CA/Browser Forum
Home » All CA/Browser Forum Posts » Ballot Forum-17 – Creation of Network Security Working Group

Ballot Forum-17 – Creation of Network Security Working Group

The voting on ballot FORUM-17 has completed, and the ballot has passed.

Voting Results

Certificate Issuers

22 votes total, with no abstentions:

  • 22 Yes votes: Buypass, Certum (Asseco), D-TRUST, DigiCert, Disig, eMudhra, Entrust, E-TUGRA, GDCA, GlobalSign, GoDaddy, HARICA, JPRS, Let’s Encrypt/ISRG, MSC Trustgate, OISTE, SECOM, Sectigo, SSL.com, SwissSign, Telia Company, SecureTrust,
  • 0 No Votes
  • 0 Abstentions

NOTE: A vote placed by GlobalTrust was not received on the public list and will not be counted.

Certificate Consumers

2 votes total, with no abstentions:

  • 2 Yes votes: Google, Mozilla,
  • 0 No votes
  • 0 Abstentions

Bylaw Requirements

  1. Bylaw 2.3(f) requires:

A “yes” vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers.

At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET.

  1. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET.

-– NEXT STEPS – INSTRUCTIONS FOR CA/BROWSER FORUM MEMBERS -–

Existing CA/Browser Forum members must declare their intent to participate in the NetSec WG by email to questions@cabforum.org, including a statement of the Voting Class by which they qualify and the names/email addresses of their designated representatives who will participate and who will vote. We recommend that this be done by January 15, 2022.

Once declarations of participation have been gathered, the NetSec WG’s acting chair will convene a meeting tentatively scheduled for Tuesday, January 18, 2022, at 2 PM EDT, the agenda for which will include: – Adopting a list of initial members from the list of proposed, qualifying applicants in conformance with the NetSec WG Charter – Appointing a Chair, Vice Chair, and Webmaster for the NetSec WG

– Discuss the WG’s first ballot – adoption of the Network and Certificate System Security Requirements (NCSSRs) and the IPR review period – Outline the goals and deliverables of the NetSec WG

In the interim, the NCSSRs remain a valid guideline of the CA/Browser Forum. Existing members of the working groups that have adopted the current NCSSRs are bound by the IPR Policy’s Royalty-Free license.


Ballot FORUM-17, Create Network Security Working Group

Proposed by Ben Wilson of Mozilla and endorsed by Tim Hollebeek of DigiCert and David Kluge of Google.

The Voting Period for Ballot FORUM-17 begins today at 19:00 UTC and ends on 23-Dec-2021 at 19:00 UTC.

Overview

In January 2013 the CA/Browser Forum’s “Network and Certificate System Security Requirements” (NCSSRs) became effective. In June 2017, the Forum chartered a Network Security Working Group to re-visit the NCSSRs. That charter expired on June 19, 2018, and in October 2018, the Server Certificate Working Group (SCWG) established a Network Security Subcommittee (NetSec Subcommittee) to continue work on the NCSSRs.

This ballot proposes to charter a new Network Security Working Group (NetSec WG) to replace the NetSec Subcommittee, to continue work on the NCSSRs, and to conduct any and all business related to improving the security of Certification Authorities.

Following the passage of this ballot:

  1. A new NetSec WG will be chartered under the CA/B Forum, pursuant to section 5.3.1 of the Bylaws;
  2. The Charter of the SCWG will be amended to remove the NCSSRs from within the scope of the SCWG Charter;
  3. The existing mailing list and other materials developed for the NetSec Subcommittee will be repurposed for use by the NetSec WG;
  4. The NetSec WG will produce and maintain versions of the NCSSRs; and
  5. The NetSec WG will make security-related recommendations to other Forum WGs for requirements or guidelines that are within their purview, i.e. the BRs/EVGs of the SCWG, the Baseline Requirements for Code Signing Certificates of the Code Signing Certificate Working Group (CSCWG) or guidelines adopted by the S/MIME Certificate Working Group (SMCWG).

Motion begins

The Charter of the Server Certificate Working Group, currently version 1.1, is amended by deleting references to the Network and Certificate System Security Requirements, so that the Scope section of the Charter will now read as follows:**

SCOPE:** The authorized scope of the Server Certificate Working Group shall be as follows:

  1. To specify Baseline Requirements, Extended Validation Guidelines, and other acceptable practices for the issuance and management of SSL/TLS server certificates used for authenticating servers accessible through the Internet.

  2. To update such requirements and guidelines from time to time, in order to address both existing and emerging threats to online security, including responsibility for the maintenance of and future amendments to the current CA/Browser Forum Baseline Requirements and Extended Validation Guidelines.

  3. To perform such other activities that are ancillary to the primary activities listed above.

See https://github.com/cabforum/forum/commit/a55fd7d3939f4f24aa26e88399069afede2a1edf

The CA/Browser Forum creates the Network Security Working Group and adopts the following Charter:

Network Security Working Group Charter

The Network Security Working Group (“NetSec WG”) is hereby created to perform the activities as specified in this Charter, subject to the terms and conditions of the CA/Browser Forum Bylaws (/) and Intellectual Property Rights (IPR) Policy (/about/ipr-policy/), as such documents may change from time to time. This charter for the NetSec WG has been created according to CAB Forum Bylaw 5.3.1. In the event of a conflict between this Charter and any provision in either the Bylaws or the IPR Policy, the provision in the Bylaws or IPR Policy shall take precedence. The definitions found in the Forum’s Bylaws shall apply to capitalized terms in this Charter.

1. Scope – The scope of work performed by the NetSec WG includes:

  1. To modify and maintain the existing Network and Certificate System Security Requirements or a successor requirements document (NCSSRs);
  2. To make recommendations for improvements to security controls in the requirements or guidelines adopted by other Forum WGs (e.g. see sections 5 and 6 of the Baseline Requirements);
  3. To create new requirements, guidelines, or recommended best practices related to the security of CA operations;
  4. To perform risk analyses, security analyses, and other types of reviews of threats and vulnerabilities applicable to CA operations involved in the issuance and maintenance of publicly trusted certificates (e.g. server certificates, code signing certificates, SMIME certificates, etc.); and
  5. To perform other activities ancillary to the primary activities listed above.

2. Out of Scope – The NetSec WG shall not adopt requirements, Guidelines, or Maintenance Guidelines concerning certificate profiles, validation processes, certificate issuance, certificate revocation, or subscriber obligations, which are within the purview of the Server Certificate Working Group (SCWG), the Code Signing Certificate Working Group (CSCWG), or the S/MIME Certificate Working Group (SMCWG).

3. End Date – The NetSec WG shall continue until it is dissolved by a vote of the CA/B Forum.

4. Deliverables – The NetSec WG shall be responsible for delivering and maintaining the NCSSRs (version 1.7 shall remain valid until it is replaced by a subsequent version) and any other documents the group may choose to develop and maintain.

5. Courtesy Notice of Proposed Amendments to the NCSSRs – Discussion and voting on any ballot to change the NCSSRs shall proceed within the NetSec WG in accordance with sections 2.3 and 2.4 of the Bylaws. Additionally, a courtesy notice of the proposed ballot and NetSec WG’s discussion period shall be given to the SCWG, the CSCWG, and the SMCWG via their Public Mail Lists. ** 6. Participation and Membership** – Membership in the NetSec WG shall be limited to organizations that are Certificate Issuer Members or Certificate Consumer Members of the SCWG, the CSCWG, or the SMCWG, who may join the NetSec WG only with such status or class as they hold in such other working groups.

In accordance with the IPR Policy, Members that choose to participate in the NetSec WG must declare their participation, and class of membership (Certificate Issuer or Certificate Consumer), and shall do so prior to participating. A Member must declare its participation in the NetSec WG by requesting to be added to the mailing list. The Chair of the NetSec WG shall establish a list for declarations of participation and manage it in accordance with the Bylaws, the IPR Policy, and the IPR Agreement.

The NetSec WG shall include Interested Parties and Associate Members as defined in the Bylaws.

Resignation from the NetSec WG does not prevent a participant from potentially having continuing obligations under the Forum’s IPR Policy or any other document.

7. Voting Structure

The NetSec WG shall consist of two classes of voting members, Certificate Issuers and Certificate Consumers. In order for a ballot to be adopted by the NetSec WG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three NetSec WG Meetings or Teleconferences (not counting subcommittee meetings thereof). For transition purposes, if three meetings have not yet occurred, then quorum is ten (10).

8. Leadership

Chair – Clint Wilson shall be the initial Chair of the NetSec WG. ** Vice-Chair** – David Kluge shall be the initial Vice-Chair of the NetSec WG.

Term. The Chair and Vice-Chair will serve until October 31, 2022, or until they are replaced, resign, or are otherwise disqualified. Thereafter, elections shall be held for chair and vice chair every two years in coordination with the Forum’s election process and in conjunction with its election cycle. Voting shall occur in accordance with Bylaw 4.1(c). In the event of a midterm vacancy, the NetSec WG will hold a special election and the selected candidate will serve the remainder of the existing term. ** 9. Communication** – NetSec WG communications and documents, including minutes of meetings, shall be posted on mailing-lists where the mail-archives are publicly accessible or on the Forum’s website.

10. IPR Policy – The CA/Browser Forum Intellectual Rights Policy, v. 1.3 or later, shall apply to all Working Group activity.

11. Other Organizational Matters

Reserved.

Effect of Forum Bylaws Amendment on Working Group – In the event that Forum Bylaws are amended to add or modify general rules governing Forum Working Groups and how they operate, such provisions of the Bylaws take precedence over this charter.

See https://github.com/cabforum/forum/pull/23/files#diff-cf5513a8c4dabce6e3364691537b74a7d2faa1af8dc9e1ee8ce9b2d7759c9406

Motion ends

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2021-12-09 18:00:00 UTC

End Time: 2021-12-16 19:00:00 UTC

Vote for approval (7 days)

Start Time: 2021-12-16 19:00 UTC

End Time: 2021-12-23 19:00:00 UTC

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).