[cabf_validation] DRAFT Minutes of Meeting Held 6-Dec-2018

Ben Wilson ben.wilson at digicert.com
Tue Dec 18 13:18:27 MST 2018


6-Dec-2018

Validation Subcommittee of the Server Certificate Working Group

Present:  Bruce, Dimitris, Ryan, Doug, Ben, Frank, Joanna, Li-Chun, Nick, Rich, Robin, Shelley, Tim S., Wayne, Devon, Gordon

Antitrust statement was read by Ben.

Agenda Review:

1.      Ballot SC 13
2.      Organization identifier
3.      EV Certificate for individuals
4.      Work Item 6 - random number posted to web page



1.      Ballot SC 13

A question arose on wording of the ballot that might cause confusion as to whether it intended to allow a single email to multiple recipients or separate emails.  It appeared that the more permissive interpretation was the intent.  More consistency is needed with the language and wording. This could be an issue as well for the rest of the Baseline Requirements, not just the wording proposed by Ballot SC 13.  It was suggested that a page linked under the Resources page could help. It was recommended that normative provisions be stated explicitly in the guideline documents and not elsewhere.  If needed, additional documentation could be placed as an appendix in the guideline document.  One example is CAA, where some additional implementation guidance might be needed.



2.      Registered Organization Identifier

See Validation email thread from 4-Dec-2018, titled "Support for registered organisation identifier of EU payment service providers".  It was argued that section 9.2.8 of the EV Guidelines is not clear when it states that CAs "SHALL NOT include any Subject Organization Information except as specified in Section 9.2."  ETSI's position is that an organization identifier is allowed.  Ryan said that the ETSI standard does not comply with CAB Forum requirements and that we need to work on our liaison relationship between CABF and ETSI. Nick said that ETSI was flexible, and asked for details on the discrepancy, but also stated that time was running out (March 2019) from a regulatory-deadline perspective.



Nick said that banks must have web site certificates that meet regulatory requirements.  The regulation specifies a unique identifier that links into national government databases.  The registered identifier must be in the certificate to be used to access certain databases, and a CA would have to interact with certain databases to ensure that the subject is a registered financial institution. The ETSI group working on this assumed that the organization identifier was the best approach and they didn't want it to get confused with the incorporation identifier. So Nick asked about requirements needed to put an organization identifier, or this unique identifier elsewhere, in certificates.



Ryan said that the certificate must meet the requirements of the Baseline Requirements or the EV Guidelines, and the subject should contain only validated data.  One question to answer is whether the identifier is a subject identifier in line with other CAB Forum requirements.  If not in the subject information, could it be placed in Subject Alt Names or in other Extensions? Another question is whether LEI is a more specific form of naming that would fit into the hierarchical naming in subject information.  The PSD2 number mentioned by Nick identifies the database, the country, and the identifier, but it is a separate thing from the subject.  Ryan said that while we are discussing this issue in the context of ETSI, the broader question is whether the Forum wants to allow more information to be shoved into the subject field. If so, then we should look at the goals of that effort. Conversely, an extension or a subject alternative name could be used.



Nick's position is that this is subject information and not alternative information because it is a basic key to the security.  Ryan said that the sole unique key comes from the database as an alternative identifier and does not need to be an intrinsic part of the subject name. Nick said that the best thing would be for the Forum to tell ETSI what the Forum wants, and then ETSI can go off and come up with a solution.



Wayne explained that the guidelines don't prohibit extensions to certificates and that would be a solution. ETSI could take an OID and create an extension to contain the registered identifier, not in the extension, similar to the QC statement extension.  Nick asked about the rules to meet in order to put it in the subject name, provided it is validated.



If there are technical reasons why this information has to be in the subject field, then ETSI should articulate the specific reasons and provide those to the Forum. That will allow us to weigh one set of technical reasons against another set of technical reasons. From there we could look at a ballot to amend the EV Guidelines and/or Baseline Requirements.  This would be precedent setting for how the Forum deals with these kinds of issues in the future. The remainder of the discussion dealt with options for how an identifier might be incorporated into the serial number under section 9.2.6 of the EV Guidelines and other potential solutions.



The meeting concluded with the suggestion that an actual ballot proposal be made if the intent is to include it as part of the subject or that an extension be used to contain the information.



The meeting adjourned without covering agenda items 3 and 4.
