CA/Browser Forum

2020-10-01 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Adrian Mueller (SwissSign), Amanda Mendieta (Apple), Ben Wilson (Mozilla), Bruce Morton (Entrust), Clint Wilson (Apple), Daniela Hood (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), India Donald (US Federal PKI Management Authority), Janet Hines (SecureTrust), Jeff Ward (CPA Canada/WebTrust), Jos Purvis (Cisco Systems), Julie Olson (GlobalSign), Karina Sirota (Microsoft), Kirk Hall (Entrust), Li-Chun Chen (Chunghwa Telecom), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Patrick Nohe (GlobalSign), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Rich Smith (Sectigo), Ryan Sleevi (Google), Shelley Brewer (DigiCert), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thanos Vrachnos (SSL.com), Tim Callan (Sectigo), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority).

Minutes

1. Roll Call

The Roll Call was taken.

2. Read Antitrust Statement

The antitrust statement was read. The working group expressed its gratitude to Robin Alden (“the voice of the antitrust statement”) for his years of service both to Sectigo and to the CABF and SCWG, as he is retiring this year.

3. Review Agenda

Dimitris reviewed the agenda; no changes were identified. Minute-taker for the next call will be Dimitris.

4. Approval of minutes from last teleconference

Accepted without objections.

5. Validation Subcommittee Update

Tim Hollebeek presented. The committee continued discussion of the SubjectDN field for various certificate types. They’re most of the way through the field, but more discussion is needed around these DNs and other fields in the certificate profile.

Subcommittee minutes: https://lists.cabforum.org/pipermail/validation/2020-September/001564.html

6. NetSec Subcommittee Update

Neil presented. They are still trying to get feedback on SC34 (account management) around the GitHub comments posted a few weeks ago. The Threat Modeling group met a few weeks ago to review the network zones ballot, looking for feedback from network engineers, and got some good feedback from Clint and others around the need for communications and protection. An impromptu discussion started around when the NCSSRs are considered “complete” and what the end goals might be. Discussions continued around extending CA operations into the cloud and what cloud operators might be able to do better (automation, verification, etc.). The group is not trying to boil the ocean, but is instead looking at some specific use cases and will then develop NCSSR updates around those.

Questions:

Ryan Sleevi (Google): Google is a bit concerned with some of the directions you described. Would it be possible to set out where the group is considering pursuing? In particular, the move from physical to logical security and considerations around cloud security are both interesting and concerning. Could NetSec lay this out during F2F in terms of both agenda and work direction?

Neil: Understood! Yes.

Subcommittee minutes: https://lists.cabforum.org/pipermail/netsec/2020-September/000404.html

7. Ballot Status

Ballots in Discussion Period

None.

Ballots in Voting Period

None.

Ballots in IPR Review Period

SC28: Logging and Log Retention (Review ends October 14, 2020)

SC35: Cleanups and Clarifications (Review ends October 14, 2020)

Draft Ballots under Consideration

Minimum expectations regarding weak keys (Chris)

Chris was not on the call, but Thanos presented updates: We have taken back the community comments thus far and are going to reply with an update/official status very soon. We are not yet ready to provide a final update (need to discuss more with our engineers), but will at least have an official update soon.

Offline CA Security Requirements (Ben): No updates.

Remove “zone” from NCSSRs and add provisions to BR 5.1 (Ben): No updates.

SC34 Account Management (Tobi): No updates.

8. Topics for the next virtual F2F

Dimitris sent out a draft agenda for the F2F to the public and management lists. Dean is discussing guest speakers and will need slots for those to be announced later. Dimitris will send messages to subcommittee chairs to request time estimates for discussions on Tuesday (subcommittee & WG day). We will not be spending full days as with a physical F2F; instead we will try to keep things short as with the previous virtual F2F. If members have any topics or special challenges, they’re asked to email Dimitris or respond on the list, as they see fit.

Daniela Hood (GoDaddy)> In the past, we have discussed the conference session times. Should we change times for this? Have we discussed it?

Dimitris> The group seems to prefer to keep the same as the last virtual F2F, which was scheduled to try and minimize time-zone issues.

Dean Coclin (DigiCert)> The times for the last F2F were really the only times we could do between members in Asia, Americas, and Europe.

Daniela> Thanks!

Dean> I have 1 guest speaker for 30 minutes; I have another with more of a tech talk on random number generators that will be no more than 30 minutes. We will space these out with no more than 1 per day. Should be interesting!

Dimitris> Dean, how are registrations?

Dean> Pretty good! We’ve merged attendee lists into one (since everyone is virtual). We are at 68 registered attendees now.

9. Any Other Business

No other business was discussed.

10. Next call

The next call will take place on October 15, 2020 at 11:00am Eastern Time.

Adjourned

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).