2019-05-02 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Antonio Perez (GoDaddy), Ben Wilson (Digicert), Chris Kemmerer (SSL.com), Dean Coclin (Digicert), Devon O’Brien (Google), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Frank Corday (SecureTrust), Geoff Keating (Apple), India Donald (US Federal PKI Management Authority), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Kenneth Myers (US Federal PKI Management Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michael Guenther (SwissSign), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden (Sectigo), Scott Rea (Dark Matter), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley (SecureTrust), Timo Schmitt (SwissSign), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).

Minutes

1. Roll Call

The Vice-Chair took attendance

2. Read Antitrust Statement

The Antitrust Statement was read

3. Review Agenda

The Agenda was approved.

4. Approval of minutes from F2F 46 and previous teleconference

The minutes from F2F 46 were approved and will be published on the public web site.

The minutes from the previous teleconference were approved and will be circulated to the public list.

5. Validation Subcommittee Update

Tim H. gave the update. There was a brief discussion for SC17 on the validation subcommittee call. There will be a new version coming up later today or tomorrow trying to resolve some parsing ambiguities due to the “hyphen” character. There will be at least one more version sent out before voting begins. The SC also discussed method 10 and Ryan was going to report on the status of the new ALPN RFC at IETF. The SC is also looking for a volunteer to draft a ballot for improving method 6.

6. NetSec Subcommittee Update

Ben gave the report. The SC is working on a draft ballot to improve the language of 1.h of the network security requirements (the one that discusses about monitoring and detection of issues in logs). Move it in another section that is more suitable for monitoring and alerting.

There was discussion about differences between online and offline CAs which should probably be taken into account and resolved before trying to work on 1.h.

Another ballot which is about log integrity and integrity controls. The SC has concerns about the “human review” factor and try to focus more on automated tools and DE-emphasize the human review element.

Reorganize the framework using for the NetSec requirements, creating some high-level statements and then expanding to some granular statements. 6 major principles that need to be followed:

1. implementing an information security program (should be based on other industry standards) annotated section which will cross-reference other standards as examples.
2. discussion about trusted roles (properly vetted) with some expectations
3. maintain secure networks and CA systems, which has about 10 controls currently associated with it.
4. strong access control measures, which has about 10-15 controls currently associated with it.
5. monitoring and testing networks and systems, logging and alerting
6. vulnerability scanning and patch management, currently in section 4 of the Network Security Requirements.

Wayne asked if this was going to be one big ballot and Ben responded that it would need to be broken down to smaller ballots.

7. Ballot Status

Ballots in Discussion Period

Ballot SC17: Alternative registration numbers for EU certificates (Tim H.): No additional comments were made.

Ballots in Voting Period

None

Ballots in Review Period

Draft Ballots under Consideration

Improvements for Method 6, website control (Tim H.)No additional comments were made.

8. Any Other Business

None.

9. Next call

May 16, 2019 at 11:00 am Eastern Time.

Adjourned