CA/Browser Forum

2018-07-26 Server Certificate Working Group Minutes

Attendees: Arno Fiedler (D-TRUST), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Bruce Morton (Entrust), Cecilia Kam (GlobalSign), Christopher Kemmerer (SSL.com), Corey Bonnell (Trustwave), Daymion Reynolds (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Frank Corday (Trustwave), India Donald (FPKI), Joanna Fox (GoDaddy), Jos Purvis (Cisco), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Marcelo Silva (Visa), Michele Coon (OATI), Neil Dunbar (Trustcor), Patrick Tronnier (OATI), Peter Miscovic (Disig), Rich Smith (ComodoCA), Shelley Brewer (DigiCert), Tim Hollebeek (DigiCert), Tim Shirley (Trustwave), Trevoli Ponds-White (Amazon), Virginia Fournier (Apple), Wendy Brown (Federal PKI).

  1. Roll Call. The roll call occurred on the previous Forum teleconference.
  2. Read Antitrust Statement. Reading of the Antitrust Statement occurred on the previous Forum teleconference.
  3. Review Agenda. Agenda was approved.
  4. Approval of Minutes of teleconference of July 12, 2018. The Minutes were approved, and will be posted to the Public list.
  5. Confirmation of new SCWG Members, Associate Members, and Interested Parties since July 12 SCWG teleconference. Kirk noted that the SCWG had approved an initial list of Members, etc. during its July 12 teleconference, and that he had sent an email to Members on July 24 listing additional Members and Interested Parties who appear to qualify for the SCWG and now asked if there were any objections. There were no objections. Accordingly, the current list of Members, Associate Members, and Interested Parties of the Server Certificate Working Group is as follows:
  • CA MEMBERS: AC Camerfirma, AC Firmaprofessional, Actalis, Amazon, ASSECO, Buypass, Certigna, Certinomis, certSIGN, CFCA, Chunghwa Telecom, Comodo CA Ltd., Comsign (Comda), D-Trust, DigiCert, Digidentity, Disig, a.s., E-Tugra, Entrust Datacard, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, Kamu Sertifikasyon Merkezi, KPN, Let’s Encrypt, Logius PKIoverheid, NCDC, Network Solutions, OATI CA, První certifikační autorita, a.s., QuoVadis, Secom Trust Systems, SHECA, SK ID Solutions AS, SSC, SSL.com, SwissSign, TrustCor Systems, Trustwave, TURKTRUST Inc., TWCA, Visa
  • BROWSER MEMBERS: Apple, Brave, Cisco, Comodo Security Solutions, Inc., Google, Microsoft, Mozilla, Opera Software AS, 360
  • ASSOCIATE MEMBERS: ACAB’c, CPA Canada, ETSI (Letter of cooperation), ICANN, tScheme, U.S. Federal PKI Management Authority
  • INTERESTED PARTIES: Individuals: Andrew Ayer, James Burton, Christopher Czajczyc, Arno Fiedler, Benedikt Heintel, Carl Mehner, Eric Mill, Patrick Nohe, Scott Rea, Jonathan Rudenberg, Quirin Scheitle
  • Organizations: Accredited Conformity Assessment Bodies’ Council (ACAB’C), Certizen, CloudFlare, Dark Matter, Electronic Frontier Foundation (EFF), K Software LLC, KPMG AG, Leader Telecom BV, PrimeKey, PSW Group GmbH
  6. Term of Office for new SCWG officers. This topic was covered in the preceding Forum teleconference. New two-year SCWG officer terms will begin Nov. 1, 2018, and there may be a ballot to extend the current SCWG officer terms by 10 days, through Oct. 31, 2018, so there is no gap. Nominations for SCWG Chair will be open on August 9.
  7. Procedure for creating Subcommittees; Drafting Ballots to establish Validation, Network Security, and Certificate Policy (aka Policy Review) Subcommittees. Kirk said that the Doodle poll had favored creation of new Subcommittees by SCWG ballot, and asked Ben, Dimitris, and Tim if they could formulate ballots for the Validation, Network Security, and Policy Review Subcommittees. Wendy asked if Network Security issues should be in a SCWG Subcommittee or instead in a new Working Group that covered all other Working Groups. Tim said this had been discussed in the Governance Change Working Group when drafting Ballot 206, including options such as working on Network Security issues at the new Forum level itself, or in its own Working Group. Dimitris said that at the London F2F the tentative decision was to handle Network Security issues first in a Subcommittee of the SCWG, and then later move the Network Security work to its own working group when needed. Tim and Ben agreed to set up a Doodle poll to check the preference of the Members – putting Network Security issues in a Subcommittee of the SCWG or its own new Working Group.
