CA/Browser Forum
Home » Posts » 2021-08-05 Minutes of the Server Certificate Working Group

2021-08-05 Minutes of the Server Certificate Working Group

Attendees

Ali Gholami (Telia), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (Digicert), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Janet Hines (SecureTrust), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Kati Davids (GoDaddy), Mads Henriksveen (Buypass AS), Mike Reilly (Microsoft), Niko Carpenter (SecureTrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rebecca Kelley (Apple), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority), Natalia Kotliarsky (SecureTrust), Brittany Randall (GoDaddy), Tyler Myers (GoDaddy), Fumihiko Yoneda (Japan Registry Services), Yoshiro Yoneya (Japan Registry Services), Mike Min (GoDaddy), Rachel McPherson (Trustcor), Jose Guzman (GoDaddy)

1. Read Antitrust Statement

Jos Purvis read the antitrust statement.

2. Roll Call

Dean Coclin read the roll.

3. Review Agenda

No changes were made to the agenda.

4. Approval of minutes from last teleconference

The minutes from the last call were approved.

5. Validation Subcommittee Update

Clint Wilson said that there has been a lot of feedback on the draft certificate profiles. The subcommittee would like to receive continuous, incremental feedback as concerns are discovered rather than a big batch of feedback after a comprehensive review has been completed because it is more efficient to address feedback in small increments.

CRL distribution points were the main discussion topic on last week’s call, prompted by an email to the list. There are many different ways to encode them. We’d like to agree on a canonical form, but in the initial profile update expect to allow both formats. There was a good discussion around the pros and cons of the different encodings – one CRLDP with multiple URIs or multiple CRLDPs with single URIs.

6. NetSec Subcommittee Update

Ben Wilson said the subcommittee met on Tuesday. They are looking for a replacement for Neil Dunbar as chair. Clint Wilson, David Kluge, and Dustin Hollenback will seek approval to fill this role from their management. Ben will update the WebEx meeting to allow other members to start the WebEx session.

The cloud security subgroup recently shifted focus to audits and is preparing a document describing potential audit models and the component services that would be audited.

Finally, they discussed ballot SC34 which would no longer require annual review of inactive user accounts. Tobi is seeking a new endorser to replace Neil

7. Ballot Status

Ballots in Discussion Period

None

Ballots in Voting Period

None

Ballots in Review Period

  • Ballot SC47: Sunset subject:organizationalUnitName (Completes 2021-Aug-07)
  • Ballot SC48: Domain Name and IP Address Encoding (Completes 2021-08-21)

Draft Ballots Under Consideration

Ballot SCXX: Debian Weak Keys (Chris)

Chris Kemmerer said that he is going to reach out to external resources (Rob Stradling of Sectigo and Dimitris Zacharopoulos of HARICA) to clarify where the lists of weak keys will be hosted.

Ballot SC34 Account Management (Tobi)

Tobi Josefowitz said that it was discussed in the Network Security subcommittee. Neil was an endorser, so Tobi is looking for a new endorser.

8. Any Other Business

None

9. Next call: August 19th, 2021 at 11AM Eastern

Adjourn; Immediately convene meeting of CA Browser Forum (same call)

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed

Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.6 - Ballot SMC08 - Aug 29, 2024

This ballot sets a date by which issuance of certificates following the Legacy generation profiles must cease. It also includes the following minor updates:

  • Pins the domain validation procedures to v 2.0.5 of the TLS Baseline Requirements while the ballot activity for multi-perspective validation is concluded, and the SMCWG determines its corresponding course of action;
  • Updates the reference for SmtpUTF8Mailbox from RFC 8398 to RFC 9598; and
  • Small text corrections in the Reference section

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).