[cabf_validation] Minutes of the Validation Subcommittee call on Dec 5th, 2019

Wayne Thayer wthayer at mozilla.com
Thu Dec 5 11:03:55 MST 2019


Minutes of the Validation Subcommittee call on Dec 5th, 2019

Attendees: Tim Hollebeek, Bruce Morton, Mike Reilly, Joanna Fox, Shelly
Brewer, Vincent Lynch, Daniela Hood, Doug Beattie, Ryan Sleevi, Wendy Brown

The Antitrust Statement was read by Tim.

Agenda: Method 6 and validation sources. Also, subject attributes in CAs

Method 6 -

Tim: Where are we?

Doug: Sent out an update one month ago. Still need to get it into GitHub.
Didn’t receive any comments.

Validation Sources -

Tim: Discussed idea in Greece of developing a list of validation sources

Ryan: DigiCert has been helpful by publishing their existing sources

Robin: Happy to help in principle. See benefit of getting this info out
there

Ryan: We can put it on the wiki or in a collaborative spreadsheet.
Particularly helpful to get input from regional CAs

Doug: Can we reuse the Validation Summit Google doc?

Wayne: prefer a new doc, happy to create one

Doug: What about discussion of issues, which is easier in a Word-style doc?

Tim: Might need both a spreadsheet with the list and a doc with the
discussion

Ryan: Include a column indicating which CAs are using the source. The
initial list can include all sources in use, even if there are concerns
about some of them. After the list is compiled, we can challenge/dispute
individual sources. This preserves the status quo.

Tim: Wayne will create and share the docs as we’ve discussed

Subject Attributes in CAs -

Tim: I’ve seen different proposed approaches

Ryan: Had started work on a ballot. Looking at existing set of
publicly-trusted CA certificates. Trying to account for everything that has
been done. There are requirements from relying parties on certificate size
that lead to the desire to sunset fields that aren’t essential. Sunset can
be years away, and exceptions can be discussed. Moving to a world where
only required information is included is the goal.

Tim: Sunsetting fields is going to be controversial. Ryan, do you have a
list of the field currently found in CA certs?

Ryan: Yes, planning to share with the ballot. Expect to make progress on
the ballot this week.

Tim: I think the discussion of the current requirements (versus future
rules) now makes sense. Clarifying the current requirements is urgent
because it is blocking the issuance of ICAs.

Ryan: Agree, need to get something out that unblocks the creation of ICAs,
but can’t support that ballot without agreeing to a sunset in, say, 3
years. Then we can discuss changes that exempt fields from the sunset
later. Trying to find a middle ground

Tim: Concerned about setting up sunsets for fields that are later found to
be permissible.

Doug: Good to allow other fields for now. We create CAs for organizations
that could be confused without the additional fields, so we need the
discussion.

Doug: Will the ballot discuss cross-certificates?

Ryan: Scope is certificates with isCA=True. Not tackling the clarity issue
discussed on the list.

Doug: Concerned that it wouldn’t allow creation of cross-certs with a
subset of the 3 required fields.

Ryan: If we want to make any of those 3 fields not required, I think we
should treat that as a separate issue.

Tim: It would be a regression to stop requiring those 3 fields.

Ryan: Intent is to not restrict one CA from cross-signing another CA’s root

Doug: Issue is roots created before this requirement that don’t contain
those 3 fields.

Ryan: Unique case there is how to grandfather in legacy roots

Tim: We would support grandfathering

Any Other Business -

Wayne: TOR folks are interested in DV Onion certs. I plan to propose a
ballot

Ryan: we can probably remove the EV Onion extension as well. They’ve
adopted x25519 keys so the public keys aren’t truncated anymore, and thus
the EV extension is redundant.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20191205/88173c93/attachment.html>


More information about the Validation mailing list