CA/Browser Forum
Home » All CA/Browser Forum Posts » 2021-02-04 Minutes of the Server Certificate Working Group

2021-02-04 Minutes of the Server Certificate Working Group

Attendees (in alphabetical order)

Ali Gholami (Telia), Andrea Holland (SecureTrust), Arno Fiedler (D-TRUST), Ben Wilson (Digicert), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Chris McMillan (Visa), Clint Wilson (Apple), Corey Bonnell (DigiCert), Daniela Hood (GoDaddy), David Kluge (Google), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Eusebio Herrera (AC Camerfirma), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Jeff Ward (CPA Canada/WebTrust), Jim Gorz (GoDaddy), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Juan-Angel Martin (AC Camerfirma SA), Karina Sirota (Microsoft), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Noorul Halimin Mansol (PoS Digicert), Patrick Nohe (GlobalSign), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rebecca Kelley (Apple), Ryan Sleevi (Google), Sebastian Schulz (GlobalSign), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Tim Callan (Sectigo), Tobias Josefowitz (Opera Software AS), Wendy Brown (US Federal PKI Management Authority)

Minutes

1. Roll Call

Dean read the roll.

2. Read Antitrust Statement

Jos read the antitrust statement.

3. Review Agenda

No changes were made to the agenda.

4. Approval of minutes from last teleconference

The minutes from the January 21st teleconference were approved without changes.

5. Validation Subcommittee Update

Corey Bonnell said that three topics were discussed. First was the OU field. Paul Van Brouwershaven and Ryan Sleevi discussed Paul’s ballot, with Ryan expressing concerns that the OU information coming from an organization is still fundamentally unvalidated data. The discussion will continue on the list. The second topic was deprecation of the use of HTTP methods for wildcard certificate validation. Ryan repeated his request for data on the frequency of the use of this method from CAs. The third topic was discussion on cleanup of BR language around the applicability of CAA to Onion certificates. The group did not get back to the discussion of certificate profiles last week.

6. NetSec Subcommittee Update

Neil Dunbar reported that the subcommittee met on Tuesday. David Kluge has taken the lead to write two reports from the cloud services subcommittee. First, the Google compliance team has mapped various standards documents to cloud security, such as ISO 21188, and those are being compared with the NCSSRs. This will be the basis for increasing the scope of coverage of the NCSSRs. The other report is an examination of how components of the NCSSRs would help to prevent the DigiNotar breach. This will help determine where to tighten up the NCSSRs to make a recurrence far more difficult. The intention is to present these reports at the upcoming F2F. The rest of the discussion was on ballots. The intention is to withdraw SC38 and split it into 2-3 more tightly scoped ballots to address BR sections 1.3.2 and 4.1.1. Clint WIlson will help with another ballot to tighten up BR 5.4 and 5.5 on audit logging.

7. Ballot Status

Ballots in Discussion Period

SC38v2 – Alignment of Record Archival

Neil said that this ballot will be allowed to fail after the 21-day discussion period ends without updates.

SC40 – Security Requirements for Air-Gapped CA Systems

Ben said that Ryan had some comments about the definition of what an air-gapped CA system is. The definition sentence can be clarified with some “ands”. Ben also suggested that we could rephrase the definition to have subsections to aid clarity. He said that we do want to move forward with this ballot. There is also the issue of how signed content is moved from the air-gapped system to an online system.

Jos said there is a question of transport, and also that some CAs keep air-gapped systems up and running while others only bring the system up when used. For the latter, If the CA can certify that the system has remained off, turning the system on to check its configuration seems backwards. On the other hand, how else do you check the configuration and verify that it hasn’t changed?

Ryan said that this is something that can be resolved. Do we have a tight and unambiguous enough definition of an air-gapped system as both physically and logically separate? If you have a system that is always running but physically disconnected, that’s great. A system plugged in to a network switch connected to other things is an entirely different scenario. If something is kept in a safe offline, then doing something when it is brought online makes sense. If this is the intended direction, then this is a minor issue.

Neil said that both physical and logical separation are the order of the day. A system connected via WiFi would not be logically separate.

Ryan said that a system in a cage with a wire sticking out – is that physically and logically separated? We can resolve this with some ‘ands’ and ‘ors’. However, as discussed on the forum, there is an interest from some CAs to use VLAN separation as logical separation.

Ben said that we can take the discussion back to the list.

SC41 – Reformat the BRs, EVGs, and NCSSRs

Ryan said he will update SC41 with changes to address SC39 succeeding or failing. He has not heard any feedback from review of the documents outside of GitHub comments. Depending on the timing of SC40, SC41 may need to consider the impact of SC40 as well.

Ballots in Voting Period

SC39v2 – Definition of Critical Vulnerability

Jos said that this is in the voting period and reminded members to vote. Voting closes on Tuesday the 9th at 17:00 UTC. We have not hit the quorum yet.

Ballots in Review Period

None

Draft Ballots Under Consideration

Ballot SCXX: Security Requirements for Air-Gapped CA Systems (Ben)

Jos said that this is now SC40, discussed above.

Ballot SCXX: Debian Weak Keys (Chris)

Chris said that they are reviewing Sectigo’s input and are moving toward a proposal but it is still under discussion.

Ballot SC34 Account Management (Tobi)

Tobi said that there has been no progress.

8. Any Other Business

No additional topics were discussed.

9. Next call

18 February at 11AM Eastern

Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).