CA/Browser Forum
Home » All CA/Browser Forum Posts » 2019-05-02 Minutes of the Server Certificate Working Group

2019-05-02 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Antonio Perez (GoDaddy), Ben Wilson (Digicert), Chris Kemmerer (SSL.com), Dean Coclin (Digicert), Devon O’Brien (Google), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Frank Corday (SecureTrust), Geoff Keating (Apple), India Donald (US Federal PKI Management Authority), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Kenneth Myers (US Federal PKI Management Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michael Guenther (SwissSign), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Peter Miskovic (Disig), Rich Smith (Sectigo), Robin Alden (Sectigo), Scott Rea (Dark Matter), Shelley Brewer (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tim Shirley (SecureTrust), Timo Schmitt (SwissSign), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).

Minutes

1. Roll Call

The Vice-Chair took attendance

2. Read Antitrust Statement

The Antitrust Statement was read

3. Review Agenda

The Agenda was approved.

4. Approval of minutes from F2F 46 and previous teleconference

The minutes from F2F 46 were approved and will be published on the public web site.

The minutes from the previous teleconference were approved and will be circulated to the public list.

5. Validation Subcommittee Update

Tim H. gave the update. There was a brief discussion for SC17 on the validation subcommittee call. There will be a new version coming up later today or tomorrow trying to resolve some parsing ambiguities due to the “hyphen” character. There will be at least one more version sent out before voting begins. The SC also discussed method 10 and Ryan was going to report on the status of the new ALPN RFC at IETF. The SC is also looking for a volunteer to draft a ballot for improving method 6.

6. NetSec Subcommittee Update

Ben gave the report. The SC is working on a draft ballot to improve the language of 1.h of the network security requirements (the one that discusses about monitoring and detection of issues in logs). Move it in another section that is more suitable for monitoring and alerting.

There was discussion about differences between online and offline CAs which should probably be taken into account and resolved before trying to work on 1.h.

Another ballot which is about log integrity and integrity controls. The SC has concerns about the “human review” factor and try to focus more on automated tools and DE-emphasize the human review element.

Reorganize the framework using for the NetSec requirements, creating some high-level statements and then expanding to some granular statements. 6 major principles that need to be followed:

  1. implementing an information security program (should be based on other industry standards) annotated section which will cross-reference other standards as examples.
  2. discussion about trusted roles (properly vetted) with some expectations
  3. maintain secure networks and CA systems, which has about 10 controls currently associated with it.
  4. strong access control measures, which has about 10-15 controls currently associated with it.
  5. monitoring and testing networks and systems, logging and alerting
  6. vulnerability scanning and patch management, currently in section 4 of the Network Security Requirements.

Wayne asked if this was going to be one big ballot and Ben responded that it would need to be broken down to smaller ballots.

7. Ballot Status

Ballots in Discussion Period

Ballot SC17: Alternative registration numbers for EU certificates (Tim H.): No additional comments were made.

Ballots in Voting Period

None

Ballots in Review Period

Draft Ballots under Consideration

Improvements for Method 6, website control (Tim H.)No additional comments were made.

8. Any Other Business

None.

9. Next call

May 16, 2019 at 11:00 am Eastern Time.

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).