2020-08-20 Minutes of the Server Certificate Working Group
Attendees (In Alphabetical Order)
Present: Amanda Mendieta (Apple), Andrea Holland (SecureTrust), Andreas Hentschel (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com), Curt Spann (Apple), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), Kirk Hall (Entrust Datacard), Mads Henriksveen (Buypass AS), Mayur Manchanda (Visa), Michelle Coon (OATI), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE Foundation), Rae Ann Gonzales (GoDaddy), Robin Alden (Sectigo), Ryan Sleevi (Google), Stephen Davidson (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority)
Minutes
1. Roll Call
The Roll Call was taken. Wayne noted that Dimitris was on vacation and that he would chair the call.
2. Read Antitrust Statement
The Antitrust Statement was read.
3. Review Agenda, assign minute taker
No changes to the agenda were noted. Neil Dunbar was assigned as minute taker. In the absence of volunteers, Wayne will take the minutes of the next meeting.
4. Approval of minutes from last teleconference
Wayne had updated the attendee list of the draft minutes, and the updated minutes were approved.
5. Validation Subcommittee Update
Tim Hollebeek provided the subcommittee update. Last Thursday, the team began work on the end-entity certificate profiles, working through the fields one by one in the order they appear in the Baseline Requirements. There was some initial discussion of several of the fields, and that work will continue next week. Tim noted that the details are too long to summarize easily, so interested parties who wish to examine the work should consult the online spreadsheet or read the minutes of the subcommittee meetings. Wayne noted that the spreadsheet is linked from the wiki, under the Validation Subcommittee page.
6. NetSec Subcommittee Update
Neil provided the subcommittee update. Ballot SC34 on account management is prepared and ready for submission, although it has not yet been submitted to the full working group. We have begun some discussions on future plans for the NetSec Requirements – specifically, if and how cloud-based CA architectures can or should be supported, which policies prevent them right now, and what would be needed to comply with those policies. This discussion is still preliminary and will go on for some time. The Offline CA discussion document has been refined – the exact terminology has been tightened following the agreement reached at the last meeting, so the pre-ballot is now ready for discussion. Submission to the main working group is expected in the next few days.
The pain points team has noted the discussion on moz.dev.sec.pol regarding sites discovered to be engaged in phishing, and is discussing whether clarifications to BR section 4.9.1.1 should be sought. No decision has been reached yet. An older proposal to address the remediation of critical vulnerabilities, per NSR Section 4(f), has been brought back. The team is trying to get clarity on when the 96-hour timeframe starts, which raised further discussion on what vulnerability scanning and penetration testing should entail and which systems they need to cover. More on this matter will be discussed in the subcommittee meeting today.
7. Ballot Status
Neil reported that SC28 is still on heartbeat until it is ready to be considered, per Dimitris's request. Wayne asked whether it would be opened for consideration in the next few weeks, and Neil replied that he hoped to do so.
There are no ballots in the voting period.
Wayne noted that SC30 (Disclosure of Registration and Incorporation Agencies) and SC31 (Browser Alignment) have completed their review period. These ballots are now final and the working group will produce new versions of the guidelines. In review is Ballot SC33 (TLS Using ALPN Method), which replaces validation method 10. The review ends on September 17th.
For draft ballots under consideration, Wayne asked Ryan for any comments on the Spring cleanup ballot draft. Ryan reported that the ballot was about to be started, but there had been a slow trickle of corrections: Clint had provided some typographical corrections, which are being integrated, and Corey had also submitted some corrections. Ryan wanted to review the new document against the guidelines as amended by SC30 and SC31, which Dimitris had attempted to merge in despite his vacation. After this review, the Spring cleanup ballot should be ready to start voting. Also discussed was the update to BR 6.1.1.3; Wayne thought that discussion was ballot-ready at this point. Chris replied that they have language, but they are reviewing the SC30/SC31 changes; Chris's ballot changes both sections 6.1.1.3 and 4.9.1.1, but some of the team reviewing the changes are on PTO, and they should be able to push forward once those members can look at the changes. Chris noted that the ballot language showed no major deviations between versions 1.7.0 and 1.7.1 of the BRs, but the authors wanted to perform final checks; they are confident that the ballot will be ready soon. Wayne raised the Offline CA Security Requirements ballot; Ben was on the call, but no update could be provided.
8. Any Other Business
There was no additional business.
9. Adjourn
The meeting was adjourned and will reconvene September 3, 2020 at 11:00 am Eastern Time.