[Servercert-wg] Final minutes of the SCWG call of April 11th
Inigo Barreira
Inigo.Barreira at sectigo.com
Fri Apr 26 07:47:51 UTC 2024
These are the Final Minutes of the Teleconference described in the subject
of this message.
Dimitris is leading the call at Inigo's request due to a medical
appointment. Note-well read before Roll-call (but preserved normal order for
the minutes structure here).
1. Roll Call
Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Abhishek Bhat
(eMudhra), Adam Jones (Microsoft), Adriano Santoni (Actalis), Aggie Wang
(TrustAsia), Alvin Wang (SHECA), Andrea Holland (VikingCloud), Brianca
Martin (Amazon), Bruce Morton (Entrust), Chris Clements (Google), Ben Wilson
(Mozilla), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen
(OATI), David Kluge (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie
(GlobalSign), Dustin Hollenback (Microsoft), Gregory Tomko (GlobalSign),
Inaba Atsushi (GlobalSign), Janet Hines (VikingCloud), Jaime Hablutzel
(OISTE Foundation), Jay Wilson (Sectigo), Johnny Reading (GoDaddy), Jos
Purvis (Fastly), Karina Sirota (Microsoft), Keshava Nagaraju (eMudhra),
Kiran Tummala (Microsoft), Llewellyn Curran (GoDaddy), Lynn Jeun (Visa),
Mads Henriksveen (Buypass AS), Mahua Chaudhuri (Microsoft), Marcelo Silva
(Visa), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Michelle
Coon (OATI), Miguel Sanchez (Google), Mrugesh Chandarana (IdenTrust), Nargis
Mannan (VikingCloud), Nate Smith (GoDaddy), Naveen Kumar (eMudhra), Paul van
Brouwershaven (Entrust), Peter Miskovic (Disig), Rich Kapushinski
(CommScope), Rich Smith (DigiCert), Rollin Yu (TrustAsia), Ryan Dickson
(Google Chrome), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sissel Hoel
(Buypass), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems),
Tathan Thacker (IdenTrust), Tim Hollebeek (DigiCert), Thomas Zermeno
(SSL.com), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly),
Yashwanth TM (eMudhra), Yoshihiko Matsuo (Japan Registry Services).
2. Read note-well
The note-well was read by Dimitris.
3. Review of Agenda
The Agenda as provided by Inigo was followed for the call.
4. Minutes
a. Approval of minutes from the February 15, 2024 Teleconference
(minutes have been distributed just prior to the call)
* The minutes approval is delayed until next meeting due to their very
recent posting.
b. Approval of minutes from the March 28, 2024 Teleconference (minutes
have NOT yet been distributed)
* The minutes approval is deferred until after posting.
.
5. Membership
* No current Applications to review.
6. Issues/Topics
* Revocation is topic listed for today, Kiran is invited to comment,
but is having audio issues.
Dimitris had previously prepared a spreadsheet of some revocation reasons
that were under consideration to extend period to more than 5 days with
appropriate justification.
Clint indicated that a draft document had been prepared and circulated to a
small group of folks to review ReasonCode and timelines and some discussion
had ensued but it's not yet ready for main stream.
* PAG - Discussion on where it should be instatiated. It was agreed it
should be handled in the WG where it arose, which is here. Decision to cover
it after Ballot Review on today's call.
7. Ballots update
Review of the current ballots situation as per the agenda.
CURRENT STATUS OF BALLOTS
* Passed
* SC72: Delete exception to policyQualifiers in EVGs; align with BRs
by making them NOT RECOMMENDED.
* Under PAG
* SC70: Clarify the use of DTPs for Domain Control Validation
* This Ballot was rescinded.
* Failed
* None
* Voting Period
* None
* Discussion Period
* SC67 v1: Require domain validation and CAA checks to be performed
from multiple Network Perspectives. Ends on 17/4/24.
* Ryan indicated that they are adjudicating comments in GitHub and
anticipate a 2nd round of discussions
* Dimitris highlighted interesting discussion surrounding use of VPNs
for MPIC which is worth reviewing by the group. Also, on the security
question, there should perhaps be some discussion regarding security
controls required for the VPN usage
* Ryan - there is no intention of limiting the usage of VPN for this
aspect
* SCXX - Compromised/weak keys
* This item was categorized incorrectly in the Agenda as it is
currently pre-ballot and thus it was discussed here instead.
* Wayne confirmed it is pre-Ballot still and indicated there has been
some discussion on whether to provide a list of resources or let CA's manage
their own. Wayne indicated he was leaning more to leaving up to the CA
responsibility, but still looking for feedback. Expectation is that weak key
check should be made regardless of key size as requested by Clint.
* Tim was ambivalent on Clint's request. Suggested we just pick a
reasonable proposal and proceed.
* Dimitris indicated that during the early versions of the ballot, the
WG had tried to describe the set of parameters that each CA needs to take
into account in order to generate the proper set of Debian weak keys and it
didn't work out so well. It was quite complicated to understand and
implement
* Aaron G suggested why not go with a ".repository or equivalent" in
the language and then you could cover both scenarios. The 2nd question is -
what happens when a new group of weak keys is discovered? An explicit
enumeration has its benefits.
* Wayne said we just need the bar to stop moving.
* Tim indicated the burden is when definitions change, because then we
have to re-prove to our auditors that we still meet it under new definition.
* There was general agreement that this particular point of repository
vs CA responsibility has been discussed waaaaay too much. Suggestion from
Aaron G that a simple list of keys to incorporate from a repository is the
easiest path forward.
* Debate about which repository to use will be had on the list.
* Review Period
* SCXX - Compromised/weak keys
* This item is categorized wrong in the Agenda, it is currently
pre-Ballot, see above for discussion
* Draft / Under Consideration
* SCXX - Profiles cleanup ballot - on hold
* SC71 - Subscriber agreement and terms of use consolidation
* Dustin indicated they are behind on this item since he has been on
leave and will seek to make progress shortly
* SC73 - Introduce linting in the TLS BRs
* Dimitris (who has also been on leave) committed to sending something
to the list on this in the next week
* SC74 - Clarify CP/CPS structure according to RFC 3647
* Dimitris indicated that this ballot is ready to go and should start
discussion period shortly
* PAG - Discussion regarding SC70
* Ben indicated a time limit for joining the PAG had been set to
reduce potential of rework or re-discussion. The cut off for that nomination
is tomorrow. A Doodle Poll was sent out interested parties to try to
establish an appropriate time for the PAG.
* Dimitris suggested we use the mailing list instead to distribute the
Poll
* Dimitris explained the implications of the Bylaws as related to the
PAG. The key element is that the Draft Maintenance Guideline should remain
in draft state until the PAG process is complete, because this essential
claim came in before the end of the IPR review period.
* There is not stipulations on how long the PAG should take. The PAG
chooses its own Chair and Vice Chair.
* Aaron G indicated he could sign into the PAG mailing list but was
not getting any messages.
* Ben indicated they would test and work out the mailing list issues
8. Any other business
None.
9. Next Call
Next call is April 25th, 2024.
10. Meeting Adjournment
Meeting adjourned.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240426/186b1265/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6630 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240426/186b1265/attachment-0002.p7s>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240426/186b1265/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6630 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240426/186b1265/attachment-0003.p7s>
More information about the Servercert-wg
mailing list