**Session Date/Time:** 04 Nov 2024 17:30

# STIR Meeting Minutes

## Summary

This meeting covered two main topics: Short-Lived Certificates and Transparency initiatives, including Certificate Transparency (CT) and the Vesper framework. The discussion on short-lived certificates focused on backwards compatibility and the inclusion of the root certificate in the certificate chain. The transparency discussion centered on the Vesper framework, exploring potential use cases, scope creep concerns related to identity vetting, and the applicability of Selective Disclosure JWTs (SDJWTs) in the context of STIR. The area director suggested halting adoption calls and instead focusing on clarifying use cases and revising the charter.

## Key Discussion Points

* **Short-Lived Certificates (X5C/X5U):** Debate centered on whether a redundant X5U (URL pointer to the certificate) should be mandatory alongside the now mandatory X5C (certificate by value). Concerns about backwards compatibility with older STIR/SHAKEN implementations were raised.
* **Short-Lived Certificates (Certificate Chain):** Discussion focused on whether the root certificate should be excluded from the certificate chain in X5C. Arguments from TLS (root cert in trust store) were presented.
* **Certificate Transparency (CT):** Clarified that verification services do not need to query transparency logs directly. The Signed Certificate Timestamp (SCT) is included in the certificate. Monitors and auditors use logs. Revocation is handled out of band.
* **Vesper Framework (General):** Introduced as a potential extension to the STIR architecture focused on vetted identities and consent, addressing the limitations of self-assertion. Concern was expressed about potential scope creep, expanding beyond the initial threat model of STIR.
* **Vesper Framework (Right to Use Claim):** Separating 'right to use' verification from other Vesper functionality was proposed. This would allow verification that an enterprise can use a number without having to invest in everything else.
* **Vesper Framework (Selective Disclosure):** Questioned whether the functionality provided by selective disclosure is a meaningful addition to STIR. Existing use cases around 'call reason' were debated. Selective disclosure introduces complexity.
* **Vesper Framework (SDJWTs):** The role of Selective Disclosure JWTs and the three-party model were heavily debated.

## Decisions and Action Items

* **Short-Lived Certificates:**
    * Update the draft to state that the root certificate SHOULD be excluded from the certificate chain.
    * Clarify text regarding the interplay of X5C and X5U (non-normative).
    * Submit the document by tomorrow for last call.
* **Vesper Framework/Certificate Transparency:**
    * Do not make an adoption call now for either document.
    * Engage in discussion clarifying the use cases, threat model, and requirements being addressed.

## Next Steps

* **Short-Lived Certificates:** Submit updated draft for last call.
* **Vesper/CT:** Engage in requirements gathering and charter revision efforts. Focus on clarifying the use cases and scope of each initiative. The conversation will be taken to the list.