7.6.1 Server Key Certificate Chains

When a client i joins a meeting, the Zoom server signs a statement Sigi Server indicating that the client’s userID, hardwareID, and IVK are authorized. userID and hardwareID are non-cryptographic identifiers used by the Zoom server to distinguish between users and devices. We use certificate pinning to strengthen the security of the server signature. Zoom clients will ship with a DigiCert root certificate and they only trust certificates authorized for a specific Zoom domain via a certificate chain originating from the pinned DigiCert root. Hardware Security Modules (HSMs) are used to manage keys for an internal intermediate CA, which will in turn attest to the servers’ signing keys. Server keys are valid for a week and are rotated daily. In order to detect certificate revocation in the event of CA or server compromise, clients require stapled OCSP responses on the intermediate certificates they receive. These signatures help protect against MitMs injecting users into the meeting. This feature was released in version 5.7.0 (see Appendix A).