[cabf_validation] June 21 Validation WG Meeting Notes

Wayne Thayer wthayer at mozilla.com
Thu Jun 21 09:01:40 MST 2018


Notes from the June 21 Validation WG Meeting:

Attendees: Tim Hollebeek, Ben Wilson, Corey Bonnell, Shelley Brewer, Frank
Corday, Joanna Fox, Li-Chun Chen, Tim Shirley, Doug Beattie, Cecilia Cam,
Rich Smith, Wayne Thayer

   1. Tim updated the Trello board based on discussions at the F2F
   2. Tim recommended against having a ballot in discussion or voting
   during the governance transition - hold on ballots until July 3.
   3. Tim is ready to move forward with the IP address ballot to remove “any
   other method”. He’ll draft it and prepare to move forward in July.
   4. EV Guidelines ballot - still pending, no updates.
   5. DNS alternative to WHOIS for domain validation - ballot is
   progressing - expect to see a draft ballot soon.
   6. Validation method OIDs - Wayne proposed putting this info into the
   certificatePolicies extension, but that has a fatal flaw - a strict reading
   of RFC 5280 requires the OID to be present in the intermediate, and that
   would hobble improvements to validation methods. Wayne said he will propose
   a new unique extension. Tim would still like to be able to log this
   information outside of the certificate, but agreed that a future ballot
   could add that capability. Ben asked why we need this info in the
   certificate. Wayne answered that it provides relying parties more
   information about the trustworthiness of the certificate, and it is very
   useful to the ecosystem when confronted with issues like the weaknesses
   found in methods 1, 5, 9, and 10.
   7. CAA expression of permitted domain validation methods. Tim said that
   ACME has defined and implemented a method for this. Tim expects this to be
   discussed at the IETF meeting in Montreal. Tim questioned the scope -
   should it be standardized as a “top level” CAA tag, or part of the “issue”
   syntax? Doug said it would be more flexible at the “issue” tag level. Tim
   Shirley said that the flexibility probably wouldn’t be used. Rich agreed.
   Tim said it’s better to take the time to define a new tag. Corey said that
   CAs might have different identifiers for validation methods. For instance,
   ACME uses an IANA registry. Tim said that’s a problem with ACME doing their
   own thing. The confusion is already there. Wayne said that we do want
   friendly names, so there will be some type of “registry” for mapping
   OIDs/method numbers to names. Tim said that we should register names with
   IANA if we create a new top-level CAA tag. Rich said “let’s do it right”.
   Tim will start a discussion about adding a new top-level tag on the IETF
   LAMPS mailing list.
   8. New ACME TLS-ALPN method - ACME is testing this. It currently falls
   under 3.2.2.4.10. Is there interest in replacing 10 with the ALPN method?
   Wayne and Tim agreed to work together on a ballot.
   9. Revocation ballot - Wayne said that he is leaning toward leaving the
   proposed changes to address revocation for “misuse” to a separate ballot
   because the issue is complex and contentious. Others agreed. Wayne said
   that he would publish a ballot and ask for endorsers.
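The question raised in item 7, whether a per-method restriction belongs inside the existing “issue” tag syntax or in a new top-level CAA tag, is easier to weigh with the “issue” variant in front of you. The following is an added example, not part of the original notes and not code from the CA/Browser Forum or any ACME implementation: a parser for the “issue” value form the ACME work took (a `validationmethods` parameter after the issuer domain, as later published in RFC 8657), plus the check a CA would run before issuing. The sample records and the mapping from ACME challenge names to BR method numbers are constructed for this example; `http-01`, `dns-01` and `tls-alpn-01` are real IANA-registered ACME challenge identifiers, and placing TLS-ALPN under 3.2.2.4.10 follows item 8, while the other two rows of the mapping are this example's assumptions.

```python
"""
Evaluate CAA "issue" property values that restrict a CA to particular domain
validation methods.

Added example; not code from the meeting notes, the CA/Browser Forum or ACME.
Syntax follows the ACME CAA extension (later RFC 8657): an issue value is
"<issuer-domain-name>; tag=value; ..." and a "validationmethods" parameter
lists the methods the named CA may use. All records and the ACME-to-BR
mapping below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed mapping from ACME challenge identifiers to Baseline Requirements
# method numbers. 3.2.2.4.10 for TLS-ALPN comes from the notes; the other two
# rows are this example's assumptions, not a CA/B Forum registry.
ACME_TO_BR_METHOD = {
    "http-01": "3.2.2.4.6",
    "dns-01": "3.2.2.4.7",
    "tls-alpn-01": "3.2.2.4.10",
}

_DOMAIN_RE = re.compile(r"[a-z0-9.-]+")        # issuer-domain-name, simplified
_TAG_RE = re.compile(r"[a-z0-9][a-z0-9-]*")    # parameter tag (RFC 8659 shape)


@dataclass
class IssueProperty:
    issuer_domain: str                          # "" means the record names no CA
    params: Dict[str, str] = field(default_factory=dict)


def parse_issue_value(value: str) -> IssueProperty:
    """Parse an issue/issuewild property value into domain plus parameters.

    Malformed input raises instead of being ignored: this example fails
    closed, so a parse error is a "do not issue" signal for the caller,
    never a silent fallback to "unrestricted".
    """
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower()
    if domain and not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"invalid issuer-domain-name: {parts[0]!r}")
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue                            # tolerate a trailing ";"
        tag, sep, val = part.partition("=")
        tag = tag.strip().lower()
        if not sep or not _TAG_RE.fullmatch(tag):
            raise ValueError(f"malformed parameter: {part!r}")
        if tag in params:
            raise ValueError(f"duplicate parameter: {tag!r}")
        params[tag] = val.strip()
    return IssueProperty(domain, params)


def permitted_methods(prop: IssueProperty) -> Optional[Set[str]]:
    """Methods the named CA may use, or None when the record is unrestricted."""
    raw = prop.params.get("validationmethods")
    if raw is None:
        return None
    methods = {m.strip().lower() for m in raw.split(",")}
    if "" in methods:
        raise ValueError("validationmethods must be a non-empty comma list")
    return methods


def ca_may_issue(records: List[str], ca_domain: str, method: str) -> bool:
    """Decide whether the CA `ca_domain` may issue using validation `method`.

    `records` are the issue property values of the relevant CAA record set
    (the RFC 8659 tree-climbing lookup is assumed done by the caller). The CA
    is authorised when some record names it and that record either has no
    validationmethods parameter or lists `method`. No issue records at all
    means CAA imposes no restriction.
    """
    if not records:
        return True
    ca_domain, method = ca_domain.lower(), method.lower()
    for value in records:
        prop = parse_issue_value(value)         # raises -> caller must not issue
        if prop.issuer_domain != ca_domain:
            continue
        allowed = permitted_methods(prop)
        if allowed is None or method in allowed:
            return True
    return False


def permitted_br_methods(records: List[str], ca_domain: str) -> Optional[Set[str]]:
    """BR method numbers CAA permits for the CA, via the constructed mapping.

    None means unrestricted; an empty set means the CA is not named at all
    (or only with identifiers absent from the mapping, e.g. "ca-" values).
    """
    if not records:
        return None
    result: Set[str] = set()
    for value in records:
        prop = parse_issue_value(value)
        if prop.issuer_domain != ca_domain.lower():
            continue
        allowed = permitted_methods(prop)
        if allowed is None:
            return None
        result |= {ACME_TO_BR_METHOD[m] for m in allowed if m in ACME_TO_BR_METHOD}
    return result


# Constructed sample: one CA pinned to two ACME methods, one unrestricted.
CONSTRUCTED_RECORDS = [
    "ca.example.net; validationmethods=dns-01,tls-alpn-01",
    "other-ca.example; accounturi=https://acme.example/acct/1",
]

if __name__ == "__main__":
    for ca, m in [("ca.example.net", "dns-01"), ("ca.example.net", "http-01"),
                  ("other-ca.example", "http-01"), ("unlisted.example", "dns-01")]:
        print(f"{ca:18} {m:12} -> {ca_may_issue(CONSTRUCTED_RECORDS, ca, m)}")
    print("BR methods for ca.example.net:",
          sorted(permitted_br_methods(CONSTRUCTED_RECORDS, "ca.example.net")))
```

A top-level tag, the alternative Tim favoured, would move the method list out of the “issue” value and apply it to every CA the record set names; the per-CA check above would collapse to a single lookup, which is the flexibility Doug described and which Tim Shirley and Rich expected to go unused. Either way the CA-side logic needs the name-to-method-number mapping Wayne mentioned, which is why the example carries one, and it fails closed on anything it cannot parse.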