CA/Browser Forum posts
Posts by tag Face-to-Face
2023-10-05 Minutes of the F2F Code Signing Certificate Working Group
October 5, 2023 by Corey Bonnell

Attendees: Adam Jones – (Microsoft), Aleksandra Kurosz – (Asseco Data Systems SA (Certum)), Andrea Holland – (VikingCloud), Arvid Vermote – (GlobalSign), Ashish Dhiman – (GlobalSign), Ben Dewberry – (Keyfactor), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Bruce Morton – (Entrust), Christophe Bonjean – (GlobalSign), Clemens Wanko – (ACAB Council), Corey Bonnell – (DigiCert), Dave Chin – (CPA Canada/WebTrust), Dean Coclin – (DigiCert), Don Sheehy – (CPA Canada/WebTrust), Doug Beattie – (GlobalSign), Ellie Lu – (TrustAsia Technologies, Inc.), Eva Vansteenberge – (GlobalSign), Hannah Sokol – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), John Mason – (Microsoft), Jozef Nigut – (Disig), Kateryna Aleksieieva – (Asseco Data Systems SA (Certum)), Li-Chun Chen – (Chunghwa Telecom), Marcelo Silva – (Visa), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Mohit Kumar – (GlobalSign), Nate Smith – (GoDaddy), Naveen Kumar – (eMudhra), Nikolaos Soumelidis – (ACAB Council), Nitesh Bakliwal – (Microsoft), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Rebecca Kelley – (Apple), Rich Kapushinski – (CommScope), Rollin Yu – (TrustAsia Technologies, Inc.), Roman Fischer – (SwissSign), Scott Rea – (eMudhra), Stephen Davidson – (DigiCert), Sven Rajala – (Keyfactor), Thomas Zermeno – (SSL.com), Tim Callan – (Sectigo), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Trevoli Ponds-White – (Amazon), Tsung-Min Kuo – (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha – (eMudhra)
2023-10-05 (F2F#60) Minutes of the S/MIME Certificate Working Group
October 5, 2023 by Stephen Davidson

Minutes of SMCWG October 5, 2023. These are the Approved Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.
Minutes of the F2F 60 Meeting in Portsmouth, NH, October 3-4, 2023
October 4, 2023 by Ben Wilson

Meeting 60 minutes

CABF Face-to-Face Meeting 60: Day 1, October 3, 2023

CA/Browser Forum level Meeting Attendance: Aaron Gable – (Let’s Encrypt), Aaron Poulsen – (Amazon), Abhishek Bhat – (eMudhra), Adam Jones – (Microsoft), Adrian Mueller – (SwissSign), Adriano Santoni – (Actalis S.p.A.), Aleksandra Kurosz (Asseco Data Systems S.A.), Andrea Holland – (VikingCloud), Andreas Henschel (D-Trust), Aneta Wojtczak-Iwanicka – (Microsoft), Anna-Marie Christian (WebTrust / CPA Canada), Antti Backman – (Telia Company), Arno Fiedler – (ETSI), Arnold Essing (Telekom Security), Arvid Vermote – (GlobalSign), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Brittany Randall – (GoDaddy), Bruce Morton – (Entrust), Chris Clements – (Google), Christophe Bonjean – (GlobalSign), Clemens Wanko – (ACAB’c / TUV Austria), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Corey Bonnell (DigiCert), Corey Rasmussen – (OATI), Daryn Wright – (GoDaddy), Dave Chin – (CPA Canada/WebTrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos – (HARICA), Don Sheehy (WebTrust), Doug Beattie – (GlobalSign), Ellie Lu – (TrustAsia Technologies Inc.), Enrico Entschew (D-Trust), Eva Vansteenberge – (GlobalSign), Hannah Sokol – (Microsoft), Hogeun Yoo – (NAVER Cloud), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Jeremy Rowley – (DigiCert), Joanna Fox – (TrustCor Systems), Jochem van den Berge – (Logius PKIoverheid), John Mason (Microsoft), John Sarapata (Google Trust Services), Joseph Ramm – (OATI), Jozef Nigut – (Disig), Kateryna Aleksieieva – (Asseco Data Systems SA (Certum)), Keshava Nagaraju – (eMudhra), Kiran Tummala – (Microsoft), Leo Grove (SSL.com), Li-Chun Chen (ChungHwa Telecom), Lynn Jeun – (Visa), Mads Henriksveen – (Buypass AS), Marcelo Silva – (Visa), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Michael Guenther – (SwissSign), Michael Slaughter – (Amazon), Michelle Coon – (OATI), Mohit Kumar (GlobalSign), Nargis Mannan – (VikingCloud), Nate Smith – (GoDaddy), Naveen Kumar – (eMudhra), Nicol So – (CommScope), Nikolaos Soumelidis (QMSCERT), Nitesh Bakliwal (Microsoft), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Pekka Lahtiharju – (Telia Company), Raffaela Achermann – (SwissSign), Rebecca Kelley – (Apple), Rich Kapushinski – (CommScope), Rob Brand (Ministry of Economic Affairs and Climate Policy (NL)), Rob Stradling – (Sectigo), Rollin Yu – (TrustAsia Technologies Inc.), Roman Fischer (SwissSign AG), Ryan Dickson – (Google), Scott Rea – (eMudhra), Sissel Hoel – (Buypass AS), Stephen Davidson – (DigiCert), Steven Deitte – (GoDaddy), Sven Rajala – (Keyfactor), Tadahiko Ito – (SECOM Trust Systems), Tim Callan (Sectigo), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek (DigiCert), Tobias Josefowitz – (Opera Software AS), Tom Zermeno (SSL.com), Trevoli Ponds-White – (Amazon), Tsung-Min Kuo – (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha – (eMudhra), Wayne Thayer – (Fastly), Wen-Chun Yang (ChungHwa Telecom), Wendy Brown – (US Federal PKI Management Authority), Xiu Lei – (GDCA).
Minutes of the F2F 59 Meeting in Redmond, WA, USA, 6-8 June 2023 – Validation SC (8 June)
July 21, 2023 by Iñigo Barreira

Validation Subcommittee
Date: June 08, 2023
Minute Taker: Michael Slaughter (Amazon Trust Services)
Validation WG Chair: Corey Bonnell (DigiCert)

Introduction

Corey proposed not performing another roll-call. – No objections.
Corey proposed approving the minutes from the 5/18 Validation Sub-Committee sent by Chris Clements. – No objections.

Corey provided an update on progress made since Spring 2023. Corey recapped the discussion on issues with the current language in the EV Guidelines surrounding acceptable registration sources, to address concerns raised by Pedro Fuentes about the suitability of QGISs to provide registration/incorporation information. The next step is to draft a ballot, and the discussion has now moved to the Server Certificate Working Group. Corey summarized the analysis of three certificate issuance workflows: “Bring your own host”, CDN issuance and ACME. The analysis exposed multiple ways the BRs can be improved surrounding the delegation of pre-issuance activities. Corey reviewed the agenda for today’s working session.

Update on Multi-Perspective Domain Validation (Ryan and Chris)

Ryan explained the origins of the MPDV working group and the progress the 20 participants have made since F2F 58. The current proposal calls for March 15th, 2025 to be the point in time when multi-perspective domain validation will be required for all public certificate issuance that utilizes specific domain validation methods. The plan is to share the draft ballot more broadly, collect feedback, work with the community and ultimately find a way for all to benefit from the new approach. Corey asked for questions. – No questions.

Changes to the Subscriber Agreement requirements (Ben and Dustin)

Dustin provided background on the Subscriber Agreement and the Terms of Use. The original intent was that the Subscriber Agreement was not “legally” enforceable within an organization, but Terms of Use might be enforceable within an organization depending on corporate rules. Across multiple revisions to the Baseline Requirements, those concepts started to merge together, and now there is language in the BRs that states that both of them must be legally enforceable, which is incorrect. Dimitris suggested that if you want to provide something equivalent then you would need to have another statement that says the CA MUST implement a process to ensure that each Terms of Use is enforceable against the applicant. Jeremy replied that if you make the terms enforceable then you are basically stating that CAs can’t issue their own certs. Jeremy continued to explain that the Terms of Use was added historically to support Wells Fargo and suggested that the terms can be consolidated to make them clearer. Ben suggested that you could phrase it as the subscriber has accepted or acknowledged the Terms of Use, which Dimitris agreed with. Ben explained that historically, Wells Fargo couldn’t sign a legally enforceable agreement within an organization, so the Wells Fargo legal department suggested introducing a concept called the Terms of Use as a path forward. Dustin suggested that we consolidate and have some language around enforcement and acceptance. Dustin presented some example language and asked for comment. Martijn read the definition of Subscriber Agreement aloud and asked if that definition already describes the Terms of Use. Ben replied that yes, cleaning up the definition of Subscriber Agreement may have been missed when Terms of Use was added, which has led to the current state. Ben provided more examples and suggested that the word “executed” should be replaced with the word “accepted”. This change in terminology originates with the Validation Working Group discussion on how to better integrate the Subscriber Agreement into various certificate issuance flows. Dustin explained various forms of acceptance with different degrees of automation.

Ben posed the question: “if Terms of Use aren’t ‘legally enforceable’, what do we gain/lose from acceptance via a flag set on an automated certificate request?” Dimitris replied that he thinks we had a very nice discussion about one of these issues and restated that nothing is configured out of thin air; scripts are executed, configured and/or created by humans. David agreed and added that someone must have configured the system. David went on to say that is the nature of how software works on the modern web. There is very clear consensus that implicit agreements are legally enforceable as long as someone configures the system, and would take the logged consent as valid. Dustin replied that if you have automation via a true or false flag, there is no mechanism to force the user to actually read or view the agreement as they would have with a click-through on a website. David replied that it would depend on whether the ACME workflow was the only place that a subscriber or applicant can view the Subscriber Agreement. As an example, his CA hosts the document on the website. Dustin asked, if the Subscriber Agreement is on a website, could the user accept it once when registering an account, or is it something that must be done with each request? Martijn commented that if it’s done automatically by script then someone has written the script. We have to be careful about accepting the agreement since a developer might say “yes” without understanding what exactly they are agreeing to. Tobias added that this sounds like a legal question and we should ask an expert. What we need is for it to be binding, and whether a human is required is a secondary question. Trev asked for clarity on what problem we are trying to solve. I don’t think people want to do it for every certificate, and frankly that is just not going to happen. As we have discussed in the validation committee, we need to build this for the automation use case, who are going to just accept the agreement. When you pick a CA you pick a business, so most subscribers will have expected the Subscriber Agreement to have been agreed upon during account registration or set-up. Trev went on to ask why there is even a need for Terms of Use. What is it that we are asking the auditors to actually check? Reporting compromise, for example, is more commonly considered a security policy. Jeremy: In my experience, they do check for an agreement for each certificate. Having the consistency and agreement is important. Ben: One agreement can serve for multiple certificates, but I do see your point, Trev. What are we trying to solve by having this requirement? Revocation is a security requirement. How do we know that a different party will follow a security policy that is not your own? Jeremy added that one of the reasons that we have this policy is to prevent any CA from using customer expectations as a reason for slowing down progress. Dustin: A couple of things: look and see if we can merge Terms of Use and Subscriber Agreement and modify language to clarify legal enforceability. It is up to the CA to determine how often they want the Subscriber Agreement to be agreed to. Dimitris concurred with Trev that there are some parts of the BRs that make more sense for a subscriber account, but also called out that we have section 9.6.3, which has specific clauses for each individual certificate. Dimitris added that we could be OK with one Subscriber Agreement for a customer that covers multiple certificates, but we will need to review and update the entire Baseline Requirements document for consistency. Trev noted that the take-away from today’s discussion is that we believe it is possible that acceptance can be accomplished with automation. Jeremy suggested that the topic should be moved to the Server Cert WG instead. Dustin and Dimitris agreed that the topic should move to the SCWG.

Discussion on Applicant Delegation of Domain Validation (Corey) 2:26

Corey introduced the topic of applicant delegation of domain validation. This specifically describes the case where an applicant who wants to assert control of a domain name on a certificate uses an underscore-prefixed domain name, called an authorization domain name, that is delegated to another domain name where the controller has added a TXT record that contains the random token used for domain validation. Corey noted that this could be done for HTTP validation using HTTP redirects but most often applies to DNS validation. The domain owner has a mechanism to opt out by removing the CNAME record. Corey then recapped the history of the topic. (Links are in slides.) Jeremy added that it looks like the customer has put the order in. If you go too far in enforcing who is taking an action then the validation action resembles OV more so than DV. Corey reviewed the conclusions from the discussion within the Validation Working Group: 1) Clarity is needed. 2) Applicants generally delegate the performance of many aspects of operating a website. 3) If done correctly, delegation of domain validation boosts agility and automation. 4) There are reasonable interpretations of the BRs that such delegation is allowed today. Clint suggested that, given that clarity is still needed and that there are differing interpretations of the BRs on whether or not the practice is allowed, we should first establish that clarity before implementing an interpretation of the current BRs. Tim responded that the ship has sailed on that, as there is already widespread interpretation that the practice of delegating domain validation is allowed and it has been adopted by some parties. Paul asked if this would allow a CA to let applicants add a record and continuously issue certificates until the record is removed, and wondered, if that is indeed the case, whether we are doing any validation at all.

Corey responded that one thing that was raised in the context of these discussions is that there are numerous service providers that already provide this service for ACME. Jeremy added that the problem already exists for dangling CNAMEs, and having a fictitious legal entity doesn’t alter that. Unless you are paying very close attention to the Mozilla discussions you would not have thought this was prohibited, which is why we need to get it fixed. Wayne questioned whether we actually know people are doing this. Jeremy responded that we know that something like CNAME-based delegation is happening but agreed that we don’t know if the exact scenario under discussion is happening. Trev responded to Paul that this is still validation, and if a subscriber didn’t want certificates issued any further, could they not stop paying you and opt out? Corey asked the group for next steps towards addressing the ambiguity. Paul suggested that domain delegation would benefit from some rules that bind a certificate request and validation to an account, and asked if that needs to be a requirement. Martijn agreed with Paul that there should be rules around the practice and suggested that account locking is probably the best one to consider. Martijn also suggested that limiting it to TXT records may be better but conceded that we may need to support both. Jeremy brought up Cloudflare as an example, explaining that they are not a CA but they have their customers insert a CNAME that points to a location where they have inserted the random value. Cloudflare is not a CA, but if they became a CA would they have to change their practice? That is the inconsistency that is being removed through this effort. We have landed in a place where you would need two separate legal entities to implement this in a fully supported way, which does not provide any security value.

Tim recommended that everyone review the Validation Subcommittee minutes from the fall of 2021, where account considerations were previously discussed, and noted that we have gone back and forth over the past four years on this topic. Paul added that he was less concerned about the Cloudflare scenario than about a scenario in which a CA with multiple customers is delegating to itself. Paul then offered that having a customer be able to issue a certificate for a domain they do not control is a security concern. Paul continued that account binding may not fully address the problem because the account could be used by a service provider. Corey responded to Paul that the security concern he raised has been discussed by the committee and relates to the type of guard-rails that still need to be written. Clint added that he agreed with what has been said at a high level but thinks that if we are going to make this a formal practice then we need explicit changes made to the BRs to define this method and establish a reliable security framework around it. Mechanisms such as account locking and MPDV would be a part of that story, as well as addressing domain validation reuse or DNS configurations like TTLs. There are also considerations around domain expiry. Clint continued that because this is a fairly large paradigm shift, we should perform a risk analysis and take the time to fully understand the security boundaries. Trev reminded the group again that customers can do this today with a third party and are doing this. CAs are audited and have other mechanisms and controls that third parties may not. We can put in some security rules, but we need to be careful not to put in so many rules that this practice, which customers are already doing, becomes so burdensome for CAs that they consider it not worth implementing. Wayne commented that if a CNAME can be delegated to a CA, and then the CA can generate a random value and stick it in the CNAME, then that would basically be security theater.

Wayne then suggested an alternative approach of creating a new domain validation method “21”, where an applicant can clearly state that they are allowing issuance from a particular CA and account. That approach would make a lot of the nuance go away and would result in more clarity. Paul agreed with Wayne and suggested that CAA records with account URI binding would make sense to use as another mechanism. Paul also added that introducing an account-specific CNAME record delegated to the CA would be clearer as another domain validation method. Trev disagreed with Wayne that delegation amounts to security theater, adding that the subscriber still has to set up the CNAME, so they are still opting into it. Clint added that there is a difference between an opt-in signal that is explicit for the purpose we’re intending and one where the customer is setting up a CNAME record that they may not understand the implications of. He continued that we need to ensure that the domain owner has a full understanding of what they are doing and what they are empowering the CA to do. Trev agreed with Clint and added that Wayne clarified to her off the mic that the security theater part he was referring to was the random value token part. Tobias disagreed that the random value is security theater, because it ensures that the CA doesn’t have diverging perspectives of which domains are under its control. Michael asked if we were still talking about whether DNS validation is allowable under Method 7. Michael then commented that delegated DNS domain validation performed under Method 7 would mean that an applicant still has to initiate the request, the domain owner has to take an action to approve the request, and a CA cannot arbitrarily create certificates on behalf of applicants. Corey agreed with Michael and suggested taking a more surgical approach to improve Method 7 and make it explicit that the practice is permitted while adding the necessary security constraints.

Longer term, the group can explore the ideas introduced by Wayne and Paul and work on an alternative method. Corey suggested that bifurcating the conversation would allow us to make progress sooner on the more pressing need to clarify the current practice. Tim agreed and posted the ballot text [1] that was circulated in December of 2021 related to account locking. Corey suggested using that text as the starting point for the ballot to add the clarity that is currently missing. Ben added that he was also in favor of that approach. He asked if we need a straw poll to decide whether the group should focus on refining Method 7 or on introducing a new domain validation method. Dimitris commented that there are multiple ways to signal delegation, including CAA, TXT and CNAME, if we first agree that we can delegate. Michael agreed with Dimitris and added that he thinks a two-track approach makes the most sense. Clint added that if we get to the point where we have a well-defined validation method for DNS delegation then we should look at deprecating or removing the less defined mechanism. Clint also asked for more clarity and examples on what CAs are actually doing, with the goal of better understanding the risk these third parties pose to the ecosystem. Wayne answered that the core risk that is currently unaddressed is that if you do the CNAME delegation without binding it to an account then you’ve created a very insecure validation system, and the need for that account binding isn’t currently specified. Corey concluded the meeting by recapping the next steps. We will be taking a two-pronged approach by leveraging Tim’s language as the starting point for a short-term ballot to clarify the current system. Longer term, the group will be exploring different validation methods to further enhance automation capability. Tim will be leading the next Validation Working Group call on 6/15. Meeting adjourned.

[1] https://lists.cabforum.org/pipermail/validation/2021-December/001734.html
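The delegation pattern debated in these minutes, as an added example that is not part of the minutes and not any CA's or DNS provider's code: a toy validator that follows the _acme-challenge CNAME into a third party's zone to find the random token, and that also applies the CAA account binding Paul suggested (the accounturi parameter of RFC 8657) as the guard-rail Wayne said is missing. The zone data is an in-memory dictionary constructed for the example; example.com, delegated-dns.test, ca.example and the account URI are all assumed names, and no real DNS lookups are made.

```python
import copy
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, object]]]

# Constructed zone data (not real DNS). Owner names have no trailing dot.
# The applicant, example.com, has CNAMEd its _acme-challenge label into a zone
# run by a hypothetical DNS/CDN provider, delegated-dns.test, which publishes
# the CA's random token as a TXT record on the applicant's behalf.
ZONE: Zone = {
    "_acme-challenge.example.com": [("CNAME", "example.com.acme.delegated-dns.test")],
    "example.com.acme.delegated-dns.test": [("TXT", "tok-A1B2C3D4E5F6")],
    # CAA at the apex binds issuance to one CA *and* one ACME account.
    # Record tuple is (flags, tag, value) as in RFC 8659.
    "example.com": [(0, "issue", "ca.example; accounturi=https://ca.example/acct/42")],
    # A mis-configured delegation that points at itself.
    "_acme-challenge.loop.example": [("CNAME", "_acme-challenge.loop.example")],
}


def records(zone: Zone, name: str, rrtype: str) -> list:
    """All rdata of one type at one owner name; CAA rows are 3-tuples, others 2-tuples."""
    out = []
    for rr in zone.get(name, []):
        if rrtype == "CAA" and len(rr) == 3:
            out.append(rr)
        elif rrtype != "CAA" and len(rr) == 2 and rr[0] == rrtype:
            out.append(rr[1])
    return out


def resolve_txt(zone: Zone, name: str, max_hops: int = 8) -> List[str]:
    """Follow the CNAME chain from `name`; return the TXT strings at its end.
    Raises ValueError on a CNAME loop or an over-long chain."""
    seen = set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        cname = records(zone, name, "CNAME")
        if not cname:
            return [str(t) for t in records(zone, name, "TXT")]
        name = str(cname[0])


def relevant_caa(zone: Zone, fqdn: str) -> list:
    """RFC 8659 climb: the first owner name from fqdn upward that has CAA records."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        rrs = records(zone, ".".join(labels[i:]), "CAA")
        if rrs:
            return rrs
    return []


def parse_issue(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; k1=v1; k2=v2' into the issuer domain and its parameters."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), params


def caa_permits(zone: Zone, fqdn: str, ca_domain: str, account_uri: str) -> bool:
    """True if the relevant CAA set allows `ca_domain` to issue for `fqdn`, honouring an
    accounturi parameter when present. Non-wildcard names only; no CAA means permitted."""
    rrs = relevant_caa(zone, fqdn)
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef") for flags, tag, _ in rrs):
        return False  # unrecognised critical property: refuse (RFC 8659 section 4.1)
    issue_rrs = [v for _, tag, v in rrs if tag == "issue"]
    if not issue_rrs:
        return True   # no issue property: issuance is unrestricted for this name
    for value in issue_rrs:
        issuer, params = parse_issue(value)
        if issuer == ca_domain.lower() and params.get("accounturi", account_uri) == account_uri:
            return True
    return False


def validate(zone: Zone, fqdn: str, token: str, ca_domain: str, account_uri: str) -> Tuple[bool, str]:
    """Delegated DNS validation: CAA/account check first, then follow the
    _acme-challenge CNAME and look for the random token in a TXT record."""
    if not caa_permits(zone, fqdn, ca_domain, account_uri):
        return False, "CAA does not permit this CA/account"
    try:
        txts = resolve_txt(zone, "_acme-challenge." + fqdn)
    except ValueError as exc:
        return False, str(exc)
    if token in txts:
        return True, "token found via delegated zone"
    return False, "token not present (delegation removed or never set)"


def without_delegation(zone: Zone, fqdn: str) -> Zone:
    """Model the domain owner's opt-out from the minutes: drop the _acme-challenge CNAME."""
    z = copy.deepcopy(zone)
    z.pop("_acme-challenge." + fqdn, None)
    return z


if __name__ == "__main__":
    ok = validate(ZONE, "example.com", "tok-A1B2C3D4E5F6", "ca.example", "https://ca.example/acct/42")
    opted_out = validate(without_delegation(ZONE, "example.com"), "example.com",
                         "tok-A1B2C3D4E5F6", "ca.example", "https://ca.example/acct/42")
    print(ok, opted_out)
```

The two failure paths worth noting are the ones the discussion turned on: with the CNAME removed the token is unreachable, so the owner's opt-out takes effect at the next validation regardless of what the delegate still publishes; and with a CAA accounturi that names a different account, the same token in the same delegated zone is refused, which is the account binding that a bare CNAME delegation lacks.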
July 21, 2023 by Iñigo BarreiraValidation SubcommitteeDate: June 08, 2023 Minute Taker: Michael Slaughter (Amazon Trust Services) Validation WG Chair: Corey Bonnell (DigiCert) Introduction Corey proposed not performing another roll-call. – No Objections Corey proposed approving the minutes from 5/18 Validation Sub-Committee sent by Chris Clements . – No Objections Corey provided update on progress made since Spring 2023. Corey recapped the discussion on issues with current language in EV Guidelines surrounding acceptable registration sources to address concerns raised by Pedro Fuentes about the suitability of QGISs to provide registration/incorporation information . Next step is to draft ballot and the discussion has now moved to server cert working group.. Corey summarized the analysis of three certificate issuance workflows: “Bring your own host”, CDN Issuance and ACME. The analysis exposed multiple ways the BRs can be improved surrounding the delegation of pre-issuance activities. Corey reviewed the agenda for today’s working session. Update on Multi-Perspective Domain Validation (Ryan and Chris) Ryan explained the origins of the MPDV working group and the progress the 20 participants have made since F2F 58. The current proposal calls for March 15th 2025 to be the point in time when multi-perspective domain validation will be required for all public certificate issuance that utilize specific domain validation methods. The plan is to share the draft ballot more broadly, collect feedback, work with the community and ultimately find a way for all to benefit from the new approach. Corey asked for questions. – No questions. Changes to the Subscriber Agreement requirements (Ben and Dustin) Dustin provided background on the subscriber agreement and the terms of use. The original intent was that the subscriber agreement was not “legally” enforceable within an organization but Terms of Use might be enforceable within an organization depending on corporate rules. 
Across multiple revisions to the baseline requirements, those concepts started to merge together and now there is language in the BRs that states that both of them must be legally enforceable which is incorrect. Dimitris suggested that if you want to provide something equivalent then you would need to have another statement that says the CA MUST implement a process to ensure that each Terms of Use is enforceable against the applicant. Jeremy replied that if you make the terms enforceable then you are basically stating that CAs can’t issue their own certs. Jeremy continued to explain that the Terms of Use was added historically to support Wells Fargo and suggested that the terms can be consolidated to make them clearer. Ben suggested that you could phrase it as the subscriber has accepted or acknowledged the terms of use which Dimitris agreed with. Ben explained that historically, Wells Fargo couldn’t sign a legally enforceable agreement within an organization so the Wells Fargo legal department suggested introducing a concept called the Terms of Use as a path forward. Dustin suggested that we consolidate and have some language around enforcement and acceptance. Dustin presented some example language and asked for comment. Martijn read the definition of Subscriber Agreement aloud and asked if that definition already describes the terms of use. Ben replied that yes cleaning up the definition of Subscriber Agreement may have been missed when Terms of Use was added which has led to the current state. Ben provided more examples and suggested that the word “executed” should be replaced with the word “accepted”. This change in terminology originates with the Validation Working Group discussion on how to better integrate the subscriber agreement into various certificate issuance flow. Dustin explained various forms of acceptance with different degrees of automation. 
Ben proposed that “if Terms of Use aren’t “legally enforceable” what do we gain/lose from acceptance via a flag set on an automated certificate request?” Dimitris replied that I think we had a very nice discussion about one of these issues and restated that nothing is configured out of thin air and scripts are executed, configured and/or created by humans. David agreed and added that someone must have configured the system. David went on to say that is the nature of how software works on the modern web. There is very clear consensus that implicit agreements are legally enforceable as long as someone configures the system and would take the logged consent as valid. Dustin replied that if you have automation via a true or false flag, there is no mechanism to force the user to actually read or view the agreement as they would have with a click-through on a website David replied that it would depend on if the ACME workflow was the only place that a subscriber or applicant can view the Subscriber Agreement. As an example, his CA hosts the document on the website. Dustin asked if the Subscriber agreement is on a website could the user accept it once when registering an account or is it something that must be done with each request. Martijn commented that if it’s done automatically by script then someone has written the script. We have to be careful about accepting the agreement since a developer might say “yes” without understanding what exactly they are agreeing to. Tobias added that this sounds like a legal question and we should ask an expert. What we need it is to be binding and whether a human is required is a secondary question Trev asked for clarity on what problem we are trying to solve? I don’t think people want to do it for every certificate and frankly that is just not going to happen. As we have discussed in the validation committee, we need to build this for the automation use case who are going to just accept the agreement. 
When you pick a CA you pick a business, so most subscribers will have expected the Subscriber Agreement to have been agreed upon during account registration or set-up. Trev went on to ask why there is even a need for Terms of Use. What is it that we are asking the auditors to actually check? Reporting compromise, for example, is more commonly considered a security policy. Jeremy: In my experience, they do check for an agreement for each certificate. Having the consistency and agreement is important. Ben: One agreement can serve for multiple certificates, but I do see your point, Trev. What are we trying to solve by having this requirement? Revocation is a security requirement. How do we know that a different party will follow a security policy that is not your own? Jeremy added that one of the reasons that we have this policy is to prevent any CA from using customer expectations as a reason for slowing down progress. Dustin: A couple of things: look and see if we can merge Terms of Use and Subscriber Agreement, and modify language to clarify legal enforceability? It is up to the CA to determine how often they want the Subscriber Agreement to be agreed to. Dimitris concurred with Trev that there are some parts of the BRs that make more sense for a subscriber account, but also called out that we have section 9.6.3, which has specific clauses for each individual certificate. Dimitris added that we could be OK with one subscriber agreement for a customer that covers multiple certificates, but we will need to review and update the entire Baseline Requirements document for consistency. Trev noted that the take-away from today's discussion is that we believe it is possible that acceptance can be accomplished with automation. Jeremy suggested that the topic should be moved to the Server Certificate Working Group instead. Dustin and Dimitris agreed that the topic should move to the SCWG.
Discussion on Applicant Delegation of Domain Validation (Corey) 2:26
Corey introduced the topic of applicant delegation of domain validation. This specifically describes the case where an applicant who wants to assert control of a domain name on a certificate uses an underscore-prefixed domain name, called an authorization domain name, that is delegated to another domain name where the controller has added a TXT record containing the random token used for domain validation. Corey noted that this could be done for HTTP validation using HTTP redirects but most often applies to DNS validation. The domain owner has a mechanism to opt out by removing the CNAME record. Corey then recapped the history of the topic (links are in the slides). Jeremy added that it looks like the customer has put the order in; if you go too far in enforcing who is taking an action then the validation action resembles OV more than DV. Corey reviewed the conclusions from the discussion within the Validation Working Group: 1) clarity is needed; 2) applicants generally delegate the performance of many aspects of operating a website; 3) if done correctly, delegation of domain validation boosts agility and automation; 4) there are reasonable interpretations of the BRs that such delegation is allowed today. Clint suggested that, given that clarity is still needed and there are differing interpretations of the BRs on whether or not the practice is allowed, we should first establish that clarity before implementing an interpretation of the current BRs. Tim responded that the ship has sailed on that, as there is already widespread interpretation that the practice of delegating domain validation is allowed and it has been adopted by some parties. Paul asked if this would allow a CA to let applicants add a record and continuously issue certificates until the record is removed, and wondered, if that is indeed the case, whether we are doing any validation at all.
Corey responded that one thing that was raised in the context of these discussions is that there are numerous service providers that already provide this service for ACME. Jeremy added that the problem already exists for dangling CNAMEs and having a fictitious legal entity doesn't alter that. Unless you are paying very close attention to the Mozilla discussions you would not have thought this was prohibited, which is why we need to get it fixed. Wayne questioned whether we actually know people are doing this. Jeremy responded that we know that something like CNAME-based delegation is happening but agreed that we don't know if the exact scenario under discussion is happening. Trev responded to Paul that this is still validation, and if a subscriber didn't want certificates issued any further, could they not stop paying you and opt out? Corey asked the group for next steps towards addressing the ambiguity. Paul suggested that domain delegation would benefit from some rules that bind a certificate request and validation to an account, and asked if that needs to be a requirement. Martijn agreed with Paul that there should be rules around the practice and suggested that account-locking rules are probably the best ones to consider. Martijn also suggested that limiting it to TXT records may be better but conceded that we may need to support both. Jeremy brought up Cloudflare as an example, explaining that they are not a CA but they have their customers insert a CNAME that points to a location where Cloudflare has inserted the random value. Cloudflare is not a CA, but if they became a CA would they have to change their practice? That is the inconsistency that is being removed through this effort. We have landed in a place where you would need two separate legal entities to implement this in a fully supported way, which does not provide any security value.
Tim recommended that everyone review the Validation Subcommittee minutes from the fall of 2021, where account considerations were previously discussed, and noted that we have gone back and forth over the past four years on this topic. Paul added that he was less concerned about the Cloudflare scenario than about a scenario in which a CA with multiple customers is delegating to itself. Paul then offered that having a customer be able to issue a certificate for a domain they do not control is a security concern. Paul continued that account binding may not fully address the problem because the account could be used by a service provider. Corey responded to Paul that the security concern he raised has been discussed by the committee and relates to the type of guard-rails that still need to be written. Clint added that he agreed with what has been said at a high level but thinks that if we are going to make this a formal practice then we need explicit changes made to the BRs to define this method and establish a reliable security framework around it. Mechanisms such as account locking and MPVD would be a part of that story, as well as addressing domain validation reuse or DNS configurations like TTLs. There are also considerations around domain expiry. Clint continued that, because this is a fairly large paradigm shift, we should perform a risk analysis and take the time to fully understand the security boundaries. Trev reminded the group again that customers can do this today with a third party and are doing this. CAs are audited and have other mechanisms and controls that third parties may not. We can put in some security rules, but we need to be careful not to put in so many rules that this practice, which customers are already doing, becomes so burdensome for CAs that they consider it not worth implementing. Wayne commented that if a CNAME can be delegated to a CA and then the CA can generate a random value and stick it in the CNAME, then that would basically be security theater.
Wayne then suggested an alternative approach of creating a new domain validation method "21" where an applicant can clearly state that they are allowing issuance from a particular CA and account. That approach would make a lot of the nuance go away and would result in more clarity. Paul agreed with Wayne and suggested that CAA records with account URI binding would make sense to use as another mechanism. Paul also added that introducing an account-specific CNAME record delegated to the CA would be clearer as another domain validation method. Trev disagreed with Wayne that delegation amounts to security theater, adding that the subscriber still has to set up the CNAME so they are still opting into it. Clint added that there is a difference between an opt-in signal that is explicit for the purpose we're intending and one where the customer is setting up a CNAME record that they may not understand the implications of. He continued that we need to ensure that the domain owner has a full understanding of what they are doing and what they are empowering the CA to do. Trev agreed with Clint and added that Wayne clarified to her off the mic that the security theater part he was referring to was the random value token part. Tobias disagreed that the random value is security theater, because it ensures that the CA doesn't have diverging perspectives of which domains are under its control. Michael asked if we were still talking about whether DNS validation is allowable under Method 7. Michael then commented that delegated DNS domain validation performed under Method 7 would mean that an applicant still has to initiate the request, the domain owner has to take an action to approve the request, and a CA cannot arbitrarily create certificates on behalf of applicants. Corey agreed with Michael and suggested taking a more surgical approach to improve Method 7 and make it explicit that the practice is permitted while adding necessary security constraints.
Longer term, the group can explore the ideas introduced by Wayne and Paul and work on an alternative method. Corey suggested that bifurcating the conversation would allow us to make progress sooner on the more pressing need to clarify the current practice. Tim agreed and posted the ballot text [1] that was circulated in December of 2021 related to account locking. Corey suggested using that text as the starting point for the ballot to add the clarity that is currently missing. Ben added that he was also in favor of that approach. He asked if we need a straw poll to decide whether the group should focus on refining Method 7 or introducing a new domain validation method. Dimitris commented that there are multiple ways to signal delegation, including CAA, TXT and CNAME, if we first agree that we can delegate. Michael agreed with Dimitris and added that he thinks a two-track approach makes the most sense. Clint added that if we get to the point where we have a well-defined validation method for DNS delegation then we should look at deprecating or removing the less defined mechanism. Clint also asked for more clarity and examples on what CAs are actually doing, with the goal of better understanding the risk these third parties pose to the ecosystem. Wayne answered that the core risk that is currently unaddressed is that if you do the CNAME delegation without binding it to an account then you've created a very insecure validation system, and the need for that account binding isn't currently specified. Corey concluded the meeting by recapping the next steps. We will be taking a two-pronged approach by leveraging Tim's language as the starting point for a short-term ballot to clarify the current system. Longer term, the group will be exploring different validation methods to further enhance automation capability. Tim will be leading the next Validation Working Group call on 6/15. Meeting adjourned.
[1] https://lists.cabforum.org/pipermail/validation/2021-December/001734.html
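As an added illustration of the mechanism Corey described and of the account-binding guard rail that Paul and Wayne argued for (this is editor-supplied example code, not text from the minutes, a ballot, or any CA's validation system): a toy validator that follows the CNAME chain from the underscore-prefixed label, bounds the chain so loops and long redirections are rejected, reads the TXT record at the terminal name, and, when the chain ends inside a zone the CA itself operates, requires the terminal label to be the one issued to the requesting account. The in-memory zone data, the random value, the `acct-<id>.validation.<ca-zone>` label convention and the hop limit are all constructed assumptions for the example and are not Baseline Requirements rules.

```python
# Added example, not part of the CA/Browser Forum minutes or any CA's code.
# Everything here is constructed for illustration: the zone data, the token,
# the account label convention ("acct-<id>.validation.<ca-zone>") and the
# hop limit are assumptions, not Baseline Requirements text.


class ValidationError(Exception):
    """Raised when the CNAME chain cannot be resolved to a terminal name."""


def _fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


TOKEN = "constructed-random-value-9f2c"   # stands in for the CA's Random Value
CA_ZONE = "validation.example-ca.net."    # hypothetical CA-operated zone

# Constructed zone data standing in for live DNS: name -> rrtype -> values.
ZONE = {
    # Case 1: the owner delegates the validation label to the CA, account 42.
    "_acme-challenge.www.example.com.": {"CNAME": ["acct-42." + CA_ZONE]},
    "acct-42." + CA_ZONE: {"TXT": [TOKEN]},
    # Case 2: no delegation; the owner publishes the value directly.
    "_acme-challenge.direct.example.": {"TXT": ["unrelated", TOKEN]},
    # Case 3: delegation to a non-CA service provider (CDN-style).
    "_acme-challenge.cdn.example.": {"CNAME": ["_acme-challenge.cdn.example.net."]},
    "_acme-challenge.cdn.example.net.": {"TXT": [TOKEN]},
    # Case 4: a CNAME loop, which a validator must refuse.
    "_acme-challenge.loop.example.": {"CNAME": ["_acme-challenge.loop.example."]},
}


def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs from `name` and return (chain, txt_values).

    `chain` lists every name visited, starting with `name`; a chain of
    length one means no delegation occurred. Loops and chains longer than
    `max_hops` (an assumed limit) raise ValidationError.
    """
    chain = []
    current = _fqdn(name)
    while len(chain) < max_hops:
        if current in chain:
            raise ValidationError(f"CNAME loop at {current}")
        chain.append(current)
        rrset = zone.get(current, {})
        if rrset.get("CNAME"):
            current = _fqdn(rrset["CNAME"][0])
            continue
        return chain, list(rrset.get("TXT", []))
    raise ValidationError(f"CNAME chain longer than {max_hops} hops")


def validate_dns(zone, fqdn, token, account_id, ca_zone=CA_ZONE):
    """Simulate the DNS validation check for `fqdn` requested by `account_id`.

    Returns (ok, reason). The account-binding rule is the guard rail from the
    discussion: if the chain ends inside the CA's own zone, the terminal label
    must be the one issued to the requesting account, so a CNAME set up for one
    customer cannot be reused by a different customer of the same CA.
    """
    chain, txts = resolve_txt(zone, "_acme-challenge." + fqdn)
    terminal = chain[-1]
    delegated = len(chain) > 1
    if delegated and terminal.endswith("." + ca_zone):
        expected = f"acct-{account_id}." + ca_zone
        if terminal != expected:
            return False, f"delegated into CA zone but bound to {terminal}, not {expected}"
    if token in txts:
        return True, "delegated" if delegated else "direct"
    return False, f"random value not found at {terminal}"


if __name__ == "__main__":
    for fqdn, acct in [("www.example.com", 42), ("www.example.com", 7),
                       ("direct.example", 7), ("cdn.example", 7)]:
        print(fqdn, acct, validate_dns(ZONE, fqdn, TOKEN, acct))
    try:
        validate_dns(ZONE, "loop.example", TOKEN, 42)
    except ValidationError as exc:
        print("loop.example", exc)
```

The in-memory dictionary replaces real DNS queries; a production validator would resolve from the CA's own network perspectives and would still have to handle the TTL, reuse and expiry questions Clint raised. The point of the account check is visible in the second case: the same CNAME that authorises account 42 is refused when account 7 presents the same token, which is the scenario Wayne described as insecure without binding.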
Minutes of the F2F 59 Meeting in Redmond, WA, USA, 6-8 June 2023 – SCWG (8 June)
July 21, 2023 by Iñigo Barreira
Meeting of the Server Certificate Working Group
Thursday, 8 June 2023 – CA/B Forum Meeting (Day 3) Server Certificate Working Group Meeting
Minutes of the F2F 59 Meeting in Redmond, Washington, 6-7 June 2023
June 7, 2023 by Ben Wilson
Meeting 59 Minutes
CABF Face-to-Face Meeting 59: Day 1 June 6, 2023
Attendance: Aaron Poulsen – (Amazon), Abhishek Bhat – (eMudhra), Adam Jones – (Microsoft), Adrian Mueller – (SwissSign), An Yin – (iTrusChina), Andreas Henschel – (D-TRUST), Aneta Wojtczak-Iwanicka – (Microsoft), Antti Backman – (Telia Company), Arno Fiedler – (ETSI), Ben Dewberry – (Keyfactor), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Bruce Morton – (Entrust), Chris Clements – (Google), Christophe Bonjean – (GlobalSign), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Corey Rasmussen – (OATI), Daryn Wright – (GoDaddy), Dave Chin – (CPA Canada/WebTrust), David Kluge – (Google), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Don Sheehy – (CPA Canada/WebTrust), Doug Beattie – (GlobalSign), Dustin Hollenback – (Microsoft), Ellie Lu – (TrustAsia Technologies, Inc.), Enrico Entschew – (D-TRUST), Eva van Steenberge – (GlobalSign), Fumi Yoneda – (Japan Registry Services), Georgy Sebastian – (Amazon Trust Services), Glaucia Young – (Microsoft), Hannah Sokol – (Microsoft), Hogeun Yoo – (NAVER Cloud), Hubert Chao – (Google), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), J.P. Hamilton – (Cisco), Jamie Mackey – (US Federal PKI Management Authority), Janet Hines – (VikingCloud), Jeremy Rowley – (DigiCert), Joanna Fox – (TrustCor Systems), John Sarapata – (Google), Jonathan Kozolchyk – (Amazon Trust Services), Jos Purvis – (Fastly), Joseph Ramm – (OATI), JP Hamilton – (Cisco Systems), Karina Sirota – (Microsoft), Keshava Nagaraju – (eMudhra), Kiran Tummala – (Microsoft), Lakshmi Ramalingam – (Microsoft), Leo Grove – (SSL.com), Li-Chun Chen – (Chunghwa Telecom), Mads Henriksveen – (Buypass AS), Mahua Chaudrhi – (Microsoft), Marco Schambach – (IdenTrust), Mark Nelson – (IdenTrust), Martijn Katerbarg – (Sectigo), Matthias Wiedenhorst – (ACAB Council), Michael Guenther – (SwissSign), Michael Slaughter – (Amazon), Michelle Coon – (OATI), Mohit Kumar – (GlobalSign), Nargis Mannan – (VikingCloud), Nate Smith – (GoDaddy), Naveen Kumar – (eMudhra), Nick France – (Sectigo), Nicol So – (CommScope), Nitesh Bakliwal – (Microsoft), Pankaj Chawla – (eMudhra), Paul van Brouwershaven – (Entrust), Pekka Lahtiharju – (Telia Company), Peter Miskovic – (Disig), Raffaela Achermann – (SwissSign), Rebecca Kelley – (Apple), Roberto Quinones – (Intel), Rollin Yu – (TrustAsia Technologies, Inc.), Romain DELVAL – (Certigna), Ryan Dickson – (Google), Scott Rea – (eMudhra), Sissel Hoel – (Buypass AS), Stefan Kirch – (Telekom Security), Stephen Davidson – (DigiCert), Sven Rajala – (Keyfactor), Tadahiko Ito – (SECOM Trust Systems), Tahmina Ahmad – (Microsoft), Thomas Zermeno – (SSL.com), Tim Callan – (Sectigo), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Tobias Josefowitz – (Opera Software AS), Trevoli Ponds-White – (Amazon), Tsung-Min Kuo – (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha – (eMudhra), Vikas Khanna – (Microsoft), Wayne Thayer – (Fastly), Wendy Brown – (US Federal PKI Management Authority), Xiao Qiang – (GDCA), Xiu Lei – (GDCA), Yashwanth TM – (eMudhra), Yoshihiko Matsuo – (Japan Registry Services), Yoshiro Yoneya – (Japan Registry Services).
Minutes of the F2F 59 Meeting in Redmond, WA, USA, 6-8 June 2023 – CSCWG (6 June)
June 6, 2023 by Corey Bonnell
Attendees
Attendance: IN THE ROOM (FROM SIGN UP SHEET) Ben Wilson (Mozilla), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Karina Sirota Goodley (Microsoft), Tahmina Ahmad (Microsoft), Hannah Sokol (Microsoft), Nitesh Bakliwal (Microsoft), Brianca Martin (Amazon), Trevoli Ponds-White (Amazon), Jonathan Kozolchyk (Amazon), Blake Hess (Amazon), Aaron Poulsen (Amazon), Michael Slaughter (Amazon), Tim Crawford (WebTrust), Inigo Barreira (Sectigo), Yoshiro Yoneya (JPRS), Martijn Katerbarg (Sectigo), Nick France (Sectigo), Tim Callan (Sectigo), Roberto Quinones (Intel), Ben Dewberry (Keyfactor), Sven Rajala (Keyfactor), Leo Grove (SSL.com), Stephen Davidson (DigiCert), Jeremy Rowley (DigiCert), Scott Olsen (Microsoft), Linda Diefendorf (Microsoft), Steve Lasker (Microsoft), Yamian Quinero (Microsoft), Thomas Zermeno (SSL.com), Georgy Sebastian (Amazon), Meha Sharma (Microsoft), Rakia Segeu (Microsoft), Dawn Wang (Microsoft), Eva van Steenberge (GlobalSign), Christophe Bonjean (GlobalSign), Romain Delval (Certigna), Josselin Allemandou (Certigna), Xiu Lei (GDCA), Xiao Qiang (GDCA), Corey Bonnell (DigiCert), Vikas Khanna (Microsoft), An Yin (iTrusChina), Vijay Kumar (eMudhra), Pankaj Chawla (eMudhra), Scott Rea (eMudhra), Paul van Brouwershaven (Entrust), Bruce Morton (Entrust), Arno Fiedler (ETSI ESI), Dimitris Zacharopoulos (HARICA)
Minutes of the F2F 58 Meeting in Ottawa, Canada, 28 February – 1 March, 2023
March 2, 2023 by Ben Wilson
Tuesday, 28 February 2023 – CA/B Forum Meeting (Day 1)
Attendees: Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon Trust Services), Adam Jones (Microsoft), Adrian Mueller (SwissSign), Aleksandra Kurosz (Asseco Data Systems S.A. (Certum)), Alison Titus (Entrust), Andrea Holland (VikingCloud), Andreas Henschel (D-TRUST), Aneta Wojtczak-Iwanicka (Microsoft), Anna-Marie Christian (CPA Canada), Arno Fiedler (D-TRUST), Arnold Essing (Telekom Security), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Ben Wilson (Mozilla), Brianca Martin (Amazon), Brittany Randall (GoDaddy), Bruce Morton (Entrust), Bruce Wei (TrustAsia Technologies, Inc.), Chad Edhlers (IdenTrust), Chris Bailey (Entrust), Chris Clements (Google), Chris Czajczyc (Deloitte), Chris Kemmerer (SSL.com), Christophe Bonjean (GlobalSign), Clemens Wanko (ACAB'c), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Daniel Jeffery (Fastly), Daryn Wright (GoDaddy), Dave Chin (CPA Canada), David Kluge (Google), Dimitris Zacharopoulos (HARICA), Don Sheehy (WebTrust), Doug Beattie (GlobalSign), Dre Armeda (GoDaddy), Elaine Bronsther (Sectigo), Ellie Lu (TrustAsia Technologies, Inc.), Enrico Entschew (D-TRUST), Eva Vansteenberge (GlobalSign), Fumihiko Yoneda (Japan Registry Services Co., Ltd. (JPRS)), George Fergadis (HARICA), Georgy Sebastian (Amazon), Hazhar Ismail (MSC Trustgate Sdn Bhd), Henry Birge-Lee (Guest Speaker), Ian McMillan (Microsoft), Ilona Jones (Entrust), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), JP Hamilton (Cisco Systems), Jamie Mackey (US Federal PKI Management Authority), Janet Hines (VikingCloud), Jeremy Rowley (DigiCert), Joanna Fox (TrustCor Systems), John Sarapata (Google Trust Services), Jos Purvis (Fastly), Jozef Nigut (Disig), Karina Sirota Goodley (Microsoft), Kathleen Wilson (Mozilla), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Lisa Marie Barlow (Entrust), Lynn Jeun (Visa), Mads Henriksveen (Buypass AS), Marcelo Silva (Visa), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Matthias Wiedenhorst (ACAB Council), Michael Slaughter (Amazon), Michał Malinowski (Asseco Data Systems S.A. (Certum)), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Nick France (Sectigo), Nikolaos Soumelidis (ACAB'c), Pankaj Chawla (eMudhra), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Pekka Lahtiharju (Telia Company), Peter Miskovic (Disig), Prachi Jain (Fastly), Rich Smith (DigiCert), Raffaela Achermann (SwissSign), Rajesh Raman (eMudhra), Rebecca Kelley (Apple), Rob Stradling (Sectigo), Rollin Yu (TrustAsia Technologies, Inc.), Ryan Dickson (Google Chrome), Samantha Frank (Let's Encrypt), Sissel Hoel (Buypass), Star Simmons (GoDaddy), Stefan Kirch (Telekom Security), Stephen Davidson (DigiCert), Steven Deitte (GoDaddy), Sven Rajala (Keyfactor), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Tsung-Min Kuo (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha (eMudhra), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority), Xiu Lei (GDCA), Yoshihiko Matsuo (Japan Registry Services Co., Ltd. (JPRS)), Yoshiro Yoneya (Japan Registry Services Co., Ltd. (JPRS)).
Minutes of the F2F 58 Meeting in Ottawa, Canada, 28 Feb-2 March 2023 – Validation SC (2 March)
March 2, 2023 by Iñigo Barreira
Validation Subcommittee
Corey noted that the Antitrust Statement had been read and that attendance had been taken. The minutes of the meeting of Feb. 9, 2023, were approved. Corey recapped the status of the work accomplished by the Validation Subcommittee. First, since the Fall 2022 face-to-face meeting, the most notable accomplishment has been progress on the certificate profiles ballot. We also restarted the discussion of including LEIs in certificates, and we continued work on a review of "Applicant" and "Applicant Representative" in the Baseline Requirements (BRs). During the read-through of the BRs, we identified other things to fix as well.
Minutes of the F2F 58 Meeting in Ottawa, Canada, 28 Feb-2 March 2023 – SCWG (2 March)
March 2, 2023 by Iñigo Barreira
Meeting of the Server Certificate Working Group
March 2, 2023
Attendees: Aaron Gable – (Let's Encrypt), Aaron Poulsen – (Amazon), Adam Jones – (Microsoft), Adrian Mueller – (SwissSign), Andrea Holland – (VikingCloud), Andreas Henschel – (D-TRUST), Aneta Wojtczak-Iwanicka – (Microsoft), Ben Dewberry – (Keyfactor), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Brittany Randall – (GoDaddy), Bruce Morton – (Entrust), Bruce Wei – (TrustAsia Technologies, Inc.), Chris Clements – (Google), Chris Czajczyc – (Chris Czajczyc (Private Person)), Chris Kemmerer – (SSL.com), Christophe Bonjean – (GlobalSign), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Corey Rasmussen – (OATI), Daniel Jeffery – (Fastly), Daryn Wright – (GoDaddy), Dave Chin – (CPA Canada/WebTrust), David Kluge – (Google), Dimitris Zacharopoulos – (HARICA), Don Sheehy – (CPA Canada/WebTrust), Doug Beattie – (GlobalSign), Dre Armeda – (GoDaddy), Elaine Bronsther – (Sectigo), Ellie Lu – (TrustAsia Technologies, Inc.), Enrico Entschew – (D-TRUST), Eva Vansteenberge – (GlobalSign), George Fergadis – (HARICA), Hazhar Ismail – (MSC Trustgate Sdn Bhd), Hogeun Yoo – (NAVER Cloud), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Jamie Mackey – (US Federal PKI Management Authority), Janet Hines – (VikingCloud), Jeremy Rowley – (DigiCert), Joanna Fox – (TrustCor Systems), Jos Purvis – (Fastly), Jozef Nigut – (Disig), JP Hamilton – (Cisco Systems), Karina Sirota – (Microsoft), Kathleen Wilson – (Mozilla), Li-Chun Chen – (Chunghwa Telecom), Lynn Jeun – (Visa), Mads Henriksveen – (Buypass AS), Marcelo Silva – (Visa), Martijn Katerbarg – (Sectigo), Matthias Wiedenhorst – (ACAB Council), Michael Slaughter – (Amazon), Michelle Coon – (OATI), Nargis Mannan – (VikingCloud), Nick France – (Sectigo), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Pekka Lahtiharju – (Telia Company), Peter Miskovic – (Disig), Raffaela Achermann – (SwissSign), Rebecca Kelley – (Apple), Renne Rodriguez – (Apple), Rich Smith – (DigiCert), Rollin Yu – (TrustAsia Technologies, Inc.), Ryan Dickson – (Google), Samantha Frank – (Let's Encrypt), Sissel Hoel – (Buypass AS), Star Simmons – (GoDaddy), Stephen Davidson – (DigiCert), Steven Deitte – (GoDaddy), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tim Callan – (Sectigo), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Tobias Josefowitz – (Opera Software AS), Tsung-Min Kuo – (Chunghwa Telecom), Yoshiro Yoneya – (JPRS)
