CA/Browser Forum

2022-04-26 Minute of the Network Security Working Group

Attendance

  • Adam Jones – Microsoft
  • Antti Backman – Telia
  • Ben Wilson – Mozilla
  • Bruce Morton – Entrust
  • Christopher Bonjean – GlobalSign
  • Clint Wilson – Apple
  • Corey Bonnell – DigiCert
  • Corey Rasmussen – OATI
  • David Kluge – Google Trust Services
  • Iñigo Barreira – Sectigo
  • Joanna Fox – TrustCor
  • Jozef Nigut – Disig
  • Paul van Brouwershaven – Entrust
  • Prachi Jain – Fastly
  • Rebecca Kelley – Apple
  • Roman Fischer – SwissSign
  • Ruben Annemans – GlobalSign
  • Tim Crawford – BDO
  • Tobias Josefowitz – Opera
  • Tony Seymour – Comsign
  • Trevoli Ponds – Amazon Trust Services

Minutes

1. Read Antitrust Statement

a. Clint Wilson read the antitrust statement

2. Roll Call

a. No new members in attendance

3. Review Agenda

a. Approved minutes from previous meetings

b. Review rough drafts of ballot proposals (SLO for Cert Info)

c. Update from Ben Wilson (Mozilla)

d. Open for other business

4. Ballot Status

a. David Kluge (Google Trust Services) shared that the ballot proposal document is in a stage to transfer over to the Certificate Working Group (Thursday Meeting) for review and more input before a formal submission.

i. Clint Wilson suggested that sharing the ballot via the Public List would be a good introduction for public discussion.

b. David Kluge shared a few comments that still need a solution. (1) The first is the Availability Targets. There should be some and they should be defined in the SLO, but the question remains “Availability measured against what?” (2) Secondly, from a technical standpoint, most agreed that it would be great to have some objective reference point (a location of a measurable point), but there is still the open problem of what such reference points should be.

i. Trevoli Ponds (Amazon Trust Services) agreed, based on the comments, that an example would be confusing. There should either be a minimum or no example in the BRs. If there has to be an example, one on the website would be satisfactory.

c. There was discussion that the symbols used in the examples in the draft ballot are not used by all. Examples were given between different CAs to explain how the symbols and values could be confusing.

i. The discussion focused on how clarification and understanding.

5. Ben Wilson Update

a. Ben Wilson (Mozilla) provided an update on the proposed changes he is currently working on.

6. Other Business

a. David Kluge (Google Trust Services) discussed the Risk Assessment that the Cloud Services Sub Group has been working on. A couple of weeks ago it was suggested that they use Microsoft STRIDE to document risk scenarios. Trevoli Ponds (Amazon Trust Services) has a contact who can assist with this task.
