2018-12-13 Minutes for Server Certificate Working Group Teleconference
Attendees (in alphabetical order)
Anna Weinberg (Apple), Ben Wilson (Digicert), Bruce Morton (Entrust Datacard), Chris Kemmerer (SSL.com), Daymion Reynolds (GoDaddy), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Janet Hines (Trustwave), Fotis Loukos (SSL.com), Frank Corday (Trustwave), Geoff Keating (Apple), Gordon Bock (Microsoft), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Iñigo Barreira (360 Browser), Jeff Ward (CPA Canada/WebTrust), Joanna Fox (GoDaddy), Kirk Hall (Entrust Datacard), Mads Henriksveen (Buypass AS), Mahmud Khair (Trustwave), Marcelo Silva (Visa), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (Trustwave), Peter Miskovic (Disig), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley (Trustwave), Tomasz Nowak (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).
Minutes
1. Roll Call
The Chair took attendance.
2. Read Antitrust Statement
The Chair played back the Antitrust Statement.
3. Review Agenda
Today’s Agenda was approved.
4. Approval of Minutes of previous teleconference
The minutes of November 29, 2018 teleconference were approved and will be posted to the Public list and the Public web site.
5. Validation Subcommittee Update
Ben gave the update as he was taking minutes for the last VSC meeting but didn’t have time to compile and send the minutes to the validation SC. He briefly mentioned that the Subcommittee discussed ballot SC13 and the email addresses presented in CAA and TXT DNS records. The organizationIdentifier field requested to be allowed in EV Certificates was also discussed. Nick Pope also participated on that call.
6. NetSec Subcommittee Update
Ben reported that the NetSec Subcommittee met and discussed several topics starting with the Charter. The SC discussed what would be considered minimum standards and what would be considered best practices. The previous work related to Root CA Management Systems was also discussed to see if it this approach can be expanded to other systems. Identifying the scope of work in terms of details was also mentioned, for example details related the supply chain threats or USB sticks being used, etc.
It was also suggested that we go though the variety of types of risks, rank them and see the highest risks (threat, likelihood, potential damage).
There was concern if we should divide layers for Root CAs vs other CAs vs aspects of the system and whether that would be confusing. That work would be reported back to the SCWG, but it might take a while. The SC also plans on starting to build a threat model
7. Ballot Status
Ballots in Discussion Period
Ballot SC13: CAA Contact Property and Associated E-mail Validation Methods (Tim H.) Tim will probably start the voting period on Monday Dec 17th.
Ballots in Review Period None
Draft Ballots under Consideration
Removing “any other method” for IP address (Tim H.) No comments were made.
Improvements for Method 6, website control (Tim H.) No comments were made.
8. Any Other Business
None.
9. Next call
January 10, 2019 at 11:00 am Eastern Time.