[cabf_validation] Minutes of the Validation Subcommittee Call on July 16, 2020

Thu Jul 16 17:04:16 MST 2020

# Minutes from the Validation Subcommittee Meeting of 16 July 2020.

## Attendees:
Tim Hollebeek, Ryan Sleevi, Daniela Hood, Clint Wilson, Andrea Holland, Ben
Wilson, Bruce Morton, Corey Bonnell, Enrico Entschew, Janet Hines, Joanna
Fox, Johnny Reading, Julie Olson, Kirk Hall, Li-Chun CHen, Niko Carpenter,
Robin Alden, Shelley Brewer, Trev, Wayne Thayer

## Agenda:
Look at the Trello board
Consider transitioning Trello to GitHub
Certificate profiles

The antitrust statement was read by Wayne, and a minute taker was assigned.

## Agenda review
Daniela asked to add a question about ballot SC30.
Tim - Go ahead now
Daniela - for Government Entities we can use EV section 6. For Business
Entities we can validate via direct contact with the registration agency.
These are normally one-off validations.
Ryan - sounds like for Business Entities the case is where you contact the
registration agency directly?
Daniela - correct, we call them to validate documentation. It’s a
jurisdiction that we wouldn’t normally use, so wouldn’t normally be
disclosed. Sounds like the source should be disclosed before the cert is
issued.
Ryan - correct for Business Entities. On Government Entities, for example,
there was a question on which source to use. One CA cited an act of
parliament, but upon later review found that later acts had invalidated it.
Government entities don’t always have that. This ballot is focused on
Business Entities where agency of registration or incorporation is used.
Would be nice to have data for government entities, but that’s not required
by SC30.
Daniela - that clarifies it
Tim - there is no clear line between what is a government agency and what
isn’t. Something we might want to think about in the future.

