*Validation Subcommittee Meeting of September 7, 2023*

*Note Well:* Read by Corey Bonnell

*Attendance:* Aaron Gable - ISRG, Aaron Poulsen - Amazon Trust Services, Andrea Holland - VikingCloud, Aneta Wojtczak - Microsoft, Antonis Eleftheriadis - HARICA, Ben Wilson - Mozilla, Bhat Abhishek - eMudhra, Bruce Morton - Entrust, Clint Wilson - Apple, Corey Bonnell - DigiCert, Corey Rasmussen - OATI, Dimitris Zacharopoulos - HARICA, Doug Beattie - GlobalSign, Dustin Hollenback - Microsoft, Gurleen Grewal - Google Trust Services, Inigo Barreira - Sectigo, Joe Ramm - OATI, Johnny Reading - GoDaddy, Keshava Nagaraju - eMudhra, Li-Chun Chen - Chunghwa Telecom, Martijn Katerbarg - Sectigo, Michelle Coon - OATI, Nargis Mannan - VikingCloud, Nate Smith - GoDaddy, Paul van Brouwershaven - Entrust, Q Misell (Speaker/Invited Guest), Rebecca Kelley - Apple, Rollin Yu - TrustAsia, Roman Fischer - SwissSign, Scott Rea - eMudhra, Tobias Josefowitz - Opera, Wayne Thayer - Fastly, Wendy Brown - U.S. Federal PKI

*Previous Minutes:* Minutes for the August 10th meeting, prepared by Aneta Wojtczak, were circulated August 23rd, and they were approved. Minutes for the August 24th meeting, prepared by Andrea Holland, were circulated on September 6th and will be approved at the next meeting.

*Agenda Items:*
· Q Misell’s presentation on ACME for Onion/Tor
· Review of To-Do List from February 2023

*Q Misell’s “ACME for Onions” and CAA for Onion Domain Names presentation*

See https://magicalcodewit.ch/cabf-2023-09-07-slides/

Q is working on defining a CAA extension for .onion domains. See https://datatracker.ietf.org/doc/draft-ietf-acme-onion/ and https://acmeforonions.org/

This will allow automated issuance of certificates to Tor hidden services and make .onion domains act like DNS names from a WebPKI perspective. Implementing with CAA provides consistency and reduces the risk of misissuance. Q reviewed how it works through the various layers of encrypted data. .onion domains aren't in the DNS, so standard CAA records can't be used. Instead, CAA records are encoded in the BIND zone file format in the second-layer hidden service descriptor. A new field in the first-layer hidden service descriptor signals that there are CAA records in the second-layer descriptor.

*Reviewed To-Do list from February 2023*

See https://lists.cabforum.org/pipermail/validation/2023-February/001860.html

We discussed replacing "Applicant" with "Subscriber" in item 9 of section 4.9.1.1. Aaron G. expressed concerns about language in the parentheses (i.e. "no longer legally permitted"). For example, it’s unclear what happens when a registrant for a gTLD fails to renew its assignment with ICANN. How much detail do we want to get into in the parenthetical in this section? And some examples don’t fall into the bucket of “no longer legally permitted”. Aaron was also concerned about why a certificate should have to be revoked if the domain is still valid in the DNS. Aaron might file an issue in GitHub, or Corey may file one for the overall issue.

We also discussed replacing “Applicant” or “Subscriber” with “Applicant/Subscriber” in some places of section 9.6.3. Dimitris proposed that we split up the requirements between those applicable to either “Applicants” or “Subscribers”. Wayne asked that we clarify the renewal scenario and whether the entity is an applicant. Is the relationship transactional (on a per-certificate basis), or does it depend on the relationship between the CA and the entity? (In the BR definition of “Applicant” we say that they are an applicant even when they are renewing a certificate.) Aaron G. said that in the ACME protocol, a subscriber is someone who has agreed to the subscriber agreement, which you do when you create an account, and who has had a certificate issued to them; then you are a subscriber forever more. But also, when you are obtaining new certificates over a ten-year period, you are both a subscriber and an applicant because you are applying for a new certificate now.

Ben was concerned that we don’t have sufficient consensus on how these concepts should be expressed, and therefore it was too early to address them in the upcoming “Subscriber Agreement” ballot that he and Dustin are working on. Corey suggested that this issue be added to the agenda for an upcoming meeting, such as a Server Certificate Working Group meeting or the face-to-face.

Meeting adjourned.
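As an added example (not part of these minutes, the slides, or the ACME for Onions draft), the following Python shows how a CA might consume CAA records carried in BIND zone-file presentation format, as the presentation describes for the second-layer descriptor, and evaluate them with the usual RFC 8659 issue/issuewild semantics (unknown critical tags block issuance; a bare ";" authorizes nobody; a missing issue set leaves issuance unrestricted). The descriptor framing, the first-layer signalling field, the sample records and the `validationmethods=onion-csr-01` parameter (RFC 8657 syntax) are all assumptions; only the extracted CAA lines are processed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the CAA lines a CA might extract from a second-layer
# descriptor. The descriptor framing and the first-layer flag that announces
# them are assumed and omitted; only the zone-file-format records are shown.
SAMPLE_DESCRIPTOR_CAA = """\
; CAA records for an onion service (constructed example)
@ IN CAA 0 issue "ca-one.example"
@ IN CAA 0 issue "ca-two.example; validationmethods=onion-csr-01"
@ IN CAA 0 issuewild ";"
@ IN CAA 0 iodef "mailto:security@example.onion"
"""

# Zone-file presentation format for CAA (RFC 8659 section 4.1.1):
# [owner] [TTL] [IN] CAA <flags> <tag> "<value>"
CAA_LINE = re.compile(
    r'^(?:(?P<owner>@|[A-Za-z0-9._-]+)\s+)?(?:\d+\s+)?(?:IN\s+)?CAA\s+'
    r'(?P<flags>\d{1,3})\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Bit 0 of the flags octet (value 128) is the issuer-critical flag.
        return bool(self.flags & 0x80)


def parse_caa(zone_text: str) -> list[CAARecord]:
    """Parse CAA records from zone-file text; reject anything malformed."""
    records = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or full-line comment
        m = CAA_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a CAA record: {raw!r}")
        flags = int(m["flags"])
        if flags > 255:
            raise ValueError(f"line {lineno}: flags out of range: {flags}")
        records.append(CAARecord(flags, m["tag"].lower(), m["value"]))
    return records


def _split_value(value: str) -> tuple[str, dict[str, str]]:
    """Split 'domain; k=v; k=v' into the issuer domain and its parameters."""
    domain, _, rest = value.partition(";")
    params = {}
    for item in rest.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return domain.strip().lower(), params


def relevant_records(records: list[CAARecord], wildcard: bool = False) -> list[CAARecord]:
    """The records that govern this request (RFC 8659 section 4.2)."""
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard names only when at least one such record exists.
    if wildcard and issuewild:
        return issuewild
    return issue


def issuer_parameters(records, issuer_domain: str, wildcard: bool = False):
    """Return the parameters of the record authorizing issuer_domain, or None."""
    # An unrecognised tag marked critical means the CA must not issue.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return None
    relevant = relevant_records(records, wildcard)
    if not relevant:
        return {}  # no issue/issuewild records: issuance is unrestricted
    for r in relevant:
        domain, params = _split_value(r.value)
        # A bare ";" names no issuer and therefore authorizes no CA.
        if domain and domain == issuer_domain.lower():
            return params
    return None


def may_issue(records, issuer_domain: str, wildcard: bool = False) -> bool:
    return issuer_parameters(records, issuer_domain, wildcard) is not None


if __name__ == "__main__":
    recs = parse_caa(SAMPLE_DESCRIPTOR_CAA)
    for ca in ("ca-one.example", "ca-two.example", "other-ca.example"):
        print(ca, may_issue(recs, ca), issuer_parameters(recs, ca))
```

The parser is deliberately strict: a descriptor line that looks like CAA but does not match the presentation format raises rather than being silently ignored, since the safe failure mode for a CA is to refuse issuance until the records can be read.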
_______________________________________________ Validation mailing list Validation@cabforum.org https://lists.cabforum.org/mailman/listinfo/validation