
Final minutes of the 2024-10-31 validation-sc meeting


Corey Bonnell

Nov 14, 2024, 1:12:15 PM11/14/24
to valid...@groups.cabforum.org

These minutes were approved on the 2024-11-14 validation-sc meeting.

 

Attendees:

Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Adriano Santoni (Actalis S.p.A.), Andrea Holland (VikingCloud), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Clements (Google), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Iñigo Barreira (Sectigo), Irene Tan (FPKI), Jaime Hablutzel (OISTE Foundation), Kiran Tummala (Microsoft), Luis Cervantes (SSL.com), Mahua Chaudhuri (Microsoft), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Paul van Brouwershaven (Entrust), Rollin Yu (TrustAsia), Roman Fischer (SwissSign), Ryan Dickson (Google), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)

 

Trev and Clint are absent from the call, and Scott will take minutes instead.

 

Note Well:

Read by Corey

 

Roll Call:

As above as taken from WebEx, Irene Tan identified as new FPKI MA representative

 

Minutes of Previous Meetings:

•             Minutes from the Sep 19th 2024 meeting of the Validation Working Group and minutes from 2 weeks ago (Oct 17th 2024 meeting of the Validation Working Group) have been circulated recently. The call for approval of these will happen at the next call.

•             Minutes from Validation Working Group meeting at Seattle F2F 63 have been circulated by Ben. These minutes were approved unanimously.

 

Agenda Items

1.           Continue discussion of SC-81 (reduce certificate validity and validation reuse periods)

2.           Standard CAA parameters (https://github.com/cabforum/servercert/issues/353#issuecomment-2372420590)

3.           STRIDE model for DCV method #7

 

Discussion

 

•             The initial discussion revolves around SC 81 to reduce certificate validity and validation reuse periods:

•             Dimitris Zacharopoulos suggested creating a process to handle the volume of comments on pull requests and analyze the meaningful arguments.

•             Aaron shared that he had reviewed all the comments on GitHub and that there were no meaningful “con” arguments provided to date; the comments were not necessarily substantive in nature, being more reaction and informational than concrete actionable data.

•             Dimitris suggested we need a process to be able to triage the volume of comments.

•             Ryan Dickson suggested considering comments from non-forum members as informal feedback rather than formal contributions, and perhaps Ballot sponsor (Clint) could summarize in the Ballot preamble.

•             Ben Wilson suggested there needs to be a balanced consideration of feedback and it shouldn’t be cherrypicked for just one-sided justifications.

•             Wayne Thayer suggested that Clint was really looking for feedback from the broader community to help crystallize an appropriate time frame. What is really needed is some way to solicit more specific, logical feedback rather than vague emotive responses.

•             Wendy Brown raises concerns about the impact of shortening certificate lifetimes on subscribers and suggests the need (and value) for input from the subscriber side. It’s not appropriate to just respond to Subscriber community that “hey you haven’t signed the IPR so you don’t get a say in the decision” – that is not helpful. This proposal, unlike most others in BRs, will have a significant impact on Subscribers.

•             Dimitris Zacharopoulos suggests waiting for the official ballot discussion and emphasizes the need for a more effective process to address Subscriber challenges and problems.

•             Ryan Dickson expresses the need for clearer feedback and understanding of use cases to make informed decisions about certificate validity periods. Some of the feedback seemed unrelated to browser-based TLS Use Cases.

•             Aaron Gable suggested the proposal should be turned into an official Ballot before commenting and discussion on GitHub should be considered by the WG, and until that time, it is Clint’s responsibility to manage.

•             Some discussion about how best to engage the community, and the historical precedent and value of pre-ballot discussions. Perhaps this shouldn’t have a Ballot number yet?

•             Scott Rea suggested that we may still have a procedural issue to address, because folks may be participating via the GitHub comments channel thinking their feedback is being considered when in fact we may be tossing it all out, or perhaps only the author will consider it. We should be informing commenters up front on how their feedback will be utilized.

•             Trevoli Ponds-White suggested some things are being conflated here because of the nature of the use cases, and we need clarity on that aspect, so we can get the specific feedback we are seeking.

•             Wendy Brown still is not clear on what security issue is being solved by the 45 day validity, and that aspect hasn’t been articulated well in the proposal yet.

•             Trevoli Ponds-White suggested we may need to introduce a new EKU specifically for browser-based Server Auth TLS. This would allow an appropriate differentiation and allow us to focus on the use cases of interest.

•             Wayne Thayer thinks Trev’s suggestion is really worth considering and it has several benefits to clarifying and framing the current discussion.

•             Corey Bonnell indicated we could consider redirecting the discussion to the Questions mailing list.

•             Trevoli Ponds-White suggested we should just let AI summarize the comments.

•             Iñigo Barreira suggested we should leave the comments in GitHub but only really start considering them once the Ballot becomes formal.

•             Wayne Thayer suggested the best decision in the short term should be to redirect discussion to CCADB mailing list.

•             Michael Slaughter suggested CAs can develop their own methodology for soliciting feedback on validity periods from their Subscribers, citing the DigiCert example on a previous certificate lifetimes ballot.

•             General discussion around what the motivations are and the expected benefits of reducing certificate lifetimes need to be clearly stated in the ballot. The impact on CAs and their databases due to shorter certificate lifetimes also needs further discussion. Feedback that is not specific is less useful to process.

•             Trevoli Ponds-White suggested key security is a more important and valuable topic to focus on than shorter lifetimes.

•             Dimitris Zacharopoulos suggested we need to have consideration and discussion on presented academic research, and will prompt some of that on the lists in future.

•             Wayne Thayer wonders whether improving revocation and implementing revocation reason codes should be considered in addition to reduced certificate lifetimes. This should be raised in the server cert WG.

•             Aaron Gable suggested we need a clearer statement of the motivations of the ballot before we will get the feedback we are looking for.

 

Action items

 

•             Corey will inform Clint that the discussion on SC 81 continued without him.

•             Trevoli proposed that the Server Cert WG consider creating a different EKU to differentiate browser certificates.

•             Corey suggested the WG to explore the possibility of using the questions mailing list for community feedback

•             Trevoli suggested investigating the option of generating an AI summary of GitHub comments for easier review and consideration.

•             Wayne proposed the possibility of using CCADB for discussion and soliciting commentary on the proposed ballot; this will be explored.

•             Michael Slaughter suggested CAs develop their own methodology for soliciting feedback to inform their decisions on the ballot.

•             Clint Wilson is requested to provide a list of motivations and expected benefits of the ballot.

•             Wayne Thayer will post on the server cert list to determine how to channel community discussions.

 

Next Meeting:

Thursday 14 November, 2024

 

Adjourned
