CA/Browser Forum
Home » All CA/Browser Forum Posts » 2022-12-08 Minutes of the Server Certificate Working Group

2022-12-08 Minutes of the Server Certificate Working Group

These are the Minutes of the Teleconference described in the subject of this message.

Attendees (in alphabetical order)

Adam Jones (Microsoft), Andrea Holland (SecureTrust), Atsushi INABA (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cassie L’Heureux (GoDaddy), Chris Clements (Google Chrome), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-Trust), Fumi Yoneda (Japan Registry Services), Joanna Fox (TrustCor), Luis Cervantes (GoDaddy), Lynn Jeun (VISA), Mads Henriksveen (Buypass), Michelle Coon (OATI), Nargis Mannan (SecureTrust), Paul van Brouwershaven (Entrust), Peter Miskovic (Disig), Rebecca Kelley (Apple), Rollin Yu (TrustAsia), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM), Thomas Zermeno (SSL.com), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera), Trevoli Ponds-White (Amazon), Tyler Myers (Godaddy), Wendy Brown (FPKI), Yoshiro Yoneya (JPRS)

Minutes

The Chair (Iñigo Barreira) and Vice Chair (Kiran Tummala) where unable to run the meeting and asked Dimitris Zacharopoulos to run the meeting.

1. Roll call

Dimitris Zacharopoulos took attendance

2. Read Antitrust Statement

The antitrust statement was read

3. Review Agenda

Today’s agenda was approved

4. Approval of minutes of last call

The minutes of November 10 were approved.

5. Application of ZT Browser

  • Dean Coclin reviewed the application, IPR agreement has been signed and all questions have been answered.
  • Tobias Josefowitz asked for more time and if this can be postponed to the next meeting.
  • It was agreed to postpone the review of this application until the next meeting as it was also not yet been forwarded to the management list.

6. Validation Subcommittee Update

Corey Bonnell gave the update.

The group discussed three topics during our last meeting:

  • Approval of an update to the certificate profiles ballot that integrates the ballots that have passed over the past year and a half.
  • Discussion about SHOULD in RFC5280 and NOT RECOMMENDED in the profile for the subject key identifier, there was rough consensus on the call to change this to MAY, but the certificate consumers would like to go back and discuss internally before we make any text changes.
  • Policy qualifiers, right now the language in the document says that those are NOT RECOMMENDED, a compromise was agreed to change this to a MAY for CA certificates but keep this NOT RECOMMENDED for subscriber certificates.

7. Ballot Status

  • SCXX – Revival of Debian Weak Keys Ballot – Chris Kemmerer (SSL.com)
  • Chris shared that Martijn Katerbarg (Sectigo) has agreed to endorse and that Tim Hollebeek (DigiCert), who had just left the call has expressed interest to endorse as well. As soon this is confirmed we can proceed with the ballot.
  • SCXX – SLO/Response for CRL & OCSP Responses – David Kluge (Google) / Clint Wilson (Apple): on hold?
  • Clint Wilson confirmed that it’s continuing to be on hold waiting on the proposal from Ryan Dickson to make OCSP optional prior to moving forward with this ballot.
  • SCXX – Incorporation of Mozilla Revocation Reason Codes – Ben Wilson (Mozilla)
  • Ben Wilson made a couple tweaks to the suggestions from Dimitris and asked Dimitris to review.
  • SCXX – Certificate profiles (Digicert)
  • See the validation subcommittee update
  • SCXX – Make OCSP optional, require CRLs
  • Chris Clements confirmed that this is open for discussion and that they are still highly interested in this.

8. Any Other Business

No other business was discussed.

9. Next call

Jan 5, 2023

10. Adjourned

Latest releases
Server Certificate Requirements
SC-084: DNS Labeled With ACME Account ID Challenge (#566) - Mar 13, 2025

BRs release version 2.1.4

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.8 - Ballot SMC010 - Dec 23, 2024

This ballot adopts Multi-Perspective Issuance Corroboration (MPIC) for CAs when conducting Email Domain Control Validation (DCV) and Certification Authority Authorization (CAA) checks for S/MIME Certificates. The Ballot adopts the MPIC implementation consistent with the TLS Baseline Requirements. Acknowledging that some S/MIME CAs with no TLS operations may require additional time to deploy MPIC, the Ballot has a Compliance Date of May 15, 2025. Following that date the implementation timeline described in TLS BR section 3.2.2.9 applies. This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Ashish Dhiman (GlobalSign) and Nicolas Lidzborski (Google).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Related posts
Tags
Minutes Server Certificates
Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).