2019-10-03 Minutes of the Server Certificate Working Group
Attendees (in alphabetical order)
Ben Wilson (Digicert), Bruce Morton (Entrust Datacard), Chris Kemmerer (SSL.com), Daniela Hood (GoDaddy), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Gordon Bock (Microsoft), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Janet Hines (SecureTrust), Jos Purvis (Cisco Systems), Kenneth Myers (US Federal PKI Management Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).
Minutes
1. Roll Call
The Chair took attendance.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda
No changes to the agenda.
4. Approval of minutes from previous teleconference
The minutes from the previous teleconference were approved and will be circulated to the public list.
5. Validation Subcommittee Update
The subcommittee did not meet since the last meeting so there was no update.
6. NetSec Subcommittee Update
Ben reported that SC21 is in the final stage of voting. He mentioned that some of the sub-groups met last week and they continue drafting ballots. Dimitris asked about SC20 and if there is any further progress and Ben said the sub-group is working on that and will update the ballot soon.
Ryan expressed some concerns about the reporting and communication of these sub-groups and the NetSec subcommittee to the larger WG in terms of the broad set of problems they are working on. It seems there were very interesting discussions during the preparation of SC21 which weren’t communicated all the way to the WG. It would be sufficient if these discussions were somehow communicated through the minutes of these subcommittee calls so that Members have a better understanding about the rationale of some recommended changes proposed in ballots. It would be nice if the Subcommittee was able to describe a set of problems they are trying to solve and how they are trying to solve these problems. That would be helpful for any ballot, not just for this subcommittee.
Tobi mentioned that in the introduction of SC20 the subcommittee tried to add language about the motivation and the problems they are working on. Tobi explained some of the difficulties in explaining what it means to have certain requirements for “configurations” and try to add language which attempts to give an “impression” of what constitutes a “configuration” and what does not.
Ryan clarified that he sees value in updates. He would like to see which updates are intentional (and linked to the problem we are trying to solve) and which ones are not and might create additional ambiguities. He gave an example of the ballot that removed validation methods 1 and 5 where Jeremy Rowley from Digicert gave a concrete example of the problem and suggested a solution. In any case, when a topic moves to the Working Group level, any pointers to previous subcommittee or sub-group discussions would be useful so that Members can get a clear understanding of the stated problems and the proposed solutions, in order to avoid possible new ambiguities from being accidentally introduced.
Dimitris recommended that it would be very useful if Ben could collect a summary of updates from the sub-groups that he could use to report back to the larger group. Tobi mentioned that some sub-groups have detailed minutes and Dimitris explained that it would be better to have aggregated minutes to be reported for the larger group teleconferences.
Tobi continued to discuss about SC21 and mentioned that in some cases it is hard to see or understand the angle/point of view of members not participating on the calls. Dimitris reminded that SC21 did not remove any of the previous controls but just added some automation options. Ben mentioned that the language proposed in SC21 was reorganized and that the subcommittee could provide more emphasis on the “continuous monitoring” element that the group had discussed and all the benefits from that. Ben also mentioned that in these meetings, Tim Crawford (auditor) explained how adding language for “f.” around monitoring the archival and retention of logs would require additional review by auditors and preparation by CAs that have processes in place to monitor the archival and retention. The previous language was only about maintaining archival and retention but now it includes the element of “monitoring” which is an additional requirement.
Ryan clarified that the expectation is not to include all the detailed discussions in the ballot introduction. It seems there were fascinating discussions (hearing from auditors, hearing from CAs on the challenges to implement these proposed changes and confusions with their auditors) in the subcommittee around SC21 that should be captured in minutes and these minutes could be referenced as pointers in the ballot introduction. He emphasized that real world cases would be extremely useful to be captured in minutes.
7. Ballot Status
No further discussion.
Ballots in Discussion Period
None
Ballots in Voting Period
SC21 Ballot (NSR 3): Log Integrity Controls (Ben)
Ballots in Review Period
None
Draft Ballots under Consideration
Improvements for Method 6, website control (Tim H.) No additional comments _ SC20 Ballot (NSR 2): System Configuration Management_ No additional comments
LEI Ballot (Tim H.)
Precertificates and OCSP (Wayne) Wayne explained that in order to understand this ballot one would have to go back and read the public discussions in m.d.s.p. mailing list. The problem is that section 7.1.2.5 in the BRs explicitly states that a pre-certificate is not a Certificate and it’s unclear what needs to happen in terms of OCSP. This ballot is trying to clarify the interpretation so that, as Rob Stradling from Sectigo said, some CAs would not be stuck violating certain policies because these policies have a conflict. Wayne mentioned that he has two endorsers and will initiate the review period soon.
8. F2F 48 Agenda
The draft agenda is up on the wiki. Dimitris said that other than the typical slots we have no special topics to discuss. He reminded participants that the F2F meetings are a great opportunity to discuss in person some of the more controversial topics which are difficult to resolve via the mailing lists. Members are requested to check and propose new items to discuss at the F2F.
9. Any Other Business
Dimitris sent out an email to the management list for the photo policy. It would be a topic to discuss at the F2F and hopefully by the end of that meeting the Forum would have a clear way forward.
10. Next call
October 17, 2019 at 11:00 am Eastern Time.