
2023-01-05 Minutes of the Server Certificate Working Group

ServerCert Meeting: January 5, 2023

Attendance (in alphabetical order)

Aaron Gable (ISRG), Aaron Poulsen (Amazon Trust Services), Adam Jones (Microsoft), Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Clements (Google Chrome), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Daryn Wright (GoDaddy), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Ellie (TrustAsia), Enrico Entschew (D-TRUST), Eva Van Steenberge (GlobalSign), Fumi Yoneda (JPRS), Hazhar Ismail (MSC Trustgate), Inigo Barreira (Sectigo), Jamie Mackey (FPKI), Janet Hines (VikingCloud), Joanna Fox (TrustCor), Jos Purvis (Fastly), Karina Sirota Goodley (Microsoft), Kiran Tummala (Microsoft), Lynn Jeun (Visa), Mads Henriksveen (Buypass), Marcelo Silva (Visa), Marco Schambach (IdenTrust), Michelle Coon (OATI), Mrugesh Chandarana (IdenTrust), Nargis Mannan (VikingCloud), Peter Miskovic (Disig), Rich Smith (DigiCert), Rollin Yu (Trust Asia), Sissel Hoel (Buypass), Stephen Davidson (DigiCert), Steve Topletz (Cisco), Tadahiko Ito (SECOM), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera), Trevoli Ponds-White (Amazon Trust Services), Wayne Thayer (Fastly), Wendy Brown (FPKI), Yoshiro Yoneya (JPRS)

Minutes

  1. Antitrust statement read
  2. Approval of minutes: December 8th meeting minutes approved
  3. ZT Browser Application
    • Aaron G.: I have some concerns about an organization and a person who has been proven to be untrustworthy in this domain having voting power on things that affect everyone else in this domain. I want to make sure we discuss this.
      • Tobias J.: I think this case illustrates that the current requirements for membership may be lax or undefined in a way that may be problematic. We can’t take into account what may have been the motivation or what has been the motivation for the charter or bylaws. The charter says, if any member were to request a vote about membership, we would have to vote about this.
      • Tim H.: The bylaws are still in effect. When we added this language, it was because we always did this by consensus and if there wasn’t consensus, we had a vote. So, if there isn’t unanimous consensus then some members should request a vote. If no member is requesting a ballot, and every member is okay with it, then we approve. Is there a member that is requesting that we have a ballot on this issue?
      • Dean C.: The bylaws are very clear in this area. If there are people that want to have a vote, then you can request a vote and have the normal voting requirements.
      • Aaron G.: I am requesting a vote.
      • Inigo B.: Will this set precedent over any new membership?
      • Trev P.: It is already in the rules.
      • Dimitris Z.: If we are going to have a vote, then we need to know what the challenges are and what specific requirements this doesn’t meet.
      • Trev P.: That is not in the rules. Anyone can request a ballot for anything.
      • Tim H.: I don’t see any restrictions on why you can’t vote no. I recommend talking to your legal counsel about your vote and the reasoning for your vote. Companies can vote whichever way they want; it’s up to them to make sure that they’re complying with applicable laws.
      • Dean C.: The Server Cert Working Group charter says an applicant becomes a member once the server certificate working group has determined by consensus among the members during a meeting or teleconference that the applicant meets all of the requirements of subsection a, or upon the request of any member by a ballot, among the members. Acceptance by consensus shall be determined. Or a ballot of the members shall be held as soon as the applicant indicates that it has presented all information required and has responded to all follow up questions from the SCWG and the member has complied with the requirements of section 55 of the CA/Browser Forum bylaws. It’s either you have the consensus on this call or meeting or upon the request of a member a ballot.
      • Trev P.: It’s in the rules and if we don’t think that we should have ballots, then we should remove it from all of the charters.
      • Tim H.: To Tobias’ point, if people think the membership criteria are too lax, that is a potential discussion to have. The fact that the membership criteria for certificate consumers is quite lax has been discussed in the past, but it is difficult to find better language. We can have those discussions again if people want to tighten up the rules, but the tightening up of the rules should not be aimed at helping or preventing a specific person from joining.
      • Wayne T.: Will the voting be conducted in public or not? I don’t see any rules, but I assume by precedent we would conduct voting in public.
      • Trev P.: Also, does it need two endorsers in addition to the proposer?
      • Tobias J.: I will endorse.
      • Dean C.: Aaron would be the proposer with Toby as one endorser and then it would need a second endorser. The ballot platform question is still open.
      • Inigo B.: And this ballot is only for the ServerCert WG?
      • Tim H.: Aren’t membership and charter discussions Forum-level discussions and not ServerCert-level discussions?
      • Dean C.: No, because anybody that becomes a member of a working group is automatically granted Forum membership, and those working group discussions are held within the working groups.
      • Dimitris Z.: First thing we need to understand is if we’re going to do a ballot then, whether it’s going to be in a public or in private mailing list. Question is if we have to separate the management list of the ServerCert working group with the management list of the Forum level?
      • Tim H.: On the voting, the bylaws are pretty clear that the voting has to be public. The only private voting is for the special election ballots and the bylaws clearly carve out an exception for them to be private. There are no other carve outs.
      • Dean C.: There’s a section 2.3 in the Forum bylaws. It says general provisions applicable to all ballots and it talks about all the different ways you can vote.
      • Trev P.: It seems like the consensus is that it has to be on the public list. Is this sensitive enough to be on the management list?
      • Tim H.: It’s more about the documentation in the public archives and having the votes in one place.
      • Aaron G.: As the proposer I am comfortable with having this ballot occur in public.
      • Dimitris Z.: I was referring to section 5.1, which discusses that matters within the opinion of the members require confidentiality. So, if the consensus is that this does not require confidentiality, it’s fine to be in public.
      • Dean C.: That is referring to the member mailing list and the member website, whereas section 2.3 says general provisions applicable to all ballots. That is what takes precedence here.
      • Aaron G.: Bylaws 5.2 sub-paragraph 3 says the following materials shall be publicly posted to the public mail list: (3) messages formally proposing a Forum ballot, individual votes, quorum counts, et cetera. I think it makes sense for it to be in public.
      • Rich S.: This discussion has demonstrated there are some shortcomings with the way this process was thought out. The public vs private is one since the discussion to come to a consensus on membership on these calls is private, but the ballot calls for a public discussion per the bylaws. Another is in order to meet the definition of a ballot it must have a proposer and two endorsers, so if you can’t get 2 endorsers, then that stops the process in its tracks. I don’t think that was ever intended. While the person calling for the ballot doesn’t mind it being public, I’m not sure that applies to everyone who might cast a vote. And hopefully we’ll resolve the issue with the endorsers, but I think going forward we need to look at adding some verbiage to clarify these matters.
      • Tim H.: To avoid uncharted territory of a ballot not having enough endorsers, we will endorse for that purpose.
      • Inigo B.: I am concerned with problematic precedent, but it is in the charter. So, Aaron will draft up a ballot and seek two endorsers. Then follow the regular procedure, setting a discussion period and a voting period and get the results.
      • Aaron G.: If you are willing to be an endorser on this ballot, please reach out to me. And I will get started on the discussion email shortly.
      • Tobias J.: I request a 2-week discussion period. There are a lot of questions that need to be figured out.
      • Tim H.: