[Servercert-wg] RV: [cabfman] 2023-03-30 Server Cert Draft Minutes

Inigo Barreira Inigo.Barreira at sectigo.com
Fri May 12 09:27:34 UTC 2023


Minutes published on the website


From: Management <management-bounces at cabforum.org> On behalf of Clint Wilson
via Management
Sent: Monday, May 8, 2023 22:58
To: management at cabforum.org
Subject: [cabfman] 2023-03-30 Server Cert Draft Minutes


Attendance: Aaron Poulsen - (Amazon), Adam Jones - (Microsoft), Ben Wilson -
(Mozilla), Bruce Morton - (Entrust), Chad Ehlers - (IdenTrust), Chris
Clements - (Google), Chris Kemmerer - (SSL.com), Clint Wilson - (Apple),
Corey Rasmussen - (OATI), Daryn Wright - (GoDaddy), Dimitris Zacharopoulos -
(HARICA), Ellie Lu - (TrustAsia Technologies, Inc.), Fumi Yoneda - (Japan
Registry Services), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo),
Janet Hines - (VikingCloud), Joanna Fox - (TrustCor Systems), Johnny Reading -
(GoDaddy), Jos Purvis - (Fastly), Jozef Nigut - (Disig), Kiran Tummala -
(Microsoft), Lynn Jeun - (Visa), Mads Henriksveen - (Buypass AS), Marcelo
Silva - (Visa), Martijn Katerbarg - (Sectigo), Michelle Coon - (OATI), Nargis
Mannan - (VikingCloud), Pedro Fuentes - (OISTE Foundation), Rebecca Kelley -
(Apple), Rollin Yu - (TrustAsia Technologies, Inc.), Stephen Davidson -
(DigiCert), Steven Deitte - (GoDaddy), Tadahiko Ito - (SECOM Trust Systems),
Thomas Zermeno - (SSL.com), Tobias Josefowitz - (Opera Software AS), Wayne
Thayer - (Fastly)

Inigo confirmed attendance.

Inigo confirmed the note-well had been read.

F2F minutes for the Server Certificate Working Group were approved. The
March 16 minutes will be reassigned.

Inigo confirmed no update on the CommScope membership application.

Inigo shared an overview of open GitHub Issues. There are 76 open and 88
closed; some have not been touched in 4 years.

There are two open issues related to updating the name of the BRs to specify
their relevance to TLS certificates. It was agreed this change should be
made and will be included in a future ballot.

Another open issue (https://github.com/cabforum/servercert/issues/370)
requests changing "annual" CP/CPS updates to instead reference 365 days.
Chris commented that their root program had received feedback on their
related use of 365 days and will be updating the language to account for
leap years. Since audits are also required annually, the scope of discussion
includes anywhere we talk about something occurring annually, and the
document should be consistent in its language. Ben shared that one
motivation is to align the CCADB with the BRs, so that the CCADB can flag
when things are out of date and programmatically help CAs to keep things
updated. To ensure the math the CCADB is doing is consistent with
requirements, it would help to have more specific language in the BRs.
Dimitris brought up that we're trying to align on having at least 2 major
updates per year, so the frequency of CP/CPS updates may decrease in the
future compared to historical frequency. Wayne brought up that whether the
365-day vs 398-day "grace period" makes sense is dependent on what's being
updated. An audit makes sense to have the extra time because it's once a
year, involving an external party, whereas a CP/CPS update requirement makes
less sense to have extra time since it happens multiple times per year and
is under the control of the CA. Ben also brought up that CAs have argued
"annually" means each calendar year, and Wayne highlighted that "12 months"
has similar issues of January 1 of year 1 vs January 31 of year 2.
Discussion will continue on how to formulate language that accounts for
leap years and provides the needed level of granularity.

Inigo highlighted an issue (https://github.com/cabforum/servercert/issues/417)
which requests we clarify audit requirements for "Parked" CA Keys. Ben
clarified that some CAs may generate large numbers of keys, not knowing
specifically which ones will be used for CAs. Some audit statements or key
generation ceremony reports address parked keys, showing many parked keys,
so there should be discussion by CAs describing what their practices are so
they can be accommodated and it can be assured they're adequately protected.
It may not be a very good practice to bundle a bunch of keys and then later
on decide what's used with a CA or not. Ben clarified that all parked keys
should be disclosed in audit reports, which aligns with the expectation of
cradle-to-grave audit coverage of keys. Inigo requested that Ben put
together more specific language regarding what is expected and desired, and
Ben agreed. Bruce brought up a desire to have a discussion around the models
for how and when pre-generated keys can be used. It's not clear what's being
added with this change.

Inigo brought up the future of the EV Guidelines, and requested confirmation
of whether there is rough consensus to convert the EVGs to RFC3647 format.
Dimitris highlighted that the EVGs are very validation focused, so section 3
would be quite large and others may be very small. An alternative approach
would be to incorporate the EVGs into the BRs as an appendix. This approach
would require changes to the CSBRs to ensure they're incorporated correctly.
Bruce raised the question of whether we should be incorporating the EVGs
into other documents, instead of having EV stand alone; if we only
incorporate the EVGs into other documents, then we'll have no EV standard,
but rather TLS EV and S/MIME EV and Code Signing EV, etc. No clear consensus
was reached, as time ran out, but discussion will continue.

SSL.com confirmed that the "Weak Keys" ballot will continue with Thomas
Zermeno driving that ballot.

The meeting was adjourned.
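The readings of "annually" compared in the minutes above give different answers on concrete dates. As an added illustration that is not part of the minutes or of any CAB Forum or CCADB tooling, the Python script below judges one CP/CPS last-updated date under each reading and reports which readings disagree with the rest. The rule names, the treatment of a 29 February update, and the sample dates are assumptions.

```python
from calendar import isleap
from datetime import date
# Constructed example, not CAB Forum or CCADB code: judge one CP/CPS "last
# updated" date under each reading of "annually"; True means overdue on `today`.

def _leap_day_in_window(last, today):
    # True if a 29 February lies inside (last, today].
    return any(isleap(y) and last < date(y, 2, 29) <= today
               for y in range(last.year, today.year + 1))

def _same_day_next_year(d):
    try:  # assumption: an update dated 29 February falls due on 1 March
        return date(d.year + 1, d.month, d.day)
    except ValueError:
        return date(d.year + 1, 3, 1)

RULES = {
    # "annually" read as "at least once per calendar year"
    "calendar_year": lambda last, today: today.year - last.year >= 2,
    # fixed 365-day window; a leap day inside the window costs the CA a day
    "365_days": lambda last, today: (today - last).days > 365,
    # 365 days, extended to 366 when the window contains a 29 February
    "365_days_leap_aware": lambda last, today: (today - last).days
        > (366 if _leap_day_in_window(last, today) else 365),
    # "12 months" as the same calendar day one year later
    "12_months_same_day": lambda last, today: today > _same_day_next_year(last),
    # "12 months" at month granularity: January 1 -> any day next January is fine
    "12_months_by_month": lambda last, today:
        (today.year - last.year) * 12 + today.month - last.month > 12,
    # the 398-day grace period the audit rule allows
    "398_days": lambda last, today: (today - last).days > 398,
}

def evaluate(last, today):
    """Return {rule name: overdue?} for ISO-formatted last-updated/check dates."""
    last, today = date.fromisoformat(last), date.fromisoformat(today)
    return {name: rule(last, today) for name, rule in RULES.items()}

def disagreeing_rules(last, today):
    """Rules whose verdict differs from the majority; a non-empty result means
    the wording, not the CA's behaviour, decides whether a flag is raised."""
    verdicts = evaluate(last, today)
    majority = sum(verdicts.values()) * 2 > len(verdicts)
    return sorted(n for n, v in verdicts.items() if v != majority)

if __name__ == "__main__":
    # Constructed dates: update on 1 Jan 2024 (a leap year), checked 1 Jan 2025.
    for name, overdue in evaluate("2024-01-01", "2025-01-01").items():
        print(f"{name:22} overdue={overdue}")
```

On the leap-year case a flat 365-day rule is the only reading that flags the CA, which is exactly the discrepancy the leap-year adjustment is meant to remove.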
