[cabf_validation] Draft minutes for the SCWG Validation Subcommittee Teleconference - September 21, 2023
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Sep 22 11:24:54 UTC 2023
These are the Draft Minutes of the Teleconference described in the
subject of this message, prepared by Dimitris Zacharopoulos (HARICA).
Minutes validation subcommittee 2023-09-21
Aaron Poulsen - (Amazon), Andrea Holland - (VikingCloud), Aneta
Wojtczak-Iwanicka - (Microsoft), Ben Wilson - (Mozilla), Bilal Ashraf -
(SSL.com), Bruce Morton - (Entrust), Chris Clements - (Google), Clint
Wilson - (Apple), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI),
Daryn Wright - (GoDaddy), Dimitris Zacharopoulos - (HARICA), Doug
Beattie - (GlobalSign), Dustin Hollenback - (Microsoft), Inigo Barreira
- (Sectigo), Janet Hines - (VikingCloud), Joseph Ramm - (OATI), Li-Chun
Chen - (Chunghwa Telecom), Martijn Katerbarg - (Sectigo), Michael
Slaughter - (Amazon), Michelle Coon - (OATI), Nargis Mannan -
(VikingCloud), Nate Smith - (GoDaddy), Paul van Brouwershaven -
(Entrust), Pedro Fuentes - (OISTE Foundation), Rebecca Kelley - (Apple),
Rollin Yu - (TrustAsia Technologies, Inc.), Roman Fischer - (SwissSign),
Ryan Dickson - (Google), Scott Rea - (eMudhra), Thomas Zermeno -
(SSL.com), Tobias Josefowitz - (Opera Software AS), Wayne Thayer - (Fastly).
Approval of minutes
Minutes for the August 24th and September 7th were approved.
Review of Agenda
* Update from MPDV team
* Update from domain validation threat modeling team
* F2F planning
* (Time permitting) addressing the final item on the
“Applicant”/“Applicant Representative” todo list
Update from MPDV team
Ryan gave a quick summary about the IPR issue. Princeton's lawyers had a
different interpretation than the other organizations of the Forum. They
counter-proposed signing a Royalty-Free license and some language has
been drafted in that direction as a "backup" plan. The issue is somewhat
on hold. The draft language for the MPDV is currently on GitHub and
ready to go for a ballot.
Dimitris exchanged some emails with the Princeton team and also invited
Members of the CA/B Forum Governance Reform Group who provided insight
to the Princeton team regarding the intent and existing Members'
interpretation of the Forum's IPR Policy. Despite that effort and
clarifications, Princeton's lawyers insist on their interpretation and
Ryan is working with them on that matter.
Tobi asked what the Princeton lawyers' interpretation of the Forum's
IPR policy is. Ryan summarized that their interpretation is that any IP
that the University owns, or that professors of that University own, is
at risk from the MPDV Contributions to the Forum.
Update from domain validation threat modeling team
Michael Slaughter explained that the threat modeling team for domain
validation focused on the delegated DNS Domain Validation method, including
when the CA is involved in the process. The group discussed specific
threats and possible mitigations. They also proposed specific guardrails
for the current method 7 that will come with a revision of method 7.
Other more impactful changes will probably be introduced in a new
The team is ready to present their work to the larger group. There will
be two ballots at different timelines.
This will probably be presented at the F2F #60 during the Server
Certificate WG slot on Wednesday.
Corey will discuss with Inigo to possibly have a longer break (more than
15'). Paul mentioned that during breaks members have the opportunity to
discuss, which is very helpful.
What do we want to talk about?
* Threat model for Domain Validation methods
* MPDV (Ryan says he will explore how far we can get with the IPR issue)
* Ryan: The profiles ballot did not include some topics, which were
deferred. Perhaps we can identify and list topics that remain
deferred. Clint can help capture those, which are probably in
GitHub issues. Perhaps there is not enough time to prepare for the F2F, but
sometime in October we can start an email thread.
* Paul: Domain Validation methods CAA with account binding (similar to
the method with CNAME). We can discuss the new ACME RFC
(https://www.rfc-editor.org/rfc/rfc8657). Corey reminded that at the
last F2F it was agreed to have a two-stage approach where the first
stage would be a more "surgical" update on existing method 7 and
then work on other improvements. For this F2F, he recommended
focusing on method 7 so we can drive the ballot to success and then
work on the other issues.
* Paul proposed to discuss and clean up some open GitHub issues if we
have time left.
How long do we need?
Corey will discuss with Inigo about time to be allocated to the
Ryan can present the latest MPDV proposed ballot to the larger group to
solicit feedback, possible implementation challenges and other feedback.
This session could take up to 30'.
Corey suggested that 1 hour and 45 minutes would be a reasonable time to
reserve for the Validation Subcommittee.
Addressing the final item on the “Applicant”/“Applicant
Representative” from the TODO list
Item 7 from the previous TODO list is the clean up in section 9.6.3 (4)
for removal of "install".
The question is related to the Subscriber Agreement (Use of
Certificate). Dimitris proposed to remove that language (first part of
the sentence that includes the word "install") because it doesn't make
much sense to prohibit the installation of a certificate anywhere. Ben
mentioned that this language may have been there to prevent the MiTM
case. He said he was ok with eliminating that language. Ben wondered
what was the threat that we were trying to mitigate with this language
and he could only think of the MiTM. Tobi said that at the time it might
have been added because of services being offered from physical servers
but that probably doesn't make sense now.
The consensus was to remove the first part of the sentence. Corey asked
Ben and Dustin to tackle that in their ballot.