  8. Plan for moving from Public to SCWG list. Kirk noted that Ben, Dimitris, Jos, Tim, Daymion, and Wayne have been working on a plan for creating and populating new mailing lists for the SCWG, and asked for an update and recommendations. Ben said the plan circulated by Dimitris was comprehensive, and Dimitris gave a brief description. Under the proposal, each Member, Associate Member, and Interested Party would be asked to designate its representatives to the Forum with posting privileges, by name and email address, which would be documented somewhere. We would try to do all administration of the list and wiki automatically by writing scripts to centrally manage this and ease the administrative burden. When a request is made to add or remove someone from the list, some form of warning or flag would be sent to the Chair and Vice Chair for review and approval. Kirk liked the automation concept and was already working on getting Associate Members to list their representatives, but asked what extra value would be added by also requiring Members to list their representatives – wouldn’t it be sufficient just to give Members the ability to add or remove their representatives from the list and wiki access directly? He was worried that over time the representatives lists could deviate from the actual access lists. Dimitris said some form of declaration of Member representatives was needed – just because a person posts or votes with an email suffix that looks like a Member’s, it doesn’t mean the person has been authorized by the Member. However, the two lists (the representatives list and the mail/wiki access list) could be linked by automation so changes to either would be automatic and the lists would stay synched. Virginia asked what would happen if the normal Member representatives were on vacation, and the Member wants someone else from the organization who was not on the list to vote on a Ballot or cover a meeting, etc.?
     Dimitris said an existing Member representative could just send an email notification to the Chair and Vice Chair. If a normal representative were on vacation and wanted other representatives to attend a meeting, they would still have access to the teleconference IDs and WebEx links from their colleague. The proposal addresses only access to the wiki and mailing lists. Ben said that for a new person to get involved, he or she needed to be on the lists already with posting ability, which effectively designates them as representatives. Kirk asked the team if all Member representatives of the SCWG were on the SCWG list now (identical to the Public list), and would receive any message posted to the SCWG list. Ben described what had been done to date, but the answer was no – not every Member representative on the Forum’s Public list would currently receive messages sent to the SCWG list. He needs to know which representatives each Member wants on the new SCWG list, and whether each should have posting ability, or not. Dimitris said his proposal would have a stated effective date, such as September 1 – by then, each Member must document its representatives, and each will be added to the SCWG list. Kirk asked for a present recommendation on where to post matters relevant to the SCWG – on the Forum’s Public list, on the SCWG list, or double-post. Dimitris recommended double-posting for now.
  9. Ballot Status. Kirk noted that the voting period for Ballot SC2 covering new domain validation methods had just closed, and the ballot had failed because only 50% of the voting browsers had voted in favor of the ballot – the Bylaws require more than 50%. However, 20 CAs had voted in favor, and no CAs were opposed. Kirk asked the proponents if they planned to come back with a revised Ballot. Tim said he will propose a new Ballot and will ask Members to state what their security concerns are in an explicit and documented way so they can be publicly addressed in the Ballot. Tim also gave an update on Ballot SC3, and said that Microsoft’s prior concerns had been addressed. He requested that anyone else with questions about Ballot SC3 please post them to the list now.
  10. Any Other Business. There was no other business.
  11. Next call: August 9, 2018
  12. Adjourn