Attendees (in alphabetical order)
Adrian Mueller (SwissSign), Amanda Mendieta (Apple), Ben Wilson (Mozilla), Bruce Morton (Entrust), Clint Wilson (Apple), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Janet Hines (SecureTrust), Jeff Ward (CPA Canada/WebTrust), Jos Purvis (Cisco Systems), Julie Olson (GlobalSign), Karina Sirota (Microsoft), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Thanos Vrachnos (SSL.com), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).
1. Roll Call
The Roll Call was taken.
2. Read Antitrust Statement
The anti-trust statement was read. The Working Group expressed its gratitude to Robin Alden ("the voice of the anti-trust statement") for his years of service to Sectigo, the CABF and the SCWG, as he is retiring this year.
3. Review Agenda
Dimitris reviewed the agenda; no changes were identified. Minute-taker for the next call will be Dimitris.
4. Approval of minutes from last teleconference
Accepted without objections.
5. Validation Subcommittee Update
Tim Hollebeek presented. The subcommittee continued its discussion of the Subject DN fields for the various certificate types. It is most of the way through those fields, but more discussion is needed on these DNs and on other fields in the certificate profile.
Subcommittee minutes: https://lists.cabforum.org/pipermail/validation/2020-September/001564.html
6. NetSec Subcommittee Update
Neil presented. The subcommittee is still trying to get feedback on SC34 (Account Management), specifically on the GitHub comments posted a few weeks ago. The Threat Modeling group met a few weeks ago to review the network zones ballot; it is looking for feedback from network engineers and got some good feedback from Clint and others on the need for communications and protection. An impromptu discussion started around when the NCSSRs should be considered "complete" and what the end goals might be. Discussions continued on extending CA operations into the cloud and on what cloud operators might be able to do better (automation, verification, etc.). The subcommittee is not trying to boil the ocean, but rather to look at some specific use cases and then develop NCSSR updates around them.
Ryan Sleevi (Google): Google is a bit concerned with some of the directions you described. Would it be possible to set out where the group is considering pursuing? In particular, the move from physical to logical security and considerations around cloud security are both interesting and concerning. Could NetSec lay this out during F2F in terms of both agenda and work direction?
Neil: Understood! Yes.
Subcommittee minutes: https://lists.cabforum.org/pipermail/netsec/2020-September/000404.html
7. Ballot Status
Ballots in Discussion Period
Ballots in Voting Period
Ballots in IPR Review Period
SC28: Logging and Log Retention (Review ends October 14, 2020)
SC35: Cleanups and Clarifications (Review ends October 14, 2020)
Draft Ballots under Consideration
Minimum expectations regarding weak keys (Chris)
Chris was not on the call, but Thanos presented an update: We have taken back the community comments received thus far and are going to reply with an update/official status very soon. We are not yet ready to provide a final update (we need to discuss more with our engineers), but will at least have an official update soon.
Offline CA Security Requirements (Ben)
Remove “zone” from NCSSRs and add provisions to BR 5.1 (Ben)
SC34 Account Management (Tobi)
8. Topics for the next virtual F2F
Dimitris sent out draft agenda for F2F to the public and management lists. Dean is discussing guest speakers and will need slots for those to be announced later. Dimitris will send messages to subcommittee chairs to request time estimates for discussions on Tuesday (subcommittee & WG day). We will not be spending full days as with physical-F2F; instead we will try to keep things short as with the previous virtual-F2F. If members have any topics or special challenges, they’re asked to email Dimitris or respond on the list, as they see fit.
Daniela Hood (GoDaddy)> In the past, we have discussed the conference session times. Should we change times for this? Have we discussed it?
Dimitris> The group seems to prefer to keep the same as the last virtual F2F, which was scheduled to try and minimize time-zone issues.
Dean Coclin (DigiCert)> The times for the last F2F were really the only times we could do between members in Asia, Americas, and Europe.
Dean> I have 1 guest speaker for 30 minutes; I have another with more of a tech talk on random number generators that will be no more than 30 minutes. We will space these out with no more than 1 per day. Should be interesting!
Dimitris> Dean, how are registrations?
Dean> Pretty good! We’ve merged attendee lists into one (since everyone is virtual). We are at 68 registered attendees now.
9. Any Other Business
No other business was discussed.
10. Next call
The next call will take place on October 15, 2020 at 11:00am Eastern Time.