CA/Browser Forum
2020-07-23 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Chris McMillan (Visa), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Huo Haitao (Halton) (360 Browser), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Janet Hines (SecureTrust), Jeff Ward (CPA Canada/WebTrust), Joanna Fox (GoDaddy), Johny Reading (GoDaddy), Karina Sirota (Microsoft), Michelle Coon (OATI), Michol Murray (GoDaddy), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Peter Miskovic (Disig), Rae Ann Gonzales (Godaddy), Rich Smith (Sectigo), Robin Alden (Sectigo), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Thanos Vrachnos (SSL.com), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Travis Graham (GoDaddy), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).

Minutes

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust Statement was read.

3. Review Agenda

No changes to the agenda were noted. Dimitris will not chair for the next two calls; no volunteers for minute taking.

4. Approval of minutes from last teleconference

Accepted without objections.

5. Validation Subcommittee Update

Tim reports he will not be available in the next SCWG call either and that in turn somebody else may have to report.

Recently, the Validation Subcommittee has spent time going over the Trello board re-assessing issues they have not reviewed for a while. Some were closed, some were moved on the board and some were updated with information.

The Subcommittee has also looked at the GitHub facilities for managing issues; it is similar to the Trello solution. It looks like GitHub’s facilities are in line with the Subcommittee’s needs, so the Subcommittee may move from Trello to GitHub. As a next step, somebody needs to actually transfer the issues from Trello to GitHub, active issues first, backlog later.

The Subcommittee will get back to the certificate profiles in next week’s meeting.

6. NetSec Subcommittee Update

The NetSec Subcommittee has received a request to not currently bring more ballots to vote. The Subcommittee has multiple work items nearly ready to be brought forward as Ballots, but will discuss the request in the meeting later on the same day, as pushing them forward may not make sense if people do not currently have enough capacity for Ballot review.

SC28 will thus stay in “heartbeat mode” for now. SC32 is being worked on further to address input received. The “System Access” Draft Ballot has gone back to the Pain-Points subteam to improve the explanation/motivation section, but not the Ballot content; the same applies to the “Authentication Controls” Draft Ballot, which tries to address the Lockout issue.

The Offline CAs Draft Ballot is still being commented on within the Subcommittee, so there may be one more round of discussions required before we could put it forward.

The Threat Modelling subteam has updated the risk analysis document to include further examination of risks posed by CA equipment custody handling.

7. Ballot Status

Ballots in Discussion Period

SC28 (Logging and Log Retention)

Dimitris: SC28 is in heartbeat process.

Neil: Basically we propose new versions without changes so that the ballot does not expire since we do hold off from calling for a vote.

Ballots in Voting Period

None

Ballots in Review Period

SC30 (Disclosure of Registration/Incorporating Agency)

SC31 (Browser Alignment)

Dimitris: We have two ballots in the review period, Ballots SC 30 and SC 31, review periods end August 20. I will post the final maintenance guidelines after that. I want to highlight that these ballots contain a few deadlines and effective dates that will become effective not relative to when the ballots themselves become effective, so CAs should be aware of those.

Draft Ballots under Consideration

_Spring 2020 cleanup and clarifications_ (Ryan)

No updates

Update to BR section 6.1.1.3

Chris: We got some internal discussion about this, including discussion of whether to include compromised as well as weak keys, and we are debating this in-house. In any case, the draft language will be posted this day or the next.

Dimitris: SC 31, which is in review period, also changes Section 6.1.1.3 of the Baseline Requirements, which means this needs to be considered when bringing the Ballot.

_Offline CA Security Requirements_ (Ben)

Dimitris invites Ben to share information regarding the Offline CA Security Requirements Draft Ballot.

Ben: We just need to get endorsers, and a Ballot number, and that is what we are working on right now, we will discuss it in the NetSec Subcommittee.

_Updating BR 3.2.2.4.10_ (Wayne)

Wayne: I have not moved any further with this Ballot and I have a question about the request not to bring any more ballots into discussion period, is this meant for all of August, is this specific to some of the more complex Network Security related Ballots?

Dimitris: Since I originally asked for this – I meant the more complex ballots.

Wayne: In that case, the language is about finalized and we just need endorsers to start the Discussion Period.

8. Any Other Business

No other business was discussed.

9. Next call

The next call will take place on August 6, 2020 at 11:00am Eastern Time.

Adjourned

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).