[cabf_validation] Minutes of the Validation Subcommittee - March 24, 2022
wthayer at gmail.com
Thu Mar 24 17:34:38 UTC 2022
Attendance: Amanda Mendieta, Aneta Wojtczak, Ben Wilson, Clint Wilson,
Bruce Morton, Corey Bonnell, Dimitris Zacharopoulos, Daryn Wright, Doug
Beattie, Heather Warncke, Inigo Barreira, Joanna Fox, Johnny Reading,
Joseph Ramm, Kiran Tummala, Martijn Katerbarg, Michael Slaughter, Rebecca
Kelley, Ryan Dickson, Ryan Sleevi, Stephen Davidson, Thomas Zermeno, Tobias
Josefowitz, Trevoli Ponds-White, Tyler Myers, Wendy Brown, Wayne Thayer
Corey Bonnell read the antitrust statement.
** Minute Takers:
Wayne Thayer agreed to take minutes.
* Discussion on next steps for the Certificate Profiles Ballot
* Migration of Trello Board to Github
Corey mentioned that Tim Hollebeek will be cancelling the recurring meeting
invite on his calendar. No cancellation notices should be sent out because
Wayne is the meeting organizer, but in case that happens please let Wayne
or Corey know. Meeting info is also available on the wiki.
** Next Steps on Certificate Profiles
Corey said that we had a discussion about where the ballot should live.
Ryan Sleevi said that it’s just a matter of sending pull requests to
propose changes that are desired. Also be aware that there are changes to
tooling that need to be landed to improve to appearance of the changes in
the document. The plan is to update the tooling when this gets to the
ballot phase. Ryan said that he continues to document changes in the PR.
The last time Ryan was able to make this call there was discussion about
“any other value” in extensions but there has been no response from
individuals who said that they would review.
Corey said that we will continue to collaborate in Ryan’s repo. Ryan agreed
and mentioned that Tim said that he would work with Amanda Mendieta on
scoping issues but Ryan hasn’t heard anything more.
Corey said that several issues that were discussed in the Fall haven’t
landed in the PR, such as validity periods. Corey said that he would review
the draft for omissions. Ryan said some of those issues may now be
addressed, and offered to work with Corey on any remaining open items. Ryan
referenced the following thread:
Corey said that the proposal was to defer normative changes to small
Ryan asked about concerns with AKI/SKI being a SHOULD in the root profile.
Ryan said that Microsoft and Adobe software prioritizes AKI/SKI over
Subject/Issuer for matching. For example, if SKI is missing from a root,
the path building logic might choose a longer path with AKI/SKI. This was
included in the profiles ballot because changes to new roots should be
relatively quick and easy to implement and this provides reasonable value.
He also said that Windows has “counter” logic to track how many times a
path was built with the same issuer name to prevent a DoS-like attack. The
profiles provide guidance for avoiding both situations, and reduce the need
for CAs to understand arcane client behavior.
Corey said that the logic makes sense, but he questioned if the BRs should
account for non-standard client behavior. He also said that requiring
uniqueness is not enough - you need to specify how to achieve uniqueness.
Ryan said that prior drafts provided a prescriptive approach to uniqueness,
but since RFC 5280 allows more flexibility, the language ended up in the
current state. Ryan said that he is open to changes and has even considered
putting some of this information in an appendix.
Corey said that we could also add this type of info to the CAB Forum
Trevoli Ponds-White said that the idea of placing this information on a
website makes sense and would allow for more context and editing without
Ryan asked if we should keep the changes in the ballot? Trev said that
these are two separate things, but the profile change should be a separate
later ballot. Ryan said that the point of putting this requirement in the
BRs is to avoid the need for all CAs to understand the “why” behind the
requirement. Trev said that we’ve been discussing this for a long time and
should now remove the change from the initial ballot and move forward.
Corey clarified that there is agreement that the explanation should not be
in the BRs.
** Migration of Trello Board to Github
Corey presented the existing Validation WG Trello board. He proposed moving
the work items to issues in a GitHub project. Yesterday Corey shared an
export of the tasks from the Trello board on the mailing list:
proposed closing some items that have been completed rather than migrating
Wayne suggested that Corey allow time for comments on his proposal and then
proceed. Corey said that he would wait until next week and if no one
comments he will move and close issues as he proposed.
The call ended.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Validation