CA/Browser Forum

2020-08-20 Minutes of the Server Certificate Working Group

Attendees (In Alphabetical Order)

Present: Amanda Mendieta (Apple), Andrea Holland (SecureTrust), Andreas Hentschel (D-TRUST), Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com), Curt Spann (Apple), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Joanna Fox (GoDaddy), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), Kirk Hall (Entrust Datacard), Mads Henriksveen (Buypass AS), Mayur Manchanda (Visa), Michelle Coon (OATI), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE Foundation), Rae Ann Gonzales (Godaddy), Robin Alden (Sectigo), Ryan Sleevi (Google), Stephen Davidson (Digicert), Tim Callan (Sectigo), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority)

Minutes

1. Roll Call

The Roll Call was taken. Wayne noted that Dimitris was on vacation and that he would chair the call.

2. Read Antitrust Statement

The Antitrust Statement was read.

3. Review Agenda, assign minute taker

No changes to the agenda were noted. Neil Dunbar was assigned as minute taker. In the absence of volunteers, Wayne will take the minutes of the next meeting.

4. Approval of minutes from last teleconference

Wayne had updated the attendee list of the draft minutes, and the updated minutes were approved.

5. Validation Subcommittee Update

Tim Hollebeek provided the subcommittee update. Last Thursday, the team began work on the end-entity certificate profiles, working through the fields one by one in the order they appear in the Baseline Requirements. There was some initial discussion of several of the fields. That work will continue next week. Tim noted that the details are too long to summarize easily, so interested parties who wish to examine the work should consult the online spreadsheet or read the minutes of the subcommittee meetings. Wayne noted that the spreadsheet is linked from the wiki, under the Validation Subcommittee page.

6. NetSec Subcommittee Update

Neil provided the subcommittee update. Ballot SC34 on account management is prepared and ready for submission, although it has not yet been submitted to the full working group. We have begun some discussions on future plans for the NetSec Requirements, specifically whether and how cloud-based CA architectures can or should be supported, what policies stop them right now, and what would be needed to comply with such policies. This discussion is still preliminary and will go on for some time. The Offline CA discussion document has been refined: the exact terminology has been refined, following agreement reached at the last meeting, so that the pre-ballot is now ready for discussion. Submission to the main working group is expected in the next few days.

The Pain points team has noted the discussion on moz.dev.sec.pol regarding sites discovered to be engaged in phishing, and is discussing whether clarifications on 4.9.1.1 should be sought. No decision has been reached yet. An older proposal to address the remediation of critical vulnerabilities, per NSR Section 4(f), has been brought back. The team is trying to get clarity on when the 96-hour timeframe starts, which brought up further discussion on what the vulnerability scanning and penetration testing should entail and what systems they need to touch. More of this matter will be discussed in the meeting today.

7. Ballot Status

Neil reported that SC28 is still on heartbeat until ready to be considered per Dimitris’s request. Wayne asked if it would be opened for consideration in the next few weeks, and Neil replied that he hoped to do so.

There are no ballots in the voting period.

Wayne noted that SC30 (Disclosure of Registration and Incorporation Agencies) and SC31 (Browser Alignment) have completed their review period. These ballots are now final and the working group will produce new versions of the guidelines. In review is Ballot SC33 (TLS Using ALPN Method), which replaces validation method 10. The review ends on September 17th.

For draft ballots under consideration, Wayne asked Ryan for any comments on this draft. Ryan reported that the ballot was going to be started but there had been a slow trickle of corrections. Clint had provided some typographical corrections, which are being integrated, and Corey had also submitted some corrections. Ryan wanted to review the new document against the guidelines amended by SC30 and SC31, which Dimitris had attempted to merge in despite his vacation. After this review, the Spring cleanup ballot should be ready to start voting. Also to be discussed was the updating of BR 6.1.1.3; Wayne thought that the discussion was ballot ready at this point. Chris replied that they have language, but they are reviewing the SC30/SC31 changes; Chris’s ballot has changes to both sections 6.1.1.3 and 4.9.1.1, but some of the team reviewing the changes are on PTO, and they should be able to push forward once those members can look at the changes. Chris noted that the ballot language changes showed no major deviations between versions 1.7.0 and 1.7.1 of the BRs, but the authors wanted to perform final checks; they are confident that the ballot will be ready soon. Wayne noted the Offline CA Security Requirements. Ben was on the call but no update could be provided.

8. Any Other Business

There was no additional business.

9. Adjourn

The meeting was adjourned and will reconvene on September 3, 2020 at 11:00 am Eastern Time.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).