CA/Browser Forum

2021-12-09 Minutes of the Server Certificate Working Group

Attendees

Adrian Mueller (SwissSign), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Brittany Randall (GoDaddy), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Chris McMillan (Visa), Clint Wilson (Apple), Corey Bonnell (Digicert), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Fumihiko Yoneda (Japan Registry Services), Inaba Atsushi (GlobalSign), Janet Hines (SecureTrust), Joanna Fox (TrustCor Systems), Jos Purvis (Cisco Systems), Jose Guzman (GoDaddy), Karina Sirota (Microsoft), Kati Davids (GoDaddy), Marcelo Silva (Visa), Martijn Katerbarg (Sectigo), Niko Carpenter (SecureTrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Ryan Dickson (Google), Sebastian Schulz (GlobalSign), Tadahiko Ito (SECOM Trust Systems), Tobias Josefowitz (Opera Software AS), Tyler Myers (GoDaddy), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority), Yosiaki Iida (SECOM Trust Systems), Adam Jones (Microsoft), Pekka Lahtiharju (Telia)

Minutes

1. Read Antitrust Statement

Jos Purvis read the antitrust statement.

2. Roll Call

Reading of the roll was deferred to the Forum call.

3. Review Agenda

No changes were made to the agenda.

4. Approval of Minutes from Last Teleconference

The minutes from the last call were approved without changes.

5. Validation Subcommittee Update

Wayne Thayer said that the following topics were discussed on last week’s call:

  • Tim Hollebeek mentioned that SC52 version 2 was published. There was discussion about the addition of time interval calculations to the ‘conventions’ section of the BRs. Some feel that it is best to comprehensively clarify the definition of time intervals throughout the doc with this change, while others feel that the broad scope of the current ballot places too much of a burden on each CA to verify compliance.
  • Tim said that he hasn’t worked on the profiles recently.
  • Dimitris Zacharopoulos asked about removing Onion V2 address validation from the EV Guidelines. Tim said that V2 addresses are still in use. Dimitris will work with others to prepare a ballot.
  • Wayne asked about method 3.2.2.4.7 CNAME delegation to the CA and Tim said that he would send a proposal to the list.

6. NetSec Subcommittee Update

Ben Wilson said that the subcommittee discussed that the risk assessment is currently in Google Sheets, but we really need a database for the task. Unfortunately, we’re not aware of any inexpensive solution. Then they discussed conversion of the NetSec subcommittee to a working group. Ben has a ballot for this change ready to go into the discussion period. Ben asked if he should begin the discussion period today or wait until after the holidays. When no one responded, he said that he would start the discussion period today and try to complete voting by the 24th.

7. Ballot Status

Ballots in Discussion Period

None

Ballots in Voting Period

None

Ballots in Review Period

  • Ballot SC50: Remove the Requirements of Section 4.1.1

Draft Ballots Under Consideration

  • Ballot SC52 version 2: Specify CRL Validity Intervals in Seconds (Tim)

Wayne said that Tim published a new version of the ballot that incorporates clarifications drafted by Aaron Gable last week. Other than the disagreement mentioned earlier in the call about the scope of the change, there are no open comments, so Wayne said that he expects Tim to begin voting soon.

8. Any Other Business

None

9. Next call (after US Christmas holiday): January 6th, 2022 at 11AM Eastern

Adjourn; immediately convene meeting of CA Browser Forum (same call)

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).