[Servercert-wg] Draft minutes of the SCWG call - March 16th, 2023

Inigo Barreira Inigo.Barreira at sectigo.com
Tue Apr 11 16:41:13 UTC 2023


Server Certificate Working Group Meeting
March 16, 2023

Attendees: Aaron Poulsen (Amazon), Adam Jones (Microsoft), Adrian
Mueller (SwissSign), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla),
Brianca Martin (Amazon), Bruce Morton (Entrust), Chad Ehlers (IdenTrust),
Chris Clements (Google), Chris Kemmerer (SSL.com), Christophe Bonjean
(GlobalSign), Clint Wilson (Apple), Dustin Hollenback (Microsoft), Dimitris
Zacharopoulos (HARICA), Ellie Lu (TrustAsia), Inigo Barreira (Sectigo),
Janet Hines (VikingCloud), Jos Purvis (Fastly), Karina Sirota Goodley
(Microsoft), Mads Henriksveen (Buypass), Martijn Katerbarg (Sectigo),
Michelle Coon (OATI), Nargis Mannan (VikingCloud), Peter Miskovic (Disig),
Ryan Dickson (Google), Sissel Hoel (Buypass), Steven Deitte (GoDaddy),
Steve Topletz (Cisco), Tim Hollenbeek (DigiCert), Tobias Josefowitz (Opera
Software AS), Trevoli Ponds-White (Amazon), Vijay Kumar (eMudhra), Wayne
Theyar (Fastly)

Antitrust: not required, as it was read before

Agenda:

1.	Roll Call and Begin Recording (* not needed)
2.	Read Antitrust Statement (* not needed)
3.	Review Agenda
4.	Minutes of last call (16 February) were approved
5.	CommScope membership application
6.	Issues to discuss:
	a.	GitHub issues (76 open and 88 closed, some are more than 4 years old)
	b.	#337 and #420 --> changing of the document title: BRs to TLS BRs
	c.	#370 --> "annual" audits. Considering recent change done by the Chrome program
	d.	#417 --> Parked CA keys
	e.	Future for the EV Guidelines:
		i.	Fix inconsistencies between BRs and EVGs
		ii.	Convert it into RFC 3647 format
		iii.	Integrate it into TLS BRs and therefore be RFC 3647 compatible and follow other WGs (CS) style and have only one document to maintain
7.	Ballot Status - see list below
8.	Any Other Business
9.	Next call: 30 March
10.	Adjourn

Review Agenda: Nothing to be added

Minutes of last call: The minutes from the last call (February 16) were
approved and have been published. Minutes from the Face to Face had not
been submitted at the time of the meeting.

CommScope membership application: CommScope has met the requirements and
submitted responses to all questions. Inigo called for discussion about
what to do. CommScope is not trusted in any browsers, but is in discussion
under Mozilla. Ben asked if the category for them would be Associate Member
for 1 year, at which time they would be reassessed. Ben felt that they were
good candidates for the Mozilla Program, so he had no problem adding
them as associate members.

Tim mentioned that the only other concern was confirmation that the person
who signed the application was actually authorized to sign the IPR policy on
behalf of the company.  This is a common sticking point with applications
and not a concern specifically about CommScope. 

Dimitris asked if the application was sent to the management list.  Inigo
had the email and read from it, indicating that CommScope sent a letter of
inquiry that Jos replied to, informing them that they needed to be in the
process of being added to a root store program in order to become associate
members.  

Wayne added that the letter was signed by a senior vice president at the
organization, which indicates that it is very likely that the signatory had
signing authority. 

Trevoli asked if additional validation was performed, other than reading the
title that the signer used on the form. Tim mentioned that historically
the forum would ask the signer if they had authority. Admittedly it
was not the most secure method, but that is what the forum has done in the
past. Trevoli went on to suggest that a stricter confirmation might be a
positive addition to the bylaws, relating that not all VPs at Amazon are
authorized to sign on behalf of the company. Dimitris said that he would
take a note for future consideration of the bylaws. Dean Coclin said that
in cases where the title was engineer or something like that he would have
the signer provide confirmation of authority, but an SVP would normally be
trusted. However, he had no problem with asking for confirmation of
authority.

Dimitris mentioned that the primary issue with the application is the lack
of a third-party website.  He doesn't want to object on those grounds, but
that the issue should be highlighted.  Tim suggested that we table the
application for now and give them a chance to amend the application and add
the third-party website. Tobias felt that this was inconsistent with
previous actions, but Tim pointed out that the case was slightly different.
Ben clarified that the applicant could become an associate member and that
the threshold to full membership was the certificate on a third-party
website.

Tobias mentioned that he understood that last time the third-party website
requirement was only there to ensure that the issuance process was regular
and that there was no way to truly confirm that the website was not run by
the applicant. Tim conceded that Tobias was correct that there are flaws in
the existing requirement, but that it is still a requirement that must be
enforced.

There was discussion about a previous application and the exact nature of the
third-party website that was presented. There were concerns that the CT
logs indicated that it was not a third-party website. Tobias felt that
preventing this applicant but allowing the other was inconsistent handling
of membership candidates. Tim pointed out that CommScope did not submit any
website, which is completely different from submitting a website with
dubious third-party status.

Trevoli asked if CommScope had two options: resubmit the application or wait a
couple of months for the bylaws to change. Dean said that we could just
reply to them, let them know that the website was missing and that they
would only be associate members until that information was presented. It was
then added that they would still only be associate members because they were
not trusted in a root program.  Jos read the bylaws aloud, which indicated
that the associate member status could only be applied when the candidate
had submitted a complete application, but were still waiting on trust in a
root store.  Jos went on to posit the conclusion that regardless of trust,
the incomplete application was preventing CommScope from holding any level
of membership.  Ben suggested that while this is the letter of the bylaw
that it is not the intent of the bylaw. They both agreed that the bylaws
need clarification. 

After much discussion it was clarified that CommScope needs to submit the
third-party website and be trusted in a browser root program in order to
become a full member of the organization. However, since the signatory of
the original application has retired, a new IPR document should be submitted
and signed by someone with authority.  Dean will generate a reply and
provide it to the list for approval before sending to CommScope. 

Issues to Discuss: Inigo said that there were 76 open issues and 88 closed
issues on GitHub. Open issue owners should review their issues and possibly
close them. There is concern that there may be duplicate issues or some
that are no longer a major concern. An email should be sent to the public
list to inform the issue owners to review the list and make the
determination. Inigo will draft a message and submit it for review.
Dimitris suggested that an inventory of the issues could help to prioritize
them.

Inigo gave a list of ballots up for review (SC-61, SC-62 and SC-59).

End of meeting.