CA/Browser Forum
Home » All CA/Browser Forum Posts » 2019-10-03 Minutes of the Server Certificate Working Group

2019-10-03 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Ben Wilson (Digicert), Bruce Morton (Entrust Datacard), Chris Kemmerer (SSL.com), Daniela Hood (GoDaddy), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Gordon Bock (Microsoft), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Janet Hines (SecureTrust), Jos Purvis (Cisco Systems), Kenneth Myers (US Federal PKI Management Authority), Kirk Hall (Entrust Datacard), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Timo Schmitt (SwissSign), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).

Minutes

1. Roll Call

The Chair took attendance.

2. Read Antitrust Statement

The Antitrust Statement was read.

3. Review Agenda

No changes to the agenda.

4. Approval of minutes from previous teleconference

The minutes from the previous teleconference were approved and will be circulated to the public list.

5. Validation Subcommittee Update

The subcommittee did not meet since the last meeting so there was no update.

6. NetSec Subcommittee Update

Ben reported that SC21 is in the final stage of voting. He mentioned that some of the sub-groups met last week and they continue drafting ballots. Dimitris asked about SC20 and if there is any further progress and Ben said the sub-group is working on that and will update the ballot soon.

Ryan expressed some concerns about the reporting and communication of these sub-groups and the NetSec subcommittee to the larger WG in terms of the broad set of problems they are working on. It seems there were very interesting discussions during the preparation of SC21 which weren’t communicated all the way to the WG. It would be sufficient if these discussions were somehow communicated through the minutes of these subcommittee calls so that Members have a better understanding about the rationale of some recommended changes proposed in ballots. It would be nice if the Subcommittee was able to describe a set of problems they are trying to solve and how they are trying to solve these problems. That would be helpful for any ballot, not just for this subcommittee.

Tobi mentioned that in the introduction of SC20 the subcommittee tried to add language about the motivation and the problems they are working on. Tobi explained some of the difficulties in explaining what it means to have certain requirements for “configurations” and try to add language which attempts to give an “impression” of what constitutes a “configuration” and what does not.

Ryan clarified that he sees value in updates. He would like to see which updates are intentional (and linked to the problem we are trying to solve) and which ones are not and might create additional ambiguities. He gave an example of the ballot that removed validation methods 1 and 5 where Jeremy Rowley from Digicert gave a concrete example of the problem and suggested a solution. In any case, when a topic moves to the Working Group level, any pointers to previous subcommittee or sub-group discussions would be useful so that Members can get a clear understanding of the stated problems and the proposed solutions, in order to avoid possible new ambiguities from being accidentally introduced.

Dimitris recommended that it would be very useful if Ben could collect a summary of updates from the sub-groups that he could use to report back to the larger group. Tobi mentioned that some sub-groups have detailed minutes and Dimitris explained that it would be better to have aggregated minutes to be reported for the larger group teleconferences.

Tobi continued to discuss about SC21 and mentioned that in some cases it is hard to see or understand the angle/point of view of members not participating on the calls. Dimitris reminded that SC21 did not remove any of the previous controls but just added some automation options. Ben mentioned that the language proposed in SC21 was reorganized and that the subcommittee could provide more emphasis on the “continuous monitoring” element that the group had discussed and all the benefits from that. Ben also mentioned that in these meetings, Tim Crawford (auditor) explained how adding language for “f.” around monitoring the archival and retention of logs would require additional review by auditors and preparation by CAs that have processes in place to monitor the archival and retention. The previous language was only about maintaining archival and retention but now it includes the element of “monitoring” which is an additional requirement.

Ryan clarified that the expectation is not to include all the detailed discussions in the ballot introduction. It seems there were fascinating discussions (hearing from auditors, hearing from CAs on the challenges to implement these proposed changes and confusions with their auditors) in the subcommittee around SC21 that should be captured in minutes and these minutes could be referenced as pointers in the ballot introduction. He emphasized that real world cases would be extremely useful to be captured in minutes.

7. Ballot Status

No further discussion.

Ballots in Discussion Period

None

Ballots in Voting Period

SC21 Ballot (NSR 3): Log Integrity Controls (Ben)

Ballots in Review Period

None

Draft Ballots under Consideration

Improvements for Method 6, website control (Tim H.) No additional comments _ SC20 Ballot (NSR 2): System Configuration Management_ No additional comments

LEI Ballot (Tim H.)

Precertificates and OCSP (Wayne) Wayne explained that in order to understand this ballot one would have to go back and read the public discussions in m.d.s.p. mailing list. The problem is that section 7.1.2.5 in the BRs explicitly states that a pre-certificate is not a Certificate and it’s unclear what needs to happen in terms of OCSP. This ballot is trying to clarify the interpretation so that, as Rob Stradling from Sectigo said, some CAs would not be stuck violating certain policies because these policies have a conflict. Wayne mentioned that he has two endorsers and will initiate the review period soon.

8. F2F 48 Agenda

The draft agenda is up on the wiki. Dimitris said that other than the typical slots we have no special topics to discuss. He reminded participants that the F2F meetings are a great opportunity to discuss in person some of the more controversial topics which are difficult to resolve via the mailing lists. Members are requested to check and propose new items to discuss at the F2F.

9. Any Other Business

Dimitris sent out an email to the management list for the photo policy. It would be a topic to discuss at the F2F and hopefully by the end of that meeting the Forum would have a clear way forward.

10. Next call

October 17, 2019 at 11:00 am Eastern Time.

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).