[Servercert-wg] Final minutes from SCWG 5/1/2023

Inigo Barreira Inigo.Barreira at sectigo.com
Thu Feb 2 18:06:48 UTC 2023


ServerCert Meeting: January 5, 2023

 

Attendance (in alphabetical order):

Aaron Gable (ISRG), Aaron Poulsen (Amazon Trust Services), Adam Jones
(Microsoft), Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben
Wilson (Mozilla), Bruce Morton (Entrust), Chris Clements (Google Chrome),
Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert),
Corey Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert),
Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Ellie
(TrustAsia), Enrico Entschew (D-TRUST), Eva Van Steenberge (GlobalSign),
Fumi Yoneda (JPRS), Hazhar Ismail (MSC Trustgate), Inigo Barreira (Sectigo),
Jamie Mackey (FPKI), Janet Hines (VikingCloud), Joanna Fox (TrustCor), Jos
Purvis (Fastly), Karina Sirota Goodley (Microsoft), Kiran Tummala
(Microsoft), Lynn Jeun (Visa), Mads Henriksveen (Buypass), Marcelo Silva
(Visa), Marco Schambach (IdenTrust), Michelle Coon (OATI), Mrugesh
Chandarana (IdenTrust), Nargis Mannan (VikingCloud), Peter Miskovic (Disig),
Rich Smith (DigiCert), Rollin Yu (Trust Asia), Sissel Hoel (Buypass),
Stephen Davidson (DigiCert), Steve Topletz (Cisco), Tadahiko Ito (SECOM),
Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera), Trevoli Ponds-White
(Amazon Trust Services), Wayne Thayer (Fastly), Wendy Brown (FPKI), Yoshiro
Yoneya (JPRS) 

 

Minutes

 

