CA/Browser Forum
Home » All CA/Browser Forum Posts » 2021-04-29 Minutes of the Server Certificate Working Group

2021-04-29 Minutes of the Server Certificate Working Group

Attendees

Aaron Gable (Let’s Encrypt), Abdul Hakeem Putra (MSC Trustgate), Adrian Mueller (SwissSign), Ali Gholami (Telia), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Curt Spann (Apple), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Janet Hines (SecureTrust), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority), Natalia Kotliarsky (SecureTrust), Maileen Del Rosario (GoDaddy), Brittany Randall (GoDaddy)

1. Read Antitrust Statement

Jos read the antitrust statement.

2. Roll Call

Dean read the roll.

3. Review Agenda

No changes were made to the agenda.

4. Approval of minutes from last teleconference

The minutes from the April 15th teleconference were approved without changes.

5. Validation Subcommittee Update

Tim Hollebeek said that the subcommittee discussed a number of issues on last week’s call. First was the wildcard and ADN ballot. The implementation date has been pushed back to Dec 2021, and some concerns with .onion names were discussed. Ballot SC46 to sunset the CAA DNS operator exception was discussed. The ongoing work on certificate profiles was discussed, including requirements for names constraints (MUST they be marked as critical?) and the path to supporting SRV names. Clarifying cross cert requirements and validity periods were also discussed. Finally, There was some discussion of limiting certificate backdating to a short period of time. Tim pointed to the meeting minutes for details.

Jos noted that Ryan Sleevi posted the following links to issues that were discussed in the chat:

Validity periods – https://github.com/cabforum/servercert/issues/266

Minutes: https://archive.cabforum.org/pipermail/validation/2021-April/001658.html

6. NetSec Subcommittee Update

Neil Dunbar reported that the subcommittee met on Tuesday. They first went through progress on the cloud services document. Work began on identifying CA-specific risks posed by using these services. They also began discussing the format of the document. The call then moved on to Clint Wilson’s ballots – remove BR section 4.1.1 and include a permanent duty to maintain a list of compromised keys, and updates to BR sections 5.4 and 5.5. This is almost ready to ballot. Clint will prepare a document explaining the rationale for the changes. Finally, there was discussion of the patching ballot, requiring CAs to regularly scan for patches, and a ballot to require filesystem change scanning.

7. Ballot Status

Ballots in Discussion Period

  • None

Ballots in Voting Period

  • SC44: Clarify Acceptable Status Codes

Voting ends 30-April 2021 at 19:30 UTC

Ballots in Review Period

  • SC42 – 398-day Re-use Period

Draft Ballots Under Consideration

  • Ballot SC45: Validation methods for Wildcards/ADNs https://archive.cabforum.org/pipermail/validation/2020-December/001607.html

    Ryan said that he will update the draft to account for Tor onion services. He has two endorsers, and will confirm that they support the changes. Then he will start the discussion period next week.

  • Ballot SC46: Sunset the CAA Exception https://archive.cabforum.org/pipermail/servercert-wg/2021-April/002617.html

    Ryan said that he has endorsers and will start the discussion period shortly.

  • Ballot SCXX: Debian Weak Keys (Chris)

    Chris Kemmerer said they are happy with feedback received, and were seeking additional input from stakeholders who maintain external resources. Chris said that he will go ahead and move the ballot into the discussion period.

  • Ballot SC34 Account Management (Tobi)

    Tobi Josefowitz said that he would talk to Jos about updating the pull request.

8. Any Other Business

Ryan raised an issue that was posted to the Management list on April 28th. Members should review the message and discuss on the Management list.

9. Next call: May 13, 2021 at 11AM Eastern

Adjourn; Immediately convene meeting of CA Browser Forum call (same call)

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.6 - Ballot SMC08 - Aug 29, 2024

This ballot sets a date by which issuance of certificates following the Legacy generation profiles must cease. It also includes the following minor updates: Pins the domain validation procedures to v 2.0.5 of the TLS Baseline Requirements while the ballot activity for multi-perspective validation is concluded, and the SMCWG determines its corresponding course of action; Updates the reference for SmtpUTF8Mailbox from RFC 8398 to RFC 9598; and Small text corrections in the Reference section

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).