CA/Browser Forum
Home » All CA/Browser Forum Posts » 2020-09-03 Minutes of the Server Certificate Working Group

2020-09-03 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Amanda Mendieta (Apple), Ben Wilson (Mozilla), Bruce Morton (Entrust Datacard), Clint Wilson (Apple), Corey Bonnell (SecureTrust), Chris Kemmerer (SSL.com), Curt Spann (Apple), Daniela Hood (GoDaddy), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Huo Haitao (Halton) (360 Browser), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (GoDaddy), Johny Reading (GoDaddy), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), Kirk Hall (Entrust Datacard), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Mads Henriksveen (Buypass AS), Mayur Manchanda (Visa), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Peter Miskovic (Disig), Rae Ann Gonzales (Godaddy), Rebecca Kelley (Apple), Robin Alden (Sectigo), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).

Minutes

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The Antitrust Statement was read.

3. Review Agenda

No changes to the agenda were noted. It was noted that Wayne Thayer volunteered to take minutes for this meeting. Dimitris will take the minutes for the next call.

4. Approval of minutes from last teleconference

Accepted without objections.

5. Validation Subcommittee Update

Wayne said that the subcommittee continued discussions of the end-entity certificate profile on the past call. EKU was discussed, as was the remainder of the profile. Then discussion shifted to remaining work and Subject distinguishedNames. Issues with validating the stateOrProvinceName were discussed, as were concerns over the organizationalUnitName field.

Tim said that he will not be able to attend next week’s call.

6. NetSec Subcommittee Update

Neil said that two ballots are in process. We have feedback from Ryan and Wayne on SC34 (Account Management) on GitHub and are planning to address it. SC28 has just begun voting. We have created a discussion document for using cloud services for hosting CA services. This will not result in any immediate ballots, but will feed into future changes. Meeting today to model threats. This relates to the dropped zones ballot, shifting from physical to logical zones.

Ben said that we’re still trying to finalize the offline CAs ballot. Have replaced ‘offline’ with ‘air gapped’. Bruce commented that we should populate the Trusted Roles section in the BRs with some of the info in the NCSSRs. We’re still trying to determine how to best structure the document. If parts of the NCSSRs are incorporated into the BRs it makes it more difficult for other WGs such as code signing to rely on them. This will also be discussed on the call today.

Dimitris said that the original consensus was for individual WGs to decide to adopt parts of the NCSSRs as they wish, then if we determine that there is seen to be a need for a shared common set of NCSSRs in the future we can discuss it.

Ben: There is a threat modeling group meeting today at 1 PM EST. If anyone with expertise has time to participate, please let us know and they will be invited.

7. Ballot Status

Ballots in Discussion Period

SC28 (Logging and Log Retention)

Neil said that he began voting today.

Ballots in Voting Period

SC35 (Spring 2020 cleanup and clarifications (Ryan)

Voting began yesterday.

Ryan: Ben pointed out that there are more cleanups needed. Went ahead with voting on this knowing that there will be more cleanup ballots. This ballot includes important clarifications to the use of policy OIDs that are needed and that CAs should be aware of

Ballots in Review Period

SC33 (TLS ALPN Method) Review period ends Sept 17.

Draft Ballots under Consideration

Minimum expectations regarding weak keys Chris: Posted proposed ballot language to the list this morning SC32 (Offline CA Security Requirements)

Ben: no updates

SC34 (Account Management)

Toby said that he has no updates beyond what Neil said earlier about the feedback received on GitHub.

8. Any Other Business

No other business was discussed.

9. Next call

The next call will take place on September 17, 2020 at 11:00am Eastern Time.

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).