1.	Antitrust statement read
2.	Approval of minutes: December 8th meeting minutes approved
3.	ZT Browser Application - 

*	Aaron G.: I have some concerns about an organization and a person
who has been proven to be untrustworthy in this domain having voting power
on things that affect everyone else in this domain. I want to make sure we
discuss this.
*	Tobias J.: I think this case illustrates that the current
requirements for membership may be lax or undefined in a way that may be
problematic. We can't take into account what may have been the motivation or
what has been the motivation for the charter or bylaws. The charter says, if
any member were to request a vote about membership, we would have to vote
about this. 
*	Tim H.: The bylaws are still in effect. When we added this language,
it was because we always did this by consensus and if there wasn't
consensus, we had a vote. So, if there isn't unanimous consensus then some
members should request a vote. If no member is requesting a ballot, and
every member is okay with it, then we approve. Is there a member that is
requesting that we have a ballot on this issue?
*	Dean C.: The bylaws are very clear in this area. If there are people
that want to have a vote, then you can request a vote and have the normal
voting requirements.
*	Aaron G.: I am requesting a vote.
*	Inigo B.: Will this set precedent over any new membership?
*	Trev P.: It is already in the rules. 
*	Dimitris Z.: If we are going to have a vote, then we need to know
what the challenges are and which specific requirements this doesn't meet.
*	Trev P.: That is not in the rules. Anyone can request a ballot for
anything.
*	Tim H.: I don't see any restrictions on why you can't vote no. I
recommend talking to your legal counsel about your vote and the reasoning
for your vote. Companies can vote whichever way they want; it's up to them to
make sure that they're complying with applicable laws.
*	Dean C.: The Server Cert Working Group charter says an applicant
becomes a member once the server certificate working group has determined by
consensus among the members during a meeting or teleconference that the
applicant meets all of the requirements of subsection a, or upon the request
of any member by a ballot, among the members. Acceptance by consensus shall
be determined. Or a ballot of the members shall be held as soon as the
applicant indicates that it has presented all information required and has
responded to all follow up questions from the SCWG and the member has
complied with the requirements of section 55 of the CA/Browser Forum bylaws.
It's either you have the consensus on this call or meeting or upon the
request of a member a ballot.
*	Trev P.: It's in the rules and if we don't think that we should have
ballots, then we should remove it from all of the charters.
*	Tim H.: To Tobias' point, if people think the membership criteria are
too lax, that is a potential discussion to have. The fact that the
membership criteria for certificate consumers is quite lax has been
discussed in the past, but it is difficult to find better language. We can
have those discussions again if people want to tighten up the rules, but the
tightening up of the rules should not be aimed at helping or preventing a
specific person from joining.
*	Wayne T.: Will the voting be conducted in public or not? I don't see
any rules, but I assume by precedent we would conduct voting in public.
*	Trev P.: Also, does it need two endorsers in addition to the
proposer?
*	Tobias J.: I will endorse.
*	Dean C.: Aaron would be the proposer with Toby as one endorser and
then it would need a second endorser. The ballot platform question is still
open.
*	Inigo B.: And this ballot is only for the ServerCert WG?
*	Tim H.: Aren't membership and charter discussions Forum level
discussions and not ServerCert level discussions?
*	Dean C.: No, because anybody that becomes a member of a working
group is automatically granted Forum membership and those working group
discussions are held within the working groups. 
*	Dimitris Z.: First thing we need to understand is if we're going to
do a ballot then, whether it's going to be in a public or in private mailing
list. Question is if we have to separate the management list of the
ServerCert working group with the management list of the Forum level?
*	Tim H.: On the voting, the bylaws are pretty clear that the voting
has to be public. The only private voting is for the special election
ballots and the bylaws clearly carve out an exception for them to be
private. There are no other carve outs. 
*	Dean C.: There's a section 2.3 in the Forum bylaws. It says general
provisions applicable to all ballots and it talks about all the different
ways you can vote.
*	Trev P.: It seems like the consensus is that it has to be on the
public list. Is this sensitive enough to be on the management list?
*	Tim H.: It's more about the documentation in the public archives and
having the votes in one place.
*	Aaron G.: As the proposer I am comfortable with having this ballot
occur in public.
*	Dimitris Z.: I was referring to section 5.1, which discusses that
matters within the opinion of the members require confidentiality. So, if
the consensus is that this does not require confidentiality, it's fine to be
in public. 
*	Dean C.: That is referring to the member mailing list and the member
website, whereas section 2.3 says general provisions applicable to all
ballots. That is what takes precedence here.
*	Aaron G.: Bylaws 5.2 sub-paragraph 3, which says the following
materials shall be publicly posted to the public mail list: (3) messages
formally proposing a Forum ballot, individual votes, quorum counts, et
cetera. I think it makes sense for it to be in public.
*	Rich S.: This discussion has demonstrated there are some
shortcomings with the way this process was thought out. The public vs
private is one since the discussion to come to a consensus on membership on
these calls is private, but the ballot calls for a public discussion per the
bylaws. Another is in order to meet the definition of a ballot it must have
a proposer and two endorsers, so if you can't get 2 endorsers, then that
stops the process in its tracks. I don't think that was ever intended.
While the person calling for the ballot doesn't mind it being public, I'm
not sure that applies to everyone who might cast a vote. And hopefully we'll
resolve the issue with the endorsers, but I think going forward we need to
look at adding some verbiage to clarify these matters.  
*	Tim H.: To avoid uncharted territory of a ballot not having enough
endorsers, we will endorse for that purpose.
*	Inigo B.: I am concerned with problematic precedent, but it is in
the charter. So, Aaron will draft up a ballot and seek two endorsers. Then
follow the regular procedure, setting a discussion period and a voting
period and get the results.
*	Aaron G.: If you are willing to be an endorser on this ballot,
please reach out to me. And I will get started on the discussion email
shortly.
*	Tobias J.: I request a 2-week discussion period. There are a lot of
questions that need to be figured out.
*	Tim H.: I wanted to point out that ballot discussion time is
effectively unlimited now. It's up to Aaron to decide when the discussion is
no longer fruitful, and when voting should start. But I agree that we should
not prematurely take this to a vote. We should give members time to
coordinate with their legal counsel and have any discussions publicly or
privately that they need to have.
*	Dimitris Z.: At the same time, we don't want to keep this candidate
open indefinitely. We need a reasonable time frame for the ballot and the
voting period. To Toby's question about the quorum, if the voting begins,
and there is no quorum, then the ballot fails.
*	Tim H.: Same as everybody voting no.
*	Dean C.: There's also a provision in some place that these things
should not be unnecessarily held up.
*	Tim H.: It says that for voting you have to have the vote as soon as
possible. It doesn't say anything about how long the vote can take. I don't
think we're actually restricted on time.
*	Aaron G.: The ballot will state a yes vote means yes, add this member
to the group. The proposal will be to add the browser as a member of the
ServerCert working group. 
*	Dean C.: I can respond to the applicant that a decision has been
made to have a ballot based on the charter. 
*	Trev P.: Who is taking the action item to look over the bylaws?
*	Tim H.: Dimitris and I are already looking into the bylaws both
election and non-election related so we can add this item to the queue, but
it will not be a priority. So, if someone has ideas on a solution reach out.

4.	Validation Subcommittee - Corey B. and Tim H.

*	Certificate profiles ballot

    *	New PR that integrates SC56 and SC58 into the text
    *	Discussion around ordering of RDNs and Names

*	LEIs in certificates

    *	Focused on EV, potentially allowing an organization ID field like VAT
    or trade register information
    *	Some discussion about adding it for OV
    *	Overall still an open discussion for both OV and EV

5.	Ballots 

*	Chris K.: SC59 - Debian Weak Keys has two endorsers, just compiling
the redline version
*	Inigo B.: SLO/Response for CRL & OCSP Responses - still on hold
*	Ben W.: Incorporation of Mozilla Revocation Reason Codes - some
changes to be included, but waiting on comments 

    *	Dimitris Z.: I like the changes. I prefer your 1st version of the
    1st option where the subscriber requests in writing "without giving a
    reason" compared to "without giving a reason required to be specified by
    this section 4.9.1.1". For number 10 I'm fine with your proposed language.

*	Inigo B.: Certificate Profiles - already mentioned
*	Chris C.: Make OCSP optional, require CRLs - still an open
discussion, will reinvigorate next week

6.	Any Other
7.	Next Meeting - January 19th 2023
8.	Adjourned 
