[cabf_validation] Approved minutes of the Validation Subcommittee Meeting 2024-02-08
Corey Bonnell
Corey.Bonnell at digicert.com
Fri Mar 1 00:03:00 UTC 2024
These minutes taken by Aaron Gable were approved during this week’s validation-sc meeting at the F2F.
Attendees: Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Abhishek Bhat (eMudhra), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cade Cairns (Google), Chris Clements (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), David Kluge (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Enrico Entschew (D-TRUST), Eva Vansteenberge (GlobalSign), Gregory Tomko (GlobalSign), Inigo Barreira (Sectigo), Johnny Reading (GoDaddy), Keshava Nagaraju (eMudhra), Mads Henriksveen (Buypass AS), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI), Miguel Sanchez (Google), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Roman Fischer (SwissSign), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)
Administrivia
- Notewell read by Corey Bonnell
- Minutes from 2024-01-25 approved.
- The 2024-02-22 meeting will be cancelled due to the upcoming F2F
Status update on MPIC (Chris Clements):
- Plan to start official public discussion at beginning of March
- Draft ballot and Princeton IP disclosure provided to endorsers and met with approval
- Will provide extended discussion period for legal teams to provide feedback on IP
Status update on EV automation (Eva Van Steenberge):
- No update, no additional questions at this time
- Next step, forward upwards to ServerCert WG
- Dmitris Zacharopoulos: Confirming that the ultimate goal is to allow automatic issuance of EV certificates? Some CAs believe that automated issuance is already allowed, so clarity is good.
- Paul van Brouwershaven: Likely need to clarify the "Certificate Approver" and "Pre-Authorized Certificate Approver" language.
- Corey Bonnell: Maybe the next step is to improve EV 11.8.4 language before moving discussion to ServerCert.
- Eva: Let's continue here.
- Mads Henriksveen: Buypass is really looking forward to this work.
Status update on DNS Delegation to the CA (Michael Slaughter):
- Feedback has been received on the GitHub PR, working on addressing those comments now.
- Aim to move to voting fairly soon.
Face-to-Face Planning:
- Next meeting is in Delhi in about 3 weeks; Validation WG has ~1.5hr for discussion.
- Potential primary topic: what does or does not count as a Delegated Third Party for DCV?
- Obviously can continue discussion on MPIC, EV automation, and DNS delegation as well.
- Chris: Will not be in attendance. Other Chrome members will be, but do not plan to give an MPIC update.
- Eva: Will present the EV automation problem statement.
- Dmitris: Ensure there's also time for others to bring up concerns they have.
- Ben Wilson: Is the plan to discuss automation within the context of the *whole* EV guidelines?
- Dmitris: Yes, the concern is that there may still be sections in the EV guidelines that end up forbidding automation.
- Corey: Does 45 minutes for this discussion seem good? Yes
- Paul: Due to scheduling, it may be possible to begin discussion even earlier, on Tuesday of the F2F
- Michael: Happy to give a status update on DNS delegation.
- Corey: Does 15 minutes seem sufficient? Yes
- Corey: Last big topic is better defining DTPs with respect to DCV. Only half an hour for this discussion seems too short.
- Aaron: If we need to move something, seems most appropriate to move discussion of EV automation to ServerCert.
- Dmitris: Would still prefer that EV automation remain in Validation at least for now.
- Corey: Instead, let's move DNS delegation update to Tuesday, leaving 45 minutes each for EV automation and DTP discussions.
DTP discussion:
- Corey: We have some time, so let's start this discussion now.
- Discussion period on SC-070 has begun on the mailing list.
- Clint Wilson: Keeping the focus on domain validation, where CAs are forbidden to delegate actions to third parties, is the highest priority.
- Aaron: Next step is do develop an inventory of all places (e.g. email sending) where we think DCV delegation might be happening. Then can address those one by one.
- Mads: Note that Eva has raised a question on SC-070 on the mailing list -- we need to be careful about the definition of "service". For example: a validation specialist using a browser to look up WHOIS information from a registrar website.
- Dimitris: The BRs strictly define how WHOIS information can be obtained, and specifically include lookup on an HTTPS website.
- Dimitris: We also need to think bigger: networking, storage, cloud compute, etc. Need to think about the practical effects and threat model of delegation in each case.
- Aaron: Maybe an approach here is to use the protocol layer model. We don't need CAs to run their own TCP/IP layers, but they do need to control their own application layer endpoints, for example.
- Dimitris: We can also try to pull in the QIIS vetting model.
- Aaron: For example, running email infrastructure is meaningfully hard, and it may be against our best interests to continue forbidding delegating email.
- Tobias: We should remove email-based validation entirely, and then this problem goes away.
- Clint: This would be a hard, but worthwhile, endeavour.
- Dimitris: Some people consider email/sms contact to WHOIS the only way to actually reach the domain owner.
- Clint: Yes, but the domain owner isn't actually what DCV is trying to validate.
- Corey: Plan for F2F is to go down the list of domain control validation methods and identify potential DTPs within each
- Mads: Agreed, and seconding the idea of using the layer model to draw a clear line.
- Dimitris: Also important to look at which methods we want to get rid of entirely
- Aaron: Maybe we should have one or more people pre-process the list of DCV methods and present their findings?
- Corey: Will put together a framework to guide the discussion and circulate it ahead of time so that subcommittee members can begin to formulate their own feedback.
Meeting adjourned
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240301/a62a090e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5231 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240301/a62a090e/attachment-0001.p7s>
More information about the Validation
mailing list