2023-01-03 Minutes of the Network Security Working Group

The antitrust statement was read by Clint Wilson.

Attendance: Clint Wilson, Ben Wilson, Dustin Hollenback, Rollin Yu, Tim Crawford, Adam Jones, Corey Rasmussen, Josef Nigut, Wendy Brown, Prachi Jain, Jamie Mackey, and Rebecca Kelley

  1. Straw Poll – The straw poll to determine a better meeting time closed on Jan. 2 with 17 votes. Twelve voted against changing the time (only five said that they could still consistently attend the meeting if the time were changed). Clint asked whether the polling period should be extended. Ben suggested that we close the poll and base the decision on the information currently available. Clint will send out the results and see if there is any further discussion on the list.

Moving on to the two topics / emails sent by Ben on December 6th.

  2. Air-Gapped CAs (offline, powered off, air-gapped but powered on, etc.) – We were hoping that people would have time to consider their own configurations and operations. On the call, not many people could think of situations where root CAs were kept powered on, so why does NCSSR section 1.c. say, “in an offline state or air-gapped from all other networks”? Alternative language suggested was “in an offline state, and when powered on, then Air-Gapped from all other networks.”

Another issue is how we should handle other air-gapped (non-root) CA systems. It was suggested that we change our approach to “online” and “offline”. Then we could refer to systems as being online, offline, or online and air-gapped. (Some intermediate CAs are online, while others are maintained offline.) In the NCSSRs, we define and refer to “Certificate Systems” and “Issuing Systems”, but we need to define our CA systems reference model better. Developing or using our own NetSec WG terminology can be just as good as, or better than, anything else out there.

  3. Document Organization/Structure – Rather than use RFC 3647 as a framework for the NCSSRs (we can always provide a mapping), Ben was suggesting that we have high-level objectives at the start of each of the sections, re-organized into eight different categories, because he didn’t think the RFC 3647 framework would work for the first section. Clint suggested that for Section 1 it would still work. We could have a statement to give readers a context for the requirements, but without adding new requirements. For instance, in Section 1, we could add at the beginning something like, “We expect all CAs to have a very high level of security for their infrastructure and systems because they play a vital role in the security of the Internet, the delivery of code and application systems, and the security of email.” Most of these requirements aren’t necessarily CA-specific. They are things that any company with an Internet presence should be doing; we should be encouraging CAs to follow best practices.

Adjourned
