[cabf_validation] Notes from Meeting October 11, 2018

Ben Wilson ben.wilson at digicert.com
Mon Oct 15 17:48:30 MST 2018

Here are my draft minutes from our Validation Subcommittee Meeting of

Roll Call: Ben Wilson, Tim Hollebeek, Bruce Morton, Daymion Reynolds, Doug
Beattie, Frank Corday, Li-Chun Chen, Rich Smith, Robin Alden, Tim Shirley,
Wayne Thayer
CAA Records

On the last call we had discussed CAA records. The ballot is out for CAA
using email (CAA contact - Ballot SC4). There was concern that DNS TXT was
removed. The status of Ryan's work on DNS TXT was unclear.
Previously he had objected to the DNS TXT proposal, but those objections had
been addressed in version 3 of the ballot. As some people have pointed out,
this is the way that DNS TXT records work in practice, but this was removed
so that the non-controversial parts would pass first. The DNS TXT record
approach has strong support and it should be discussed during the meeting in
Shanghai and, if no one can present good reasons why not, then it should be
put forth as a ballot.

Bruce was concerned about why the ballot wasn't updated. There are more
people that can use DNS TXT than can use CAA. We don't want to be adopting
things that don't have an upside just because they are non-controversial.
Entrust's position is it should be left in until someone demonstrates or
gives data showing it should be taken out. Doug agreed, but noted that the
discussion in Shanghai should provide further clarity. Tim said he was open
to either approach, amending the ballot and resetting the voting period or
presenting another ballot, whichever the majority would prefer. Large
enterprises with their own DNS infrastructures don't have CAA support
either, and hence TXT records are far more valuable.

IP Address validation

The only issue on that one is when the date was going to be. For encoding
validation methods in a certificate extension, there is some interplay with
this ballot because IP validation methods are included in that other ballot.
There will need to be coordination with the timing and wording of the two
ballots as they go forward.

EV Validation Sources

That will be discussed in Shanghai.

Phone Ballot

Doug recirculated a draft asking for comments. He is suggesting that we do
it as one ballot instead of two, but would like input from others. One of the
issues is whether the proposed modifications to the procedures for voice
messages and call forwarding need to have a different effective date. There
may be logistical questions that CAs will have, so it would be good to have
more than the normal 30 days. The modification to the methods will likely
require specification as a new/different validation method. Doug would like
to have the DNS TXT method addressed at the same time.

Tim will create a GitHub how-to page on the CA/Browser Forum wiki site.

IETF - CAA Extensions for Validation Methods

Tim would like to get an RFC about CAA Extensions specifying validation
methods. The first draft of RFC 6844 bis was just published. Tim will look
into it with Jacob. There will be a problem keeping track of methods when
they are specified in the CAA record. Tim will start a discussion on the
LAMPS mailing list. Tim is looking for feedback.

ALPN Ballot

Ryan was talking about having one that follows the RFC and one that covers
everyone who isn't following the RFC.

Multi-perspective DNS

On the agenda for Tuesday

Method 6 Ballot

On the agenda for Tuesday
Wayne mentioned that it would be good to discuss underscores and Wayne's
proposal. His email discussed problems departing from the RFCs on
underscores. There have been plenty of emails on this topic. Another idea
introduced was the support for SRV names. These things could be discussed at
Tuesday's meeting. One issue is how we migrate customers away from using
underscores in their server names. SRV names allow underscores, but they
have an Achilles heel with the way name constraints work, so they are
difficult to transition to. Wayne suggested that we introduce a sunset
period. Tim will anonymize some use cases of customers and get them out.
