2020-04-16 Minutes of the Server Certificate Working Group

Roll call: Arno Fiedler (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Li-Chun Chen (Chunghwa Telecom), Michael Guenther (SwissSign), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Quo Vadis), Thanos Vrachnos (SSL.com), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority), Taconis Lewis (US Federal PKI Management Authority), Andrea Holland (SecureTrust).

Agenda approved, anti-trust statement was read, roll was taken.

Minute taker: Tim Hollebeek.

Tobi volunteered to take minutes in two weeks.

Previous minutes were approved.

Validation subcommittee discussed two things:

1. Voluntary disclosure of information sources

– a few other CAs said they were going to disclose after DigiCert, but haven’t

– CAs are still encouraged to disclosed, but voluntary doesn’t seem to be working

Ryan has a ballot to mandate disclosure

Discussion about the challenges of not having disclosure block issuance of certificates

Ryan posted a really good summary of the discussion to the mailing list, please read it there

2. Discussed the reorganization of requirements for certificate profiles

Draft skeleton certificate profile wasn’t up until shortly before the meeting, so not much

substantive discussion

Discussing continues on the list and in a Google document

Skeleton will again be reviewed on the next Validation call

NetSec subcommittee:

Discussing SC29 version 3 on the list

Minutes are up for review

SC28 (reducing log retention) is nearly complete

Another ballot (no number yet) for account deactivation

Ballot to replace secure zones and high security zones and replace with clearer structure

Dean: are you intending to start voting on SC29 next week?

Neil: are we allowing ballots due to the covid situation?

Wayne: I’d suggest putting a feeler out and seeing if people are ready to move forward

Ballot status:

Discussion period: SC29 (see above)

Voting period: None

Review period: SC26 (pandoc-friendly markdown changes) – ends Apr 30

Draft ballots:

Ryan – BR alignment

Ryan – Spring cleanup

Ryan – Data source disclosure (discussed on last week’s Validation call)

Chris Kemmerer – updated 6.1.1.3 to clarify requirements around rejecting weak keysServer Certificate Working Group adjourns