[cabf_validation] Minutes from the Validation Subcommittee meeting of 25 October 2018

Wayne Thayer wthayer at mozilla.com
Thu Oct 25 15:22:30 MST 2018


Attendees: Tim Hollebeek, Ben Wilson, Doug Beattie, Shelley Brewer, Bruce
Morton, Frank Corday, Joanna Fox, Rich Smith, Li-Chun Chen, Tim Shirley

Tim: today we’ll review the things we talked about at the F2F last week and
decide if we want to change any priorities on our Trello board. In the
future I will probably ask for more than 2 hours for the Validation
Subcommittee meeting. We had to cut off some good discussion last week.

1. Proposal to limit validation methods via CAA - Tim said this was met
with skepticism at the F2F, but he has customers that are interested.
Interest is lukewarm. Bruce and Doug said they don’t have a need for this.
Doug agreed and suggested that the group focus on finishing other work.

Tim mentioned that he won’t be able to attend the next Validation
Subcommittee call due to the IETF meeting.

2. BGP hijacking - Tim forwarded an IETF draft on ACME domain validation
vulnerabilities to the list. Tim said that it is not specific to ACME, but
one of the attacks it covers is BGP hijacking. Wayne asked if we are going
to try to do something about it. Wayne said that he’s not convinced that
multiple perspectives are an effective mitigation. Let’s Encrypt is
experimenting with this. Maybe we can get insight from them. Tim said that
multiple perspectives are costly and perhaps BGP monitoring is a more
practical response. Wayne asked how we would write a policy around BGP
monitoring - require CAs to review certs issued during detected BGP
anomalies. Tim said it would take a lot of work to figure out how to
operationalize that. He is paranoid that it will be exploited and we’ll be
blamed for not doing anything. Wayne said the problem is what, and maybe
we’re not the right group to address it. Tim agreed and said that maybe the
issue should be raised with the IETF. Wayne agreed.

3. SC4 - TXT records for CAA - after the discussion at the F2F, Tim feels
that there is general support for TXT records, so he is planning to revert
back to the ballot that includes both TXT and CAA records - any objections?
No objections.

4. Underscores in DNSNames - Wayne said that he just wants to make it clear
that the practice is not acceptable, and the way to do that is to make it
clear in the BRs. CAs not following this discussion shouldn’t have trouble
learning that this is a forbidden practice. Wayne said that he is inclined
to go ahead with the current proposal because he doesn’t think the practice
will end just because we had a lengthy discussion on the list. Bruce asked
what the current proposal is? Wayne said that it’s an immediate move to
30-day durations, revocation on December 1st, and no further issuance on
April 1st. Bruce said that Dec 1st is less than 6 weeks away - no
implementation time. Tim said that Dec is a time of change freezes. Wayne
said he understands, but the other side is asking why we should allow this
at all. Bruce asked why it is an emergency? Wayne said it’s not an
emergency, it’s a debate between principled and pragmatic views of the
issue, and reconciling those views is nearly impossible. Rich said that he
has no opinion on whether underscores should be allowed, but they currently
are not allowed and the failure of ballot 202 made that clear. Rich is not
opposed to a ballot permitting underscores. Tim said that 202 was a
complicated ballot. When a ballot fails, requirements don’t change, so you
can’t use that as a basis for deriving requirements. Wayne said that 202
failed for 3 or 4 reasons and it appeared that it would be modified and
balloted again, so it’s not so obvious that 202 changed anything. Rich said
that it’s not fair to say that CAs should have known all along because it’s
not obvious, but in the discussion of 202 it became clear that underscores
are not allowed by the RFCs. Tim said that the reason browsers allow this is
because the industry has been unclear on this. Rich said that someone
should have brought forth another ballot permitting underscores after 202
failed, and without that, there is no excuse for continued issuance. Tim
said that he supports Wayne’s efforts to clarify the situation. Wayne said
that he just wants to make this clear so we don’t have to deal with this in
the future and he doesn’t really care how we get there. Tim agreed, but
said that December is a bad time. Wayne said that he thinks it’s valuable
to find consensus. Tim said change freezes make this impossible. Wayne said
that he thinks the argument is overblown. There are only a handful of
companies, and there are always exceptions to change freezes. Doug said
that CAs issuing certs with underscores should start issuing 30-45 day
duration certs now. Wayne asked if anyone on the call supports the ballot
or wants to propose something different. Bruce said Entrust supports
getting rid of underscores, but revocation should be moved into the new
year rather than during the IPR review period. Wayne asked if Jan 15 would
be acceptable? Tim said yes. Strong preference for Jan 15. Rich said that
the argument for not punishing subscribers has convinced him that an
immediate revocation is not appropriate and he would support a revocation
date in the new year. Wayne said that he would consider the suggestion and
planned to move forward with the ballot. Wayne asked for endorsers. Rich
said he would consider it but asked Wayne to first post the latest version.
Frank also said that he’d review it.

5. IP address ballot - Tim will find time to work on this ballot and SC4.
Doug asked how the sunset of the old methods will be handled. Tim said that
transition dates make a ballot complicated. Doug suggested including “any
other method” as a numbered method with a sunset date. Tim said he might do
that. The date we agreed to was June 1.

6. Method 6 - Tim said we should discuss on the next call and asked
everyone to prepare by reviewing the validation summit notes. That is going
to be a complicated ballot.

Any other business?