## Trello board
Tim - (sharing Trello board, which is linked from the wiki) how do we want
to do this? Go through all the cards?
Wayne - there aren’t that many, we should be able to review them all.
Tim - ‘Require DNSSEC validation for CAA records when the domain is DNSSEC
enabled’.
Ryan - this helps distinguish malicious attacks from benign failures. This
would require CAs to check DNSSEC if the domain has it enabled.
Tim - will we get to this soon? Since no one responded, remains in backlog.
Tim - ‘Improve CAA logging’ - not many requirements around what CAs must
log. Remains in backlog
Tim - ‘Definition of Applicant is different for 3.2.2.4 that it is for the
rest of the document’. This is interesting. Tim will work on this - moving
to ‘on-deck’.
Ryan - there are considerations beyond 3.2.2.4. Worked with a CA that also
provides hosting services - e.g. Google, Amazon, GoDaddy, Microsoft. There
is inconsistency that makes this scenario challenging. Need to make sure
Applicant/Subject/Subscriber terms are used consistently throughout the doc.
Tim - another case is a CA issuing a cert for its own website. Some
language is problematic when Applicant and CA are the same. Key generation
is an interesting issue.
Tim - ‘Independent subjects with independent SANS. X500 from Peter’. Not
sure what this is.
Ryan - having a CDN as the named Subject of a cert with a bunch of
unrelated domains in the SAN is the issue. E.g. ‘Cloudflare’ in the O
field. Is that desirable?
Tim - not sure this is useful
Ryan - agree
Tim - moved this item to ‘closed’
Tim - ‘Define CAA extensions for validation methods’. Got hung up around
how to specify methods. This is not a near term work item.
Ryan - agree, this requires a concrete proposal.
Tim - ‘Require domain validations to be performed from multiple network
perspectives…’. This needs a concrete proposal.
Ryan - agree, the devil is in the details
Tim - ‘IP address DNS txt. Validation’. Propose we close this due to
insufficient detail
Tim - Require validation method OIDs in certs Leave in backlog
Tim - ‘Workaround for DNS fragmentation attacks’.
Ryan - Workaround proposed by academic paper and implemented by Let’s
Encrypt. Proposal was to add it to the BRs. Would prefer to see a normative
requirement that requires a bunch of specification work.
Tim - leave in backlog
Tim - ‘Bygone SSL’. Tie cert validity to domain registration period.
Ryan - Wouldn’t want to lump this together with registration lifetimes.
Bygone SSL is really domain reuse. Roots stores are looking at reducing
information reuse period rather than tie to registration period.
Tim - high priority. Move to ‘in progress’.
Ryan - second priority after cert profiles for us
Tim - ‘Peter’s registrar challenge-response validation method’.
Interesting, needs a champion to write a proposal.
Ryan - this is somewhat ameliorated by the newer DNS methods. Addresses
case where whois data can’t be modified or isn’t public.
Trev - is this the same as method 12 that Dave Blunt was going to work on?
Ryan - yes
Tim - ‘Backdating notBefore'
Ryan - this fits into the profile work. Also, in SC31 (browser alignment),
validity period is aligned with the RFC 5280 definition. This proposal was
to clarify the relationship between notBefore and issuance time for
end-entity certs. And probably OCSP responder certs.
Tim - in the validation requirements of the notBefore section of the
profile.
Ryan - yes, a rule on what the contents can be.
Tim - ‘Delegating DNS to the CA’. Did the m.d.s.p. thread reach a
conclusion?
Ryan - in order to make progress, need to sort out
Applicant/Subscriber/Subject definitions, and need concrete proposals that
we can use to reason about the security properties of the implementation,
which is easy to get wrong. Also relates to CA protection of Subscriber
accounts. This moves threat of DNS compromise from Subscriber to the CA.
Need more discussion about what CA controls are needed.
Tim - Also related to granting CAs permission to use specific validation
methods so Subscribers can opt-in. In backlog pending a concrete proposal.
Tim - ‘Validation requirements for .arpa domains’. Lots of sketchy stuff
going on under .arpa
Ryan - we could just prohibit it
Tim - Agree, but lots of web servers are running under .arpa
Ryan - under .arpa, or using an IP address?
Tim - could be the IP, but people are getting certificates for the .arpa
domain. All that I’ve seen are from Let’s Encrypt so maybe the certs are
being automatically created.
Ryan - in Caddy V1 (off by default in V2), it automatically tries to get a
cert.
Corey - a couple of web servers are running at a class B network, meaning
someone explicitly created an A record pointing to a web server. This looks
intentional. Those certs are coming from a large CDN.
Tim - this may break something. Moving to “on deck” and maybe we can make
some progress
Tim - ‘Defining specific redirect response codes for HTTP’. This has been
discussed a fair amount.
Ryan - draft language has been circulated. Would like to get this out in
the next few weeks.
Corey - should there be more discussion of the security properties on a
future call?
Tim - yes, should be discussed again. Moving to VWG review column.
Tim - Moving to the ‘on deck’ column. ’Validation Summit method 8 Ballot’.
Thinking we were done with Validation summit methods.
Wayne - we removed ‘any other method’ for IP addresses, but haven’t gone
back and reviewed the IP validation methods
Ryan - there was a question if method 8 was even appropriate. We could
propose forbidding it.
Tim - ‘Standardize State and Province names’.
Tim - ‘Define standard CAA semantics for limiting issuance to DV/OV/EV’. On
the back burner now. Move to backlog.
Tim - ‘Information reuse’ can stay - just added
Tim - Looking at the ‘in-process’ list. Should ‘Create Allow-list of
Registration agencies…’ be here? Moved to backlog.
Tim - ‘Clarify requirements for the SubjectOU field in BR 7.1.4.2.2’. We
need to get back to this. Will put it on the agenda for next time.
Tim - move ‘Permit the inclusion of LEIs’ to backlog
Tim - ‘Validation Summit method 10 - ALPN’. Wayne was going to work on this
Wayne - still planning to move this forward.

## Certificate Profiles
Tim - We’re out of time. Any quick updates on certificate profiles? No.

## Transitioning from Trello to GitHub
Tim - on to the topic of moving from Trello to GitHub. Tim created a
‘validation subcommittee’ label in GitHub that can be attached to issues.
Wayne - we can create a project and then a board very similar to Trello to
organize those issues. We just need someone to do the grunt work of moving
them from Trello to GitHub
Tim - we can discuss on the next call after everyone has had a chance to
consider moving to GitHub projects.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200716/8d6457e0/attachment.html>