CA/Browser Forum
Home » All CA/Browser Forum Posts » 2022-03-29 Minutes of the Network Security Working Group

2022-03-29 Minutes of the Network Security Working Group

2022-03-29 | CABF NetSecWG Minutes

Attendees: Adam Jones, Antti Backman, Ben Wilson, Brittany Randall, Bruce Morton, Clint Wilson, Corey Bonnell, Daniel Jeffery, Daryn Wright, David Kluge, Dustin Hollenback, Inigo Barreira, Jillian Karner, Joanna Fox, Jozef Nigut, Kiran Tumala, Marcelo Silva, Pedro Fuentes, Rebecca Kelley, Ruben Annemans, Thomas Connelly, Tim Crawford, Tobias Josefowitz, Tony Seymour, Trevoli Ponds-White

Minutes

  • Clint Wilson reads anti-trust statement, verifies recording
  • Dan Jeffery volunteers to take minutes
  • Approval of last meeting minutes
  • Settled on Wednesday 9am Pacific time for this meeting
  • Discussion of Ben’s progress on better defining offline and high security zones
  • Ben asked us to follow up with him during the week to help him stay focused
  • Clint offered to ping later in the week
  • Transition to discussing the risk assessment work
  • Dan presents current progress
  • green striped the new assets tab
  • discussed environment definitions
  • discussed the structure of the tabs now
  • explanation of the concept of green-striped tabs
  • next tab to focus is the scoring explanations tab
  • Discussion of whether we should do further work here
  • Marcello asks a question as to whether root CA and offline CA should be different assessments
  • Clarification that root CA and offline CA will be the same
  • Call for questions
  • Clint identifies some internal resources would be happy to engage and help us refine the risk assessment, when should we do that
  • once we have green stripes done would be one good point, once we have the offline/root CA done would be another good point
  • probably within the next week or two
  • discussion of how that will be done, Clint will see how they want to do it
  • David points out that there has been little progress on filling out scenarios that people had volunteered to look at
  • can we pick what to focus on
  • look at the doc and find the pages
  • David looks over the items and suggests picking one
  • Some discussion of which to pick with Trev, David and Dan
  • Trev will take an unassigned category tomorrow
  • Trev points out we don’t have anything else today
  • Agree to discuss the assets tab right now since it’s ‘done’
  • quick recap of what green stripe/done means
  • Sharing of assets tab and discussion of how we got to this list
  • Take five minutes to let everyone read over the current assets
  • Marcello raises concern with the data transfer capabilities and underlying software assets covering too much and us missing things
  • Trev and Dan responds and long discussion with Marcello about why the categories are organised as they are
  • Marcello agrees to make a comment on items on how he thinks they could be broken up so we can review them
  • Trev suggests putting a comment on the column heading to explain the contents and purpose better
  • Marcello raises line 21 to understand why registration is with OCSP and CRL
  • explain the grouping as to why they are set up how they are (to reflect the types of risks and exposure the things in the environment are exposed to)
  • Further question and discussion of the meaning of the OCSP, CRL registration environment
  • discussion of how to best represent the environments and transitions between them
  • discussion of line 9 and where data is included at
  • should we have a different environment for transitions between environments
  • discussion of recombining software fields
  • Clint calls time and agreement to continue discussion in tomorrow’s working group meeting.
  • participants invited to formulate their thoughts and suggestions for that meeting
  • Call ended 2 minutes after the hour.
Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).