CA/Browser Forum posts
Posts by tag Minutes
2023-04-13 Minutes of the Server Certificate Working Group
April 13, 2023 by Iñigo Barreira
Server Certificate Working Group Meeting April 13, 2023
Attendees: Aaron Poulsen – (Amazon), Adam Jones – (Microsoft), Adrian Mueller – (SwissSign), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Corey Rasmussen – (OATI), David Kluge – (Google), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Doug Beattie – (GlobalSign), Dustin Hollenback – (Microsoft), Ellie Lu – (TrustAsia Technologies, Inc.), Enrico Entschew – (D-TRUST), Fumi Yoneda – (Japan Registry Services), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Joanna Fox – (TrustCor Systems), Johnny Reading – (GoDaddy), Jos Purvis – (Fastly), Mads Henriksveen – (Buypass AS), Martijn Katerbarg – (Sectigo), Michelle Coon – (OATI), Nargis Mannan – (VikingCloud), Peter Miskovic – (Disig), Rebecca Kelley – (Apple), Rollin Yu – (TrustAsia Technologies, Inc.), Ryan Dickson – (Google), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tobias Josefowitz – (Opera Software AS), Trevoli Ponds-White – (Amazon), Wayne Thayer – (Fastly), Wendy Brown – (US Federal PKI Management Authority), Yoshiro Yoneya – (Japan Registry Services)
2023-04-12 Minutes of the S/MIME Certificate Working Group
April 12, 2023 by Stephen Davidson
Minutes of SMCWG April 12, 2023
These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.
2023-04-06 Minutes of the Code Signing Certificate Working Group
April 6, 2023 by Corey Bonnell
Attendees: Atsushi Inaba (Globalsign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Janet Hines (Viking Cloud), Martijn Katerbarg (Sectigo), Mohit Kumar (Globalsign), Tim Crawford (BDO), Tomas Gustavsson (Keyfactor)
Minutes
Minute taker: Dean Coclin
The Anti-Trust summary was read.
Three sets of prior meeting minutes were approved: F2F, March 9 and March 23.
Malware based revocation: Martijn stated that this was ready for ballot. The PR on GitHub has been created. CSCWG 18 is the ballot number. Martijn will send out a summary and proposed ballot.
Signing Service Update: Bruce was unable to attend, hence this topic was tabled until the next call.
Removing SSL BR references: Dimitris reviewed some of the changes to the BRs. Martijn agreed to help divide the upcoming work. Various sections were reviewed and updated in the document which Dimitris is maintaining on Git. All the modifications can be found on the Git repository. We expect to consider the import of the BRs at the next meeting. Following this, we will work on the references to the EV guidelines.
Next meeting on April 20th.
2023-03-30 Minutes of the CA/Browser Forum Teleconference
March 30, 2023 by Ben Wilson
Attendance: Aaron Poulsen – (Amazon), Adam Jones – (Microsoft), Ben Wilson – (Mozilla), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Chris Clements – (Google), Chris Kemmerer – (SSL.com), Clint Wilson – (Apple), Corey Rasmussen – (OATI), Daryn Wright – (GoDaddy), Dimitris Zacharopoulos – (HARICA), Ellie Lu – (TrustAsia Technologies, Inc.), Fumi Yoneda – (Japan Registry Services), Inaba Atsushi – (GlobalSign), Iñigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Joanna Fox – (TrustCor Systems), Johnny Reading – (GoDaddy), Jos Purvis – (Fastly), Jozef Nigut – (Disig), Kiran Tummala – (Microsoft), Lynn Jeun – (Visa), Mads Henriksveen – (Buypass AS), Marcelo Silva – (Visa), Martijn Katerbarg – (Sectigo), Michelle Coon – (OATI), Nargis Mannan – (VikingCloud), Pedro Fuentes – (OISTE Foundation), Rebecca Kelley – (Apple), Rollin Yu – (TrustAsia Technologies, Inc.), Stephen Davidson – (DigiCert), Steven Deitte – (GoDaddy), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tobias Josefowitz – (Opera Software AS), Wayne Thayer – (Fastly).
2023-03-29 Minutes of the S/MIME Certificate Working Group
March 29, 2023 by Stephen Davidson
Minutes of SMCWG March 29, 2023
These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.
