[cabf_validation] Draft Minutes of Meeting Held April 20, 2023

Doug Beattie doug.beattie at globalsign.com
Wed May 3 10:55:03 UTC 2023

Validation Subcommittee – Minutes for Thursday, April 20, 2023

Minute Taker: Doug Beattie

Attendees:  Aaron Poulsen - (Amazon), Aneta Wojtczak-Iwanicka - (Microsoft), Ben Wilson - (Mozilla), Chris Clements - (Google), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Daryn Wright - (GoDaddy), Dimitris Zacharopoulos - (HARICA), Doug Beattie - (GlobalSign), Dustin Hollenback - (Microsoft), Ellie Lu - (TrustAsia Technologies, Inc.), Georgy Sebastian - (Amazon), Inigo Barreira - (Sectigo), Janet Hines - (VikingCloud), Johnny Reading - (GoDaddy), Joseph Ramm - (OATI), Kiran Tummala - (Microsoft), Martijn Katerbarg - (Sectigo), Michael Slaughter - (Amazon), Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Paul van Brouwershaven - (Entrust), Pedro Fuentes - (OISTE Foundation), Rebecca Kelley - (Apple), Rollin Yu - (TrustAsia Technologies, Inc.), Ryan Dickson - (Google), Thomas Zermeno - (SSL.com), Tim Hollebeek - (DigiCert), Tobias Josefowitz - (Opera Software AS), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management Authority)

Corey Bonnell read the attendance.

Corey read the note well statement.

The following minutes were approved.

*       March 23 meeting
*       April 6th meeting

Today’s Agenda

1.      Status report from the MPDV work team from Ryan and Chris, Multi domain.
2.      Pedro to discuss some unclear areas in EVGL
3.      Finish discussion of the ACME certificate issuance flow

   a.   Any other flows that are provided by Thursday can also be discussed

4.      Discussion on delegation of domain validation (as was identified and briefly discussed on previous call), (ACME issuance flows)

1) Ryan provided an update on the Multi-perspective domain validation (MPDV)

*       Had their last active meeting yesterday.
*       Working on draft to review with this group.
*       The simplest way to define diversity is based on geographic location.
*       Quorum requirements: The number of sites needed to agree with the primary CA check must be considerate to agility and resilience such that issuance is not blocked.
*       The group is working on action items and will work on this for prep before the next F2F and then have a discussion during the F2F.

2) ACME Issuance flow

Pedro and Jeremy had discussions on the list leading up to the call today. Pedro said that the requirements related to the Validation of JOI is confusing and that we should look into making some definition updates.

*       The JOI definition links to Government entities which causes some issues.
*       The definition makes a hard link between JOI and private orgs.  It’s his understanding that private orgs are incorporated only once and can be registered in different agencies multiple times in different jurisdictions. But apparently this is not the case in 8.5.2.


*       Makes sense. There is confusion in this area and the requirements are not great.
*       It would be good if there was just one single source of incorporation that everything pointed to, but some countries are complicated. Existing rules were created to clamp down on wild west to set some standards.
*       JOI Incorporation and JOI registration are different and there are mistakes in the requirements confusing the 2 terms. This is not happening here though, there is intended flexibility in this area about being able to use registration numbers even for private organizations in certain cases
*       One of the points in disclosing these sources publicly is to help clean up and normalize these sources. DigiCert thinks it would be useful if the registration source of a cert was listed in the cert to help others.

Pedro:  Recommend we update definitions. Later in the document the definition is a bit different, and this causes confusion.  Wants to remove link between private orgs and JOI.

Tim prefers to keep this link and fix the “or similar” references which is vague. More than happy to work on cleaning up the language.

Pedro:  For example, 8.5.2, #2 makes no sense.  There is no verb

Tim – need to make language more clear.  All of 8.5.2 is just one sentence with 6 subclauses and that is confusing and complex.

Dimitris totally agrees with challenges for non-native English speakers. There is still a lot of text that is hard to understand. EGVL was written mainly by lawyers which makes this more complicated.

Pedro: moving onto the second topic. When we talk about JOI, this is related to where the applicant is incorporated or where the applicant is registered.

Tim: There are lots of countries where they actually register at both levels.  Registrations are Unique nationally, but the agency is the local office, and it’s unclear which of those you should use.  It’s not clear from the guidelines which of these you should use.    This is really hard to get right and we need the CAs to agree on the approach.

Pedro – has not found that, but has noticed that Once the CA concluded search for JOI, we find discrepancies between different applicants for the same type.

Tim: It would help if CAs reviewed their disclosure notices and align on which ones to use when there are multiple sources that may meet the EVGLs.

Pedro, final point:

*       Discloser of verification sources. Section 11.1.3, Disclosure of verification sources.  This tells us that we need disclose Incorporation agencies or registration agencies.
*       Many of these agencies do not have this info online, but, there are qualified government sources we could use. There is no requirement to disclose QGIS.
*       Quick example was provided using QGIS and noted that the company is registered in Geneva and can obtain all info necessary for validation.  But that is not an incorporating agency but rather a government source that consolidates information  from multiple different regional sources.
*       Why is there no mention of disclosure of GQIS?

Tim: Looking at official source for country level which is intended to coordinate organizations in the country.  Requirements should say that this source is an official source for this info, but the requirements do not clearly state that.   If we all agree that these country level sources are ok to use for sublocations, that would be a great clarification.

Ben: should add QIIS as well.

Tim: we explicitly decided to not do this initially but adding them is a great next step.

Dimitris: When we introduced disclosure of sources, we knew this was a hard job.  We went for the lowest hanging fruit and went with agencies of incorporate or registration. QGIS is not the incorporating agency.  It is a list of those agencies. Need to disclose where the legal entity is created the first time – that is the source.  Every CA needs to use and identify  these and then can use other databases for addresses and POCs, but before we do that, we need to disclose these agencies.  We first need digest what is out there today and collect the sources and see what we do with these sources

Pedro: In many cases we cannot use the registration or incorporation agencies because they do not provide a tool to extract that information but it is extracted by GQGIS.

Tim: In many cases we can disclose the list of registration sources (sub-registration sources).  If Country has national discloser source – isn’t it better that we permit the official country level aggregator?  Do we want to recognize these country level sources as legitimate?

Pedro: We should disclose the verification source

Tim: Must disclose what you use now, but it’s unclear if the national source is allowed or not. The US does not have a national source.  Going to each jurisdiction is necessary because the same company name can be used in different states, so the local level is important to uniquely identify the company.  Need to be sure we identify the jurisdiction level to assure that each organization is uniquely identified.

Pedro: Need more discussion to put this in perspective so it works in all countries.

Ben: 8.5.2 has been there forever.  It’s very “legalistic” and should be simplified.  Can be incorporated in DE and have a registration number in a different state, show which one do we use?

Tim: That happens internationally as well. Swedish multinational company registered there and then a French registration can be pointed to that Swedish registration, and sometimes even with slightly different names.

Next steps: Continue to point out unclear wording on the list and work from there.

Corey: Inigo wants to reformat EGVL to align to the 3647 format with BRs, so maybe this should be done as part of that.

Cory: Let’s adjourn early and dive into ACME next time.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 78578 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20230503/d7c3dbb8/attachment-0001.bin>

More information about the Validation mailing list