CA/Browser Forum
Home » Posts » 2024-04-11 Minutes of the Server Certificate Working Group

2024-04-11 Minutes of the Server Certificate Working Group

Attendance

Aaron Gable (Let’s Encrypt), Aaron Poulsen (Amazon), Abhishek Bhat (eMudhra), Adam Jones (Microsoft), Adriano Santoni (Actalis), Aggie Wang (TrustAsia), Alvin Wang (SHECA), Andrea Holland (VikingCloud), Brianca Martin (Amazon), Bruce Morton (Entrust), Chris Clements (Google), Ben Wilson (Mozilla), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), David Kluge (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Gregory Tomko (GlobalSign), Inaba Atsushi (GlobalSign), Janet Hines (VikingCloud), Jaime Hablutzel (OISTE Foundation), Jay Wilson (Sectigo), Johnny Reading (GoDaddy), Jos Purvis (Fastly), Karina Sirota (Microsoft), Keshava Nagaraju (eMudhra), Kiran Tummala (Microsoft), Llewellyn Curran (GoDaddy), Lynn Jeun (Visa), Mads Henriksveen (Buypass AS), Mahua Chaudhuri (Microsoft), Marcelo Silva (Visa), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Michelle Coon (OATI), Miguel Sanchez (Google), Mrugesh Chandarana (IdenTrust), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Naveen Kumar (eMudhra), Paul van Brouwershaven (Entrust), Peter Miskovic (Disig), Rich Kapushinski (CommScope), Rich Smith (DigiCert), Rollin Yu (TrustAsia), Ryan Dickson (Google Chrome), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sissel Hoel (Buypass), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tathan Thacker (IdenTrust), Tim Hollebeek (DigiCert), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly), Yashwanth TM (eMudhra), Yoshihiko Matsuo (Japan Registry Services).

Roll Call

Roll call read.

Read Antitrust Statement

Dimitris read the note-well statement.

Review Agenda

The Agenda as provided by Inigo was followed for the call.

Approval of minutes

a) Approval of minutes from the February 15, 2024 Teleconference (minutes have been distributed just prior to the call)

• The minutes approval is delayed until next meeting due to their very recent posting.

b) Approval of minutes from the March 28, 2024 Teleconference (minutes have NOT yet been distributed)

• The minutes approval is deferred until after posting.

Membership

No current Applications to review.

Discussion

Revocation

Revocation is topic listed for today, Kiran is invited to comment, but is having audio issues. Dimitris had previously prepared a spreadsheet of some revocation reasons that were under consideration to extend period to more than 5 days with appropriate justification. Clint indicated that a draft document had been prepared and circulated to a small group of folks to review ReasonCode and timelines and some discussion had ensued but it’s not yet ready for main stream.

PAG

Discussion on where it should be instatiated. It was agreed it should be handled in the WG where it arose, which is here. Decision to cover it after Ballot Review on today’s call.

Discussion regarding SC70

  • Ben indicated a time limit for joining the PAG had been set to reduce potential of rework or re-discussion. The cut off for that nomination is tomorrow. A Doodle Poll was sent out interested parties to try to establish an appropriate time for the PAG.
  • Dimitris suggested we use the mailing list instead to distribute the Poll
  • Dimitris explained the implications of the Bylaws as related to the PAG. The key element is that the Draft Maintenance Guideline should remain in draft state until the PAG process is complete, because this essential claim came in before the end of the IPR review period.
  • There is not stipulations on how long the PAG should take. The PAG chooses its own Chair and Vice Chair.
  • Aaron G indicated he could sign into the PAG mailing list but was not getting any messages.
  • Ben indicated they would test and work out the mailing list issues

Current status of ballots

Ballots passed

  • SC72: Delete exception to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED.

Under PAG

  • SC70: Clarify the use of DTPs for Domain Control Validation

This Ballot was rescinded.

Voting Period

  • None

Discussion Period

SC67 v1: Require domain validation and CAA checks to be performed from multiple Network Perspectives. Ends on 17/4/24.

  • Ryan indicated that they are adjudicating comments in GitHub and anticipate a 2nd round of discussions

  • Dimitris highlighted interesting discussion surrounding use of VPNs for MPIC which is worth reviewing by the group. Also, on the security question, there should perhaps be some discussion regarding security controls required for the VPN usage

  • Ryan indicated there is no intention of limiting the usage of VPN for this aspect

SCXX – Compromised/weak keys

  • This item was categorized incorrectly in the Agenda as it is currently pre-ballot and thus it was discussed here instead.

  • Wayne confirmed it is pre-Ballot still and indicated there has been some discussion on whether to provide a list of resources or let CA’s manage their own. Wayne indicated he was leaning more to leaving up to the CA responsibility, but still looking for feedback. Expectation is that weak key check should be made regardless of key size as requested by Clint.

  • Tim was ambivalent on Clint’s request. Suggested we just pick a reasonable proposal and proceed.

  • Dimitris indicated that during the early versions of the ballot, the WG had tried to describe the set of parameters that each CA needs to take into account in order to generate the proper set of Debian weak keys and it didn’t work out so well. It was quite complicated to understand and implement

  • Aaron G suggested why not go with a “…repository or equivalent” in the language and then you could cover both scenarios. The 2nd question is – what happens when a new group of weak keys is discovered? An explicit enumeration has its benefits.

  • Wayne said we just need the bar to stop moving…

  • Tim indicated the burden is when definitions change, because then we have to re-prove to our auditors that we still meet it under new definition.

  • There was general agreement that this particular point of repository vs CA responsibility has been discussed waaaaay too much. Suggestion from Aaron G that a simple list of keys to incorporate from a repository is the easiest path forward.

  • Debate about which repository to use will be had on the list.

Review Period

SCXX – Compromised/weak keys

This item is categorized wrong in the Agenda, it is currently pre-Ballot, see above for discussion

Draft / Under Consideration

  • SCXX – Profiles cleanup ballot
  • SC71 – Subscriber agreement and terms of use consolidation

Dustin indicated they are behind on this item since he has been on leave and will seek to make progress shortly

  • SCXX – Measure all hours and days to the second
  • SC67 - Require MPIC
  • SC73 – Introduce linting in the TLS BRs

Dimitris (who has also been on leave) committed to sending something to the list on this in the next week

  • SC74 – Clarify CP/CPS structure according to RFC 3647

Dimitris indicated that this ballot is ready to go and should start discussion period shortly

Any Other Business

None

Next call

Next call: 25 April at 11:00 am Eastern Time

Meeting adjourned

Latest releases
Code Signing Requirements
v3.7 - Mar 4, 2024

S/MIME Requirements
v1.0.4 - Ballot SMC06 - May 11, 2024

Ballot SMC06: Post implementation clarification and corrections

Related posts
Tags
Minutes Server Certificates
Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).