CA/Browser Forum

2019-05-02 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Antonio Perez (GoDaddy), Ben Wilson (Digicert), Chris Kemmerer (SSL.com), Dean Coclin (Digicert), Devon O’Brien (Google), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Frank Corday (SecureTrust), Geoff Keating (Apple), India Donald (US Federal PKI Management Authority), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Kenneth Myers (US Federal PKI Management Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michael Guenther (SwissSign), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden (Sectigo), Scott Rea (Dark Matter), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley (SecureTrust), Timo Schmitt (SwissSign), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).

Minutes

1. Roll Call

The Vice-Chair took attendance.

2. Read Antitrust Statement

The Antitrust Statement was read.

3. Review Agenda

The Agenda was approved.

4. Approval of minutes from F2F 46 and previous teleconference

The minutes from F2F 46 were approved and will be published on the public web site.

The minutes from the previous teleconference were approved and will be circulated to the public list.

5. Validation Subcommittee Update

Tim H. gave the update. There was a brief discussion for SC17 on the validation subcommittee call. There will be a new version coming up later today or tomorrow trying to resolve some parsing ambiguities due to the “hyphen” character. There will be at least one more version sent out before voting begins. The SC also discussed method 10 and Ryan was going to report on the status of the new ALPN RFC at IETF. The SC is also looking for a volunteer to draft a ballot for improving method 6.

6. NetSec Subcommittee Update

Ben gave the report. The SC is working on a draft ballot to improve the language of 1.h of the Network Security Requirements (the provision that discusses monitoring and detection of issues in logs) and to move it to another section that is more suitable for monitoring and alerting.

There was discussion about differences between online and offline CAs which should probably be taken into account and resolved before trying to work on 1.h.

Another ballot concerns log integrity and integrity controls. The SC has concerns about the “human review” factor and wants to focus more on automated tools and de-emphasize the human review element.

The SC also intends to reorganize the framework used for the NetSec requirements, creating some high-level statements and then expanding them into more granular statements. Six major principles need to be followed:

  1. Implementing an information security program (which should be based on other industry standards), with an annotated section that cross-references other standards as examples.
  2. Trusted roles (properly vetted), with some expectations attached.
  3. Maintaining secure networks and CA systems, which has about 10 controls currently associated with it.
  4. Strong access control measures, which has about 10-15 controls currently associated with it.
  5. Monitoring and testing networks and systems, including logging and alerting.
  6. Vulnerability scanning and patch management, currently in section 4 of the Network Security Requirements.

Wayne asked if this was going to be one big ballot and Ben responded that it would need to be broken down to smaller ballots.

7. Ballot Status

Ballots in Discussion Period

Ballot SC17: Alternative registration numbers for EU certificates (Tim H.): No additional comments were made.

Ballots in Voting Period

None

Ballots in Review Period

Draft Ballots under Consideration

Improvements for Method 6, website control (Tim H.): No additional comments were made.

8. Any Other Business

None.

9. Next call

May 16, 2019 at 11:00 am Eastern Time.

Adjourned