2023-03-23 Minutes of the Code Signing Certificate Working Group
March 23, 2023 by Corey Bonnell
Attendees: Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert)
Minutes
Administration
Attendance and requests a minute taker
Reads antitrust statement
Waiting on minutes for two meetings prior to face to face
Face to face minutes will be approved at next meeting
Malware Based Revocation Ballot
Ballot summary
Taking approach BRs and SBRs are taking on revocation
Removing CS specific suspect code reference
Discuss 5 day revocation window, consider a 5 day and/or 7 day
Bruce noted good to sync with the SSL BRs at 24 hours and 5 days, but ok with suspect code at 5 days and 7 days
Discussion if we should have requirements defining a misused certificate compared to private key misuse
Additional discussion of misused keys, compared to compromised keys, and signed code that is suspect
Action point to consider defining misuse
Discussion on proper time limit for known compromise and signing malware
Discussion of the difference in timing requirements between key compromise and signing suspect code and back dating revocation
Discussed the consideration that signing suspect code should be treated as a potential compromise of key and/or the subscriber does not have practices in place to detect suspect code
Discussion of asking Microsoft as the main certificate consumer to weigh in on complicated use cases.
This is a practice now and not an overly common practice, this would take place after revocation and there is an open period to back date revocation
Mentioned the RFC does not allow back dating, but it is an important tool for code signing
Need to cover the loophole for certificate problem reports for expired or revoked certificates
Potential wording is being drafted and will be included in GitHub and distributed
Other topics
It was determined signing service did not have much to discuss at this time and we should focus on the revocation topic
A couple of points on removing the SSL BR reference were mentioned and would be discussed on future calls
2023-03-16 Minutes of CA/Browser Forum Teleconference
March 16, 2023 by Ben Wilson
Final Minutes of Teleconference March 16, 2023
Prepared by Tom Zermeno (SSL.com).
2023-03-15 Minutes of the S/MIME Certificate Working Group
March 15, 2023 by Stephen Davidson
Minutes of SMCWG March 15, 2023
These are the Approved Minutes of the Teleconference described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.
2023-03-09 Minutes of the Code Signing Certificate Working Group
March 9, 2023 by Corey Bonnell
Attendees: Andrea Holland (SecureTrust), Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Rollin Yu (TrustAsia), Tim Hollebeek (DigiCert), Tomas Gustavsson (Keyfactor)
Minutes
Assign Minute taker (start recording)
Brianca is taking minutes
Antitrust Statement
Dean reminded all participants that they must comply with the CA/Browser Forum anti-trust policy, code of conduct, and intellectual property rights agreement. Please contact the chair with any comments or concerns about these policies.
Meeting Minutes
February 9th meeting minutes pending receipt from Trevoli Ponds (Amazon). Martijn took minutes at the F2F Meeting on February 28th.
Agenda – Items discussed in the F2F meeting
a. Ian provided an overview from Microsoft’s perspective. Subscribers (buy certs, sign code) and consumers (consume the code/application that is signed/application).
2023-02-16 Minutes of the Server Certificate Working Group
March 6, 2023 by Iñigo Barreira
Meeting of the Server Certificate Working Group, February 16, 2023
Attendees: Aaron Gable – (Let’s Encrypt), Aaron Poulsen – (Amazon), Adrian Mueller – (SwissSign), Andrea Holland – (SecureTrust), Ben Wilson – (Mozilla), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Chris Clements – (Google), Chris Kemmerer – (SSL.com), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Daryn Wright – (GoDaddy), David Kluge – (Google), Dimitris Zacharopoulos – (HARICA), Doug Beattie – (GlobalSign), Dustin Hollenback – (Microsoft), Ellie Lu – (TrustAsia Technologies, Inc.), Enrico Entschew – (D-TRUST), Fumi Yoneda – (Japan Registry Services), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (SecureTrust), Joanna Fox – (TrustCor Systems), Johnny Reading – (GoDaddy), Jos Purvis – (Fastly), Karina Sirota – (Microsoft), Kiran Tummala – (Microsoft), Lynn Jeun – (Visa), Mads Henriksveen – (Buypass AS), Martijn Katerbarg – (Sectigo), Michelle Coon – (OATI), Nargis Mannan – (SecureTrust), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Peter Miskovic – (Disig), Rebecca Kelley – (Apple), Rollin Yu – (TrustAsia Technologies, Inc.), Roman Fischer – (SwissSign), Ryan Dickson – (Google), Stephen Davidson – (DigiCert), Steve Topletz – (Cisco Systems), Thomas Zermeno – (SSL.com), Tim Hollebeek – (DigiCert), Tobias Josefowitz – (Opera Software AS), Vijayakumar (Vijay) Manjunatha – (eMudhra), Wayne Thayer – (Fastly), Wendy Brown – (US Federal PKI Management Authority), Yoshiro Yoneya – (Japan Registry Services)
Next Minute Taker: Chris Kemmerer after the face-to-face meeting.
Review of Agenda: Inigo Barreira stated the agenda was published and there were no changes.
Approval of Minutes: Approved from the last call on February 2, 2023.
Validation Subcommittee update: Corey Bonnell stated the subcommittee discussed two topics at the last meeting.
The first was planning for the face-to-face where they decided that they were going to use the hour and a half by splitting the time. In the first half they will discuss multi-perspective domain validation and mitigations against some of the attacks that we’ve seen. Corey thought it was a great idea proposed by Ryan Dickson to take advantage of the guest speakers’ knowledge that they’ll be sharing and seeing how we can apply it within the context of the subcommittee. The second topic will be a continuation of the discussion around applicant representatives and their roles and responsibilities throughout the certificate issuance process. They identified five top level certificate issuance flows or models and there was a call for volunteers to write up each issuance flow. The write ups would look at each flow and identify improvements to the requirements as needed to better accommodate the flows or discuss various security properties. As an administrative note the call next Thursday is canceled, keeping the tradition of canceling before the face-to-face. Inigo suggested discussing restructuring the calls or how the SCWG should manage the validation subcommittee. Corey recalls this conversation occurring in the context of the SCWG. Ballot Status: SC61v4 – Incorporation of Mozilla Revocation Reason Codes is now in the voting period. SC62 – Certificate profiles. Still in discussion period with no end date defined yet. SC59 – Revival of Debian Weak Keys Ballot. Chris Kemmerer stated while working on redline they discovered they need to satisfy some pretty cogent comments from one of their endorsers. They would like to have this as an item for discussion at the face-to-face meeting. SCXX – SLO/Response for CRL & OCSP Responses. Clint stated there is no change. SCXX – Make OCSP optional, require CRLs. Ryan stated this is staged behind the profiles ballot. If people are interested in providing feedback, it’s very welcome. 
If anyone is interested in becoming an endorser they can email Ryan.
Any other business: Tim suggested the SCWG should discuss where we want the working group to go and what it should be working on. The SCWG is in a state where it doesn’t have any clear direction and that’s really dangerous. The SCWG is one of the most important working groups we have. We need to get everybody on the same page about what we think are the important problems in the ecosystem that the group should be addressing and get people to start working on proposals to address those items. It’s a little bit dangerous that we continue to kind of let it continue its current trajectory, where not a lot gets done and the requirements just kind of sit the way they are. Inigo agreed and said even minor changes in the titling of the documents would help as well as updating the EV Guidelines in accordance with RFC 3647. The validation subcommittee was originally created for validation and when there was no working group structure. He plans on sending a list of topics to be included. Inigo stated Dimitris sent an email to the management list regarding algorithms and suggested discussion at the SCWG. Dimitris sent the email already knowing there was a discussion in the S/MIME working group but he felt the email was geared towards TLS. From previous discussions he believes there was no intent of implementing the algorithms by the browsers. Regardless, we need an answer for the questions list. Inigo asked if there was a time limit to respond to the question list. Dimitris is not aware of a time limit. Ben will email Dean. Tim suggested the algorithms in question are a little bit more efficient, a little bit more trustworthy in the nature of how the curves were generated. There are a bunch of small advantages that some people find attractive. Until a browser adopts the algorithm there is a chicken and egg problem. It’s up to the browsers to decide if this is something that they want to support.
Aaron Gable stated they continually get requests from applicants and subscribers asking why they don’t support these curves and the answer is always, “we can’t”. There are other questions about the level of HSM support for curves other than the ones they use, but they would love for browsers to support them. Tim stated HSM support is pretty good and that should not be a blocker.
Next Meeting: March 16, 2023
Meeting adjourned.