CA/Browser Forum
Home » All CA/Browser Forum Posts » 2022-12-08 Minutes of the Server Certificate Working Group

2022-12-08 Minutes of the Server Certificate Working Group

These are the Minutes of the Teleconference described in the subject of this message.

Attendees (in alphabetical order)

Adam Jones (Microsoft), Andrea Holland (SecureTrust), Atsushi INABA (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Cassie L’Heureux (GoDaddy), Chris Clements (Google Chrome), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-Trust), Fumi Yoneda (Japan Registry Services), Joanna Fox (TrustCor), Luis Cervantes (GoDaddy), Lynn Jeun (VISA), Mads Henriksveen (Buypass), Michelle Coon (OATI), Nargis Mannan (SecureTrust), Paul van Brouwershaven (Entrust), Peter Miskovic (Disig), Rebecca Kelley (Apple), Rollin Yu (TrustAsia), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM), Thomas Zermeno (SSL.com), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera), Trevoli Ponds-White (Amazon), Tyler Myers (Godaddy), Wendy Brown (FPKI), Yoshiro Yoneya (JPRS)

Minutes

The Chair (Iñigo Barreira) and Vice Chair (Kiran Tummala) where unable to run the meeting and asked Dimitris Zacharopoulos to run the meeting.

1. Roll call

Dimitris Zacharopoulos took attendance

2. Read Antitrust Statement

The antitrust statement was read

3. Review Agenda

Today’s agenda was approved

4. Approval of minutes of last call

The minutes of November 10 were approved.

5. Application of ZT Browser

  • Dean Coclin reviewed the application, IPR agreement has been signed and all questions have been answered.
  • Tobias Josefowitz asked for more time and if this can be postponed to the next meeting.
  • It was agreed to postpone the review of this application until the next meeting as it was also not yet been forwarded to the management list.

6. Validation Subcommittee Update

Corey Bonnell gave the update.

The group discussed three topics during our last meeting:

  • Approval of an update to the certificate profiles ballot that integrates the ballots that have passed over the past year and a half.
  • Discussion about SHOULD in RFC5280 and NOT RECOMMENDED in the profile for the subject key identifier, there was rough consensus on the call to change this to MAY, but the certificate consumers would like to go back and discuss internally before we make any text changes.
  • Policy qualifiers, right now the language in the document says that those are NOT RECOMMENDED, a compromise was agreed to change this to a MAY for CA certificates but keep this NOT RECOMMENDED for subscriber certificates.

7. Ballot Status

  • SCXX – Revival of Debian Weak Keys Ballot – Chris Kemmerer (SSL.com)
  • Chris shared that Martijn Katerbarg (Sectigo) has agreed to endorse and that Tim Hollebeek (DigiCert), who had just left the call has expressed interest to endorse as well. As soon this is confirmed we can proceed with the ballot.
  • SCXX – SLO/Response for CRL & OCSP Responses – David Kluge (Google) / Clint Wilson (Apple): on hold?
  • Clint Wilson confirmed that it’s continuing to be on hold waiting on the proposal from Ryan Dickson to make OCSP optional prior to moving forward with this ballot.
  • SCXX – Incorporation of Mozilla Revocation Reason Codes – Ben Wilson (Mozilla)
  • Ben Wilson made a couple tweaks to the suggestions from Dimitris and asked Dimitris to review.
  • SCXX – Certificate profiles (Digicert)
  • See the validation subcommittee update
  • SCXX – Make OCSP optional, require CRLs
  • Chris Clements confirmed that this is open for discussion and that they are still highly interested in this.

8. Any Other Business

No other business was discussed.

9. Next call

Jan 5, 2023

10. Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).