Re: Validation Summit
On Monday, 5 February 2018 22:31:46 UTC+1, Wayne Thayer wrote:
> Gerv and I have made, and the CA/Browser Forum has accepted a proposal to convene a "Validation Summit" on Tuesday March 6th during the next regularly scheduled CA/Browser Forum face-to-face meeting that will be held in the Washington DC area.
>
> The intent of this summit is to perform an analysis of each of the "blessed 10" domain validation methods, identify weaknesses, and determine if each method needs to be improved or deprecated. You can find a proposed agenda at [1].
>
> The CA/Browser Forum has agreed to invite security experts who have specialized knowledge of threat analysis and CA operations to participate, and I would like to extend that invitation to members of the Mozilla security community. It would be particularly helpful to have participants who have experience in the following areas:
>
> 1. Real-world experience with the validation procedures as they are currently practiced by public CAs
> 2. Experience with threat modeling, analyzing a variety of protocols, or other methods for rigorously analyzing processes and procedures for potential vulnerabilities
> 3. Deep technical expertise related to how validation-related technologies perform and/or fail in the real world (DNS, WHOIS, Domain Registrars, Reverse IP lookup, and so on)
> 4. Technical challenges that prevent various validation methods from being usable by a significant fraction of certificate applicants, and thus drive users towards less desirable methods
> 5. Automation of validation protocols (i.e. ACME)
>
> Those putting their names forward should be prepared to adhere to the Code of Conduct [2] and to participate in a constructive discussion that remains focused on the topic at hand. If you would like to participate, you will be required to become an Interested Party [3] and sign the CA/Browser Forum IPR Agreement. [4] (Note: if your company is already a CA/Browser Forum member, please check with your representative)
>
> If you intend to meet these requirements and attend the summit as an Interested Party, please email me (wthayer-at-mozilla-dot-com) so that I can get you added to the list of attendees and provide more information.
>
> We do expect to have a remote attendance option available; however, given the size of the group, please be aware that it can be difficult to participate even when the audio quality is good. If you would like to attend in-person but require travel/accommodation sponsorship, please mention that in your email to me, along with a ballpark figure for costs (estimate the hotel as $122 per night).
>
> Wayne
>
> [1] https://cabforum.org/pipermail/public/2018-February/012908.html
> [2] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.7.pdf (Exhibit C)
> [3] https://cabforum.org/current-work
> [3] https://cabforum.org/ipr-policy/

Hi Wayne, all,

we really appreciate this effort to enable us all for a deep-dive into Validation mechanisms and how to proceed here. D-Trust will actively engage in this process and thus will be represented by Enrico Entschew and Arno Fiedler.

Thanks,
Kim

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Validation Summit
The CA/Browser Forum’s Bylaws at Section 2.3(c) allow the Forum Chair (currently me) to invite Interested Parties to participate in Working Group meetings.

I hereby extend an invitation to Forum Interested Parties to participate in person or remotely in the all-day Validation Working Group meeting on Tuesday, March 6, 2018 at Amazon’s offices in Herndon, VA (located near Dulles Airport). If you are employed by a Forum member, please coordinate with your company’s regular Forum representatives.

This invitation is for the Tuesday Validation Working Group meeting only, and does not extend to the Forum’s plenary sessions on Wednesday and Thursday.

All Interested Parties who want to participate should send their name and contact information (email address and phone, preferably) to Tim Hollebeek and Wayne Thayer, [tim-dot-hollebeek-at-digicert-dot-com and wthayer-at-mozilla-dot-com]. Tim and Wayne will provide you with additional details and logistics for participating in the meeting.

To become an Interested Party who is eligible to participate, before the meeting you must sign and return a copy of the Forum’s “Intellectual Property Rights Agreement-1.2-PKI-enabled” found here:

https://cabforum.org/ipr-policy/
https://cabforum.org/wp-content/uploads/Intellectual-Property-Rights-Agreement-1.2-PKI-enabled.pdf

Participants must also follow the Forum’s Code of Conduct found at Exhibit C of the Bylaws, https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.7.pdf

Thanks to all for your interest.

Kirk Hall, Chair
CA/Browser Forum

Validation Summit
Gerv and I have made, and the CA/Browser Forum has accepted a proposal to convene a "Validation Summit" on Tuesday March 6th during the next regularly scheduled CA/Browser Forum face-to-face meeting that will be held in the Washington DC area.

The intent of this summit is to perform an analysis of each of the "blessed 10" domain validation methods, identify weaknesses, and determine if each method needs to be improved or deprecated. You can find a proposed agenda at [1].

The CA/Browser Forum has agreed to invite security experts who have specialized knowledge of threat analysis and CA operations to participate, and I would like to extend that invitation to members of the Mozilla security community. It would be particularly helpful to have participants who have experience in the following areas:

1. Real-world experience with the validation procedures as they are currently practiced by public CAs
2. Experience with threat modeling, analyzing a variety of protocols, or other methods for rigorously analyzing processes and procedures for potential vulnerabilities
3. Deep technical expertise related to how validation-related technologies perform and/or fail in the real world (DNS, WHOIS, Domain Registrars, Reverse IP lookup, and so on)
4. Technical challenges that prevent various validation methods from being usable by a significant fraction of certificate applicants, and thus drive users towards less desirable methods
5. Automation of validation protocols (i.e. ACME)

Those putting their names forward should be prepared to adhere to the Code of Conduct [2] and to participate in a constructive discussion that remains focused on the topic at hand. If you would like to participate, you will be required to become an Interested Party [3] and sign the CA/Browser Forum IPR Agreement. [4] (Note: if your company is already a CA/Browser Forum member, please check with your representative)

If you intend to meet these requirements and attend the summit as an Interested Party, please email me (wthayer-at-mozilla-dot-com) so that I can get you added to the list of attendees and provide more information.

We do expect to have a remote attendance option available; however, given the size of the group, please be aware that it can be difficult to participate even when the audio quality is good. If you would like to attend in-person but require travel/accommodation sponsorship, please mention that in your email to me, along with a ballpark figure for costs (estimate the hotel as $122 per night).

Wayne

[1] https://cabforum.org/pipermail/public/2018-February/012908.html
[2] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.7.pdf (Exhibit C)
[3] https://cabforum.org/current-work
[3] https://cabforum.org/ipr-policy/