

Jos Purvis (jopurvis) jopurvis at cisco.com
Fri Sep 18 09:19:43 MST 2020 

Published!

 

 

-- 
Jos Purvis (jopurvis at cisco.com)
.:|:.:|:. cisco systems | Cryptographic Services
PGP: 0xFD802FEE07D19105 | Controls and Trust Verification

 

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of CABF Server Cert WG <servercert-wg at cabforum.org>
Reply-To: "Dimitris Zacharopoulos (HARICA)" <dzacharo at harica.gr>, CABF Server Cert WG <servercert-wg at cabforum.org>
Date: Friday, September 18, 2020 at 4:55 AM
To: CABF Server Cert WG <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Final Minutes for Server Certificate Working Group Teleconference - September 3, 2020

 


These are the Final Minutes of the Teleconference described in the subject of this message as prepared by Wayne Thayer (Mozilla).
Attendees (in alphabetical order)
Amanda Mendieta (Apple), Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com), Curt Spann (Apple), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Huo Haitao (Halton) (360 Browser), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Johny Reading (GoDaddy), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), Kirk Hall (Entrust Datacard), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Mayur Manchanda (Visa), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Peter Miskovic (Disig), Rae Ann Gonzales (Godaddy), Rebecca Kelley (Apple), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).
Minutes 
1. Roll Call
The Roll Call was taken.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
No changes to the agenda were noted. It was noted that Wayne Thayer volunteered to take minutes for this meeting. Dimitris will take the minutes for the next call.
4. Approval of minutes from last teleconference
Accepted without objections.
5. Validation Subcommittee Update
Wayne said that the subcommittee continued discussions of the end-entity certificate profile on the past call. EKU was discussed, as was the remainder of the profile. Then discussion shifted to remaining work and Subject distinguishedNames. Issues with validating the stateOrProvinceName were discussed, as were concerns over the organizationalUnitName field.

Tim said that he will not be able to attend next week’s call.
6. NetSec Subcommittee Update
Neil said that two ballots are in process. We have feedback from Ryan and Wayne on SC34 (Account Management) on GitHub and are planning to address it. SC28 has just begun voting. We have created a discussion document for using cloud services for hosting CA services. This will not result in any immediate ballots, but will feed into future changes. Meeting today to model threats. This relates to the dropped zones ballot, shifting from physical to logical zones.

Ben said that we’re still trying to finalize the offline CAs ballot. Have replaced ‘offline’ with ‘air gapped’. Bruce commented that we should populate the Trusted Roles section in the BRs with some of the info in the NCSSRs. We’re still trying to determine how to best structure the document. If parts of the NCSSRs are incorporated into the BRs it makes it more difficult for other WGs such as code signing to rely on them. This will also be discussed on the call today.

Dimitris said that the original consensus was for individual WGs to decide to adopt parts of the NCSSRs as they wish, then if we determine that there is seen to be a need for a shared common set of NCSSRs in the future we can discuss it.

Ben: There is a threat modeling group meeting today at 1 PM EST. If anyone with expertise has time to participate, please let us know and they will be invited.
7. Ballot Status 
Ballots in Discussion Period
SC28 (Logging and Log Retention)

Neil said that he began voting today.

    
Ballots in Voting Period

SC35 (Spring 2020 cleanup and clarifications (Ryan)

Voting began yesterday.

Ryan: Ben pointed out that there are more cleanups needed. Went ahead with voting on this knowing that there will be more cleanup ballots. This ballot includes important clarifications to the use of policy OIDs that are needed and that CAs should be aware of

Ballots in Review Period

SC33 (TLS ALPN Method)
Review period ends Sept 17.
Draft Ballots under Consideration

Minimum expectations regarding weak keys
Chris: Posted proposed ballot language to the list this morning

SC32 (Offline CA Security Requirements)

Ben: no updates

SC34 (Account Management)

Toby said that he has no updates beyond what Neil said earlier about the feedback received on GitHub.

8. Any Other Business
No other business was discussed.
9. Next call
The next call will take place on September 17, 2020 at 11:00am Eastern Time.
Adjourned

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200918/4d88efe6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3699 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200918/4d88efe6/attachment-0001.p7s>

More information about the Servercert-wg mailing list