2021-04-01 Minutes of the Server Certificate Working Group

Attendance

Adrian Mueller (SwissSign), Ali Gholami (Telia), Andrea Holland (SecureTrust), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Curt Spann (Apple), Daniela Hood (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Hazhar Ismail (MSC Trustgate), Janet Hines (SecureTrust), Jos Purvis (Cisco), Leo Grove (SSL.com), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Paul van Brouwershaven (Entrust), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Ryan Sleevi (Google), Tadahiko Ito (SECOM Trust Systems), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera Software AS), Trev Ponds-White (Amazon), Wendy Brown (US Federal PKI)

Minutes

Review of Agenda

No agenda changes were noted.

Minutes Approval

  • The minutes from Face-to-Face 52 were reviewed and approved after being posted on the wiki and announced on the list. Dean said there was one change noted on the list, but that had already been fixed.
  • The minutes from the previous call were reviewed (toward the end of the call) but the attendance had not been included when the draft minutes were published on the list. The group therefore felt it important to hold off approving those minutes until the attendance list was attached and the minutes re-published.

Validation Subcommittee

Tim said last week’s call was a short one. Corey and Tim had discussed some of Ryan’s updates to the certificate profile information, which are recorded in the subcommittee minutes. They’ll be re-reviewing that in a week, when Ryan is able to attend the next meeting.

NetSec Subcommittee

Neil said the committee met on Tuesday. They ran through the cloud services updates at their meeting: there was no meeting of that group last week, but there will be one in a few weeks’ time. They also reviewed updates on SC40, which is being dropped in favour of a replacement ballot later on, mainly because the group is running out of time to mangle some of the text. Clint then introduced his text for three ballots that will flow out of the withdrawal of SC38, which the group reviewed together, particularly around the retention of a database of compromised keys. This would introduce a permanent duty for CAs to maintain a database of compromised keys. They then went through the restructure of 5.4 and 5.5 around audit log retention requirements. Questions came up around what “retaining OCSP queries” really meant: the responses? IP addresses? They then went on to some early draft ballots from Neil to mandate file monitoring or system file invariance assurance during the CA lifetime, and some improvements to the vulnerability patching requirements in the NSRs, which are somewhat open-ended at the moment (6 hours for critical vulnerabilities and 6 months for everything else), to try to tighten those up.

Ballot Status

Ballots in Discussion

  • SC42 (398) has a week left in discussion, after which Ben will start voting on it if there are no controversial comments or objections.
  • SC43 (Acceptable Status) – Niko will start voting on this right after the call, incorporating the comments from the discussion provided by Bruce and Ryan (among others). Bruce noted he approves of the changes as incorporated.

Ballots in Voting

None

Ballots in Review

SC41 is nearly through its review period; SC39 has come out of its review period and will be published right after the call.

Draft Ballots

  • Debian Weak Keys (Chris Kemmerer): Chris is reviewing the language in the thread and stands by the recommendations for CAs. What we’d discussed previously was placing this in an alternative location such as an appendix or annex; one question that needs resolution is what to do with resources made available by CAs (such as the work here by HARICA and others), and how these would be integrated or offered by the CABF. These are useful, but the question is how they would be maintained or hosted going forward if they’re considered useful. Jos noted that this question has come up before around CA resources for the community. CAs are welcome to make those available themselves, but there’s been discussion about whether or not to centralize them or encourage self-hosting. No conclusions were reached, so it’s still an open question. Chris noted that they’ll be hosting these resources themselves for now.
  • SC34 Account Management (Tobias Josefowitz): No updates, still revising.

Other Business

No other business was raised on the call.

The meeting was adjourned and handed over to the Forum Plenary.
