CA/Browser Forum

2022-02-15 Minutes of the Network Security Working Group

Clint Wilson leading the meeting.

Dustin Hollenback volunteered to take minutes.

Clint Wilson read the anti-trust statement.

Attendees: Adam Jones (Microsoft), Antti Backman (Telia Company), Ben Wilson (Mozilla), Christophe Bonjean (GlobalSign), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Curt Spann (Apple), Daniel Jeffery (Fastly), Daryn Wright (GoDaddy), David Kluge (Google), Don Sheehy (WebTrust), Dustin Hollenback (Microsoft), Heather Warnke (Amazon Trust Services), Israel Ventura (US Federal PKI), Jillian Karner (Let’s Encrypt / ISRG), Joanna Fox (TrustCor), Jozef Nigut (Disig), Marcelo Silva (Visa), Thomas Connelly (US Federal PKI), Tim Crawford (WebTrust), Prachi Jain (Fastly), Rebecca Kelley (Apple), Ruben Annemans, Tobias Josefowitz (Opera), Tony Seymour (Comsign), Trevoli Ponds-White (Amazon Trust Services)

Discussion of previous meeting minutes. Daniel Jeffery sent minutes from previous meeting. There were no objections to the 2022-02-01 meeting minutes. Minutes approved.

Discussion of a new recurring meeting time and the Doodle poll

  • Tuesdays at 8 a.m. Pacific time (4 pm UTC) was the most popular option
  • Wednesday at the same time was also popular
  • Clint Wilson asked if there were any objections to setting the meeting time to Tuesdays at 8 a.m. Pacific time (4 pm UTC) and there were no concerns raised by the group. The new time will be Tuesdays at 8 a.m. PST / 4 p.m. UTC. Clint will send an updated meeting invite for the new time slot.

Discussion about upcoming meetings. The next meeting is a week after the f2f. Clint Wilson asked if we should continue to have our scheduled meeting, which is a week after the f2f. There were no objections to keeping the scheduled meeting in 2 weeks on the calendar.

Discussion of Ballot NS-001

  • This is expected to pass and has a few hours before the voting period ends
  • There is a 60-day review period before adopting the NCSSRs
  • There were no questions or comments about the ballot

Cloud Services Subcommittee update

  • The subcommittee is working on risk assessment guidelines
  • https://docs.google.com/spreadsheets/d/1cmiJMnt-elXyi64F-NouJRnUt_ObN_9P0-yIo8i0AOE/edit#gid=93244111
  • Daniel Jeffery mentioned that the methodology has shifted a bit and that it feels like there is good progress.
  • David Kluge agreed that the methodology feels good. We’ll continue to make progress.
  • Clint Wilson mentioned that once assets and risks are identified, we’ll reach out to the larger audience for feedback.
  • Dustin Hollenback mentioned a discussion in the most recent subcommittee meeting about the subcommittee scope. The Cloud Services Subcommittee is focusing on the Risk Assessment now. Clint Wilson mentioned that the active work is security related. While the subcommittee has not been formally established yet, Clint will propose a ballot to establish the subcommittee and include a recommended name for the subcommittee. There was agreement among multiple commenters and some suggestions on names.
  • Ben Wilson mentioned that there are 2 ballots that he would still like to work on: 1) Zones ballot and 2) Offline air-gapped CA ballot. Clint Wilson asked if these were being introduced now that there has been more progress on the Risk Assessment. Ben said that he did not need to wait for the finalized Risk Assessment. Trevoli Ponds-White agreed that we do not need to wait for the final Risk Assessment. Clint will add the ballot discussion to the next meeting agenda. Trev and Clint discussed that these could possibly be discussed at the f2f, but can wait until the next meeting if there’s not enough time.

F2F discussion:

  • Clint Wilson mentioned that the NetSec working group meeting was removed from the f2f agenda and the only NetSec presentation will be the Summary presentation about the past year's progress and next year's plan.
  • Clint asked if he should attempt to get time back at f2f. Daniel Jeffery suggested that we could work on Risk Assessment as an ad hoc discussion on Thursday that won’t have a formal time slot. Daniel will coordinate the ad hoc meeting once we agree to meet. Ben Wilson suggested sending details to the NetSec mailing list, which includes all group members.
  • There was a short discussion about in-person versus remote attendees and a large majority of the NetSec members attending will be remote.
  • There were no other comments about adding content to the f2f agenda so Clint will not ask for more time.

Meeting adjourned.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).