[cabf_validation] Draft minutes for the SCWG Validation Subcommittee Teleconference - September 21, 2023

Fri Sep 22 11:24:54 UTC 2023

These are the Draft Minutes of the Teleconference described in the 
subject of this message, prepared by Dimitris Zacharopoulos (HARICA).

  Minutes validation subcommittee 2023-09-21

    Roll call

Aaron Poulsen - (Amazon), Andrea Holland - (VikingCloud), Aneta 
Wojtczak-Iwanicka - (Microsoft), Ben Wilson - (Mozilla), Bilal Ashraf - 
(SSL.com), Bruce Morton - (Entrust), Chris Clements - (Google), Clint 
Wilson - (Apple), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI), 
Daryn Wright - (GoDaddy), Dimitris Zacharopoulos - (HARICA), Doug 
Beattie - (GlobalSign), Dustin Hollenback - (Microsoft), Inigo Barreira 
- (Sectigo), Janet Hines - (VikingCloud), Joseph Ramm - (OATI), Li-Chun 
Chen - (Chunghwa Telecom), Martijn Katerbarg - (Sectigo), Michael 
Slaughter - (Amazon), Michelle Coon - (OATI), Nargis Mannan - 
(VikingCloud), Nate Smith - (GoDaddy), Paul van Brouwershaven - 
(Entrust), Pedro Fuentes - (OISTE Foundation), Rebecca Kelley - (Apple), 
Rollin Yu - (TrustAsia Technologies, Inc.), Roman Fischer - (SwissSign), 
Ryan Dickson - (Google), Scott Rea - (eMudhra), Thomas Zermeno - 
(SSL.com), Tobias Josefowitz - (Opera Software AS), Wayne Thayer - (Fastly).

    Approval of minutes

Minutes for the August 24^th and September 7^th were approved.

    Review of Agenda

Approved

  * Update from MPDV team
  * Update from domain validation threat modeling team
  * F2F planning
  * (Time permitting) addressing the final item on the
    “Applicant”/”Applicant Representative” todo list

    Update from MPDV team

Ryan gave a quick summary about the IPR issue. Princeton's lawyers had a 
different interpretation than the other organizations of the Forum. They 
counter-proposed signing a Royalty-Free license and some language has 
been drafted in that direction as a "backup" plan. The issue is somewhat 
on hold. The draft language for the MPDV is currently on GitHub and 
ready to go for a ballot.

Dimitris exchanged some emails with the Princeton team and also invited 
Members of the CA/B Forum Governance Reform Group who provided insight 
to the Princeton team regarding the intent and existing Member's 
interpretation of the Forum's IPR Policy. Despite that effort and 
clarifications, Princeton's lawyers insist on their interpretation and 
Ryan is working with them on that matter.

Tobi asked what is the Princeton lawyers' interpretation of the Forum's 
IPR policy. Ryan summarized that their interpretation is that any IP 
that the University owns, or professors of that University is at risk by 
the MPDV Contributions to the Forum.

    Update from domain validation threat modeling team

Michael Slaughter explained that the threat modeling team for domain 
validation focused on delegated DNS Domain Validation method, including 
when the CA is involved in the process. The group discussed specific 
threats and possible mitigations. They also proposed specific guardrails 
for the current method 7 that will come with a revision of method 7.  
Other more impactful changes will probably be introduced in a new 
validation method.

The team is ready to present their work to the larger group. There will 
be two ballots at different timelines.

This will probably be presented at the F2F #60 during the Server 
Certificate WG slot on Wednesday.

    F2F planning

Corey will discuss with Inigo to possibly have a longer break (more than 
15'). Paul mentioned that during breaks, members have the opportunity to 
discuss this is very helpful.

      What do we want to talk about?

  * Threat model for Domain Validation methods
  * MPDV (Ryan says he will explore how far we can get with the IPR issue)
  * Ryan: The profiles ballot did not include some topics and were
    deferred. Perhaps we can identify and list topics that remain
    deferred. Clint can help capturing those which are probably in
    GitHub issues. Perhaps not enough time to prepare for the F2F but
    sometime in October we can start an email thread.
  * Paul: Domain Validation methods CAA with account binding (similar to
    the method with CNAME). We can discuss the new ACME RFC
    (https://www.rfc-editor.org/rfc/rfc8657). Corey reminded that at the
    last F2F it was agreed to have a two-stage approach where the first
    stage would be a more "surgical" update on existing method 7 and
    then work on other improvements. For this F2F, he recommended to
    focus on method 7 so we can drive the ballot to success and then
    work on the other issues.
  * Paul proposed to discuss and cleanup some open GitHub issues if we
    have time left.

      How long do we need?

Corey will discuss with Inigo about time to be allocated to the 
Validation Subcommittee.

Ryan can present the latest MPDV proposed ballot to the larger group to 
solicit feedback, possible implementation challenges and other feedback. 
This session could take up to 30'.

Corey suggested that 1 hour and 45 minutes would be a reasonable time to 
reserve for the Validation Subcommittee.

    Addressing the final item on the “Applicant”/”Applicant
    Representative” from the TODO list

Item 7 from the previous TODO list is the clean up in section 9.6.3 (4) 
for removal of "install".

The question is related to the Subscriber Agreement (Use of 
Certificate). Dimitris proposed to remove that language (first part of 
the sentence that includes the word "install") because it doesn't make 
much sense to prohibit the installation of a certificate anywhere. Ben 
mentioned that this language may have been there to prevent the MiTM 
case. He said he was ok with eliminating that language. Ben wondered 
what was the threat that we were trying to mitigate with this language 
and he could only think of the MiTM. Tobi said that at the time it might 
have been added because of services being offered from physical servers 
but that probably doesn't make sense now.

The consensus was to remove the first part of the sentence. Corey asked 
Ben and Dustin to tackle that in their ballot.

    Adjourned
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20230922/82340024/attachment.html>