2019-05-02 Minutes of the Server Certificate Working Group
Attendees (in alphabetical order)
Antonio Perez (GoDaddy), Ben Wilson (Digicert), Chris Kemmerer (SSL.com), Dean Coclin (Digicert), Devon O’Brien (Google), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Frank Corday (SecureTrust), Geoff Keating (Apple), India Donald (US Federal PKI Management Authority), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Kenneth Myers (US Federal PKI Management Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michael Guenther (SwissSign), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden (Sectigo), Scott Rea (Dark Matter), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley (SecureTrust), Timo Schmitt (SwissSign), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).
Minutes
1. Roll Call
The Vice-Chair took attendance.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
The Agenda was approved.
4. Approval of minutes from F2F 46 and previous teleconference
The minutes from F2F 46 were approved and will be published on the public web site.
The minutes from the previous teleconference were approved and will be circulated to the public list.
5. Validation Subcommittee Update
Tim H. gave the update. There was a brief discussion of SC17 on the validation subcommittee call. A new version will be circulated later today or tomorrow that tries to resolve some parsing ambiguities involving the “hyphen” character. At least one more version will be sent out before voting begins. The SC also discussed method 10, and Ryan was going to report on the status of the new ALPN RFC at the IETF. The SC is also looking for a volunteer to draft a ballot for improving method 6.
6. NetSec Subcommittee Update
Ben gave the report. The SC is working on a draft ballot to improve the language of 1.h of the Network Security Requirements (the section that discusses monitoring and detection of issues in logs), and to move it to another section that is more suitable for monitoring and alerting.
There was discussion about differences between online and offline CAs which should probably be taken into account and resolved before trying to work on 1.h.
Another ballot concerns log integrity and integrity controls. The SC has concerns about the “human review” factor and will try to focus more on automated tools and de-emphasize the human review element.
The SC also intends to reorganize the framework used for the NetSec requirements, creating some high-level statements and then expanding them into more granular statements. There are 6 major principles that need to be followed:
- implementing an information security program (which should be based on other industry standards), as an annotated section that will cross-reference other standards as examples.
- discussion about trusted roles (properly vetted) with some expectations
- maintain secure networks and CA systems, which has about 10 controls currently associated with it.
- strong access control measures, which has about 10-15 controls currently associated with it.
- monitoring and testing networks and systems, logging and alerting
- vulnerability scanning and patch management, currently in section 4 of the Network Security Requirements.
Wayne asked if this was going to be one big ballot and Ben responded that it would need to be broken down to smaller ballots.
7. Ballot Status
Ballots in Discussion Period
Ballot SC17: Alternative registration numbers for EU certificates (Tim H.): No additional comments were made.
Ballots in Voting Period
None
Ballots in Review Period
Draft Ballots under Consideration
Improvements for Method 6, website control (Tim H.): No additional comments were made.
8. Any Other Business
None.
9. Next call
May 16, 2019 at 11:00 am Eastern Time.