[cabf_validation] Working Group Minutes for Nov 17, 2016

Jeremy Rowley jeremy.rowley at digicert.com
Wed Nov 23 13:18:58 MST 2016


Attendees: Ben, Tarah, Chris, Peter, Bruce, Jeremy, Tim H., Rick, Tyler, Tim
S, Li Chen, Jeremy, Doug

 

IP address ballot:

Tarah asked for a summary of what we learned on the domain validation ballot
that could apply here. Bruce explained we eliminated the seventh step in
domain validation and added four in. We can replicate this for the IP
ballot. Peter agreed. We struck the "any other method" by asking people to
contribute all their methods. The ballot should be straightforward: strike
#4 unless someone objects. Jeremy asked everyone to send additional methods
over before the next call. Jeremy offered to start a draft of cleaned-up
language. Peter reminded the group that if you contribute something, you
can't later exclude it. Bruce asked what we should do about practical demo.
Peter said we should look at all the methods and make sure they are similar
to the domain-based validation methods. Jeremy summarized. The first step is
to gather the methods used. Second, revise the language. Tarah offered to
assist in the language change. Peter proposed we remove options 1 and 4
completely in the first version. Option 1 is a practical demo on a website
identified by the IP address. This leaves looking up the IP address owner or
doing a reverse lookup. Peter and Tarah said we should make it as simple as
possible. Doug thinks we should align this ballot with 169. Doug would like
to support a legal opinion method and other manual methods to demonstrate
control.

 

CNAME record validation:

Jeremy is looking for two endorsers. This adds CNAME to the list of DNS
records permissible for checking control. Rick raised a concern that you
wouldn't be able to have an A record. Peter explained that you can prefix
the domain name with an underscore character. Because we allow the prefix,
you can mix it with the others. We already allow this for TXT records. This
adds another record type to check for the same data.

 

SRV ballot:

Peter explained that an RFC permits SRV names. You can specify the service
as well as a host name. This has two values. It allows you to specify a cert
that is allowed only for a set service. For protocols that use SRV locator
records, it allows delegation of the services to a provider without
delegating the whole host. This allows bootstrapping. Peter said he'd
resend the RFC to the list. Under the BRs, there is a closed set of what can
be included in certs. This is outside of what is allowed. The ballot would
expand the allowed types to include SRV names. Jeremy said he is endorsing.
We're looking for another endorser. Peter is going to check whether he can
propose/endorse. Jeremy will recirculate the ballot.

 

OID changes:

Li Chen went through his proposal for fixing how the jurisdiction of
incorporation information in browsers. Peter reminded us that at the face to
face we decided to include ASN.1 syntax explicitly in the EV Guidelines.
Bruce said we should make the subject location information the same between
the BRs and EV Guidelines. This was discussed at the face to face.
Bruce volunteered to review the differences between the EV Guidelines and
BRs. Peter offered to circulate language about the ASN.1 syntax.

 

Additional Items:

Chris suggested we look at verification databases. Chris will get something
together with Kirk and Bruce and present it.

 

Summary of tasks:

1. Everyone will look at IP validation and send their methods. Jeremy
and Tarah will work on a draft ballot.

2. Jeremy will recirculate the CNAME ballot.

3. Jeremy will send the SRV name ballot. Peter will resend the RFC.

4. Bruce will look at making the subject information consistent. Peter
will draft the ASN.1 language.

5. Chris will look at the validation databases and make a proposal for
the next meeting.
