CA/Browser Forum
Home » All CA/Browser Forum Posts » 2019-04-04 Minutes of the Server Certificate Working Group

2019-04-04 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Arno Fiedler (D-TRUST), Ben Wilson (Digicert), Chris Kemmerer (SSL.com), Daymion Reynolds (GoDaddy), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Fotis Loukos (SSL.com), Frank Corday (SecureTrust), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Kirk Hall (Entrust Datacard), Marcelo Silva (Visa), Michael Guenther (SwissSign), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Rich Smith (Sectigo), Scott Rea (Dark Matter), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley (SecureTrust), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).

Minutes

1. Roll Call

The Chair took attendance

2. Read Antitrust Statement

The Antitrust Statement was read

3. Review Agenda

The Agenda was approved.

4. Pending minutes from F2F 46

The minutes from F2F 46 are almost complete. Dimitris sent a reminder to a few minute-takers that haven’t added the minutes of some sessions and will send another reminder on Friday April 5th.

5. Validation Subcommittee Update

The Validation Subcommittee had a quick call and discussed the results of the F2F and priorities. The next two things the SC will work on is Ballot SC5 which is a phone validation method (Doug is working on that), and ballot SC6 (still looking for someone to work on it). Also the TLS ALPN ballot is on hold until the RFC is finalized.

6. NetSec Subcommittee Update

Ben reported that the subcommittee had a call and will have another one after this one. The SC looked at the F2F minutes and focused on the discussions on the pain points and what the process should be to address the 9 items on that list. This sub-group meets every Monday. 2 items will be addressed by the Authentication and Access Control sub-group. There was also another sub-group meeting for the document restructure that went through the PCI-DSS framework. The threat modelling group is planning a call today.

Dimitris proposed that if these sub-groups meet regularly, we should probably add these meeting slots on the wiki section where all meetings are listed. Ben agreed and will follow-up to add this information on the wiki.

7. Ballot Status

Ballots in Discussion Period

_Ballot _SC17: Alternative registration numbers for EU certificates (Tim H.)Dimitris mentioned that there were some comments posted related to ballot SC17 and he and Tim are trying to address those comments. He is working with Tim to create a version 3 addressing as many comments/concerns as possible. Tim has been traveling the past weeks so the ballot update is moving slower than usual.

Some of the changes include: – formatting improvements – moving the alternative encoding of the subject:organizationIdentifier value to an extension instead of a separate subject Distinguished Name field – making the alternative encoding a recommendation (SHOULD) in the beginning and a requirement (SHALL) after 12 months so that CAs have time to properly adjust their CA software to accommodate this extension along with the organizationIdentifier subjectDN attribute.

As soon as Tim is able to review the latest updates, a new version will be distributed to the public list. Finally, the name of the ballot will probably need to be changed because it doesn’t only support “EU” Certificates but identifiers outside EU as well.

Ballots in Voting Period

None

Ballots in Review Period

Ballot SC16: Other Subject Attributes (Wayne)

Draft Ballots under Consideration

Improvements for Method 5, Phone Contact with DNS CAA Phone Contact (Doug) _ No additional comments were made.

Improvements for Method 6, website control_ (Tim H.)No additional comments were made.

8. Harmonization of WebTrust and ETSI with SCWG Guidelines

Dimitris asked if there is an official process to inform WebTrust or ETSI when a new version of the Guidelines is published, so they can be added in the update process of the corresponding standards of these two organizations. Especially the latest BRs version 1.6.4 incorporates 3 ballots and introduces significant changes. It appeared that there is no such process and these organizations monitor the updates of the Forum guidelines and try to incorporate these changes in their next update cycle.

Dimitris recalled having heard about a maximum duration (not expressed as a requirement but as a best effort expectation) for how long it takes for a version of the Guidelines to be incorporated in the relevant standard by WebTrust and ETSI.

Arno responded that there is no official process because it depends on the requirement. ETSI has an update process which may take between days, weeks, months. He believes that defining a timeframe is quite difficult. Dimitris asked if it would be reasonable to set a timeframe based on past experience (e.g 6, 9, 12 months). Arno mentioned that ETSI has been collaborating with the forum for the past 10 years and doesn’t understand why we should put additional burden on WebTrust and ETSI. There is also a chance that a requirement from the Forum is not accepted by WebTrust or ETSI, it is a possibility. He prefers to leave things as they are today.

Wayne recalled some previous conversations on this topic and at one point it was suggested that the BRs are updated in certain times of the year and there were pros and cons on the decision of doing that or not. He recommended that if we want to go down that road, we should look back to previous minutes.

Dimitris clarified that he added this slot to make sure he is following some expected notification process and it seems there is no official notification process which means that WebTrust and ETSI will pick up the latest versions on their own. He still thinks it is a good idea to notify the liaisons whenever a Guideline document is updated.

Mike Reilly recommended that we review the minutes from the Taipei meeting (F2F 42) where this particular topic was discussed.

9. Any Other Business

None.

10. Next call

April 18, 2019 at 11:00 am Eastern Time.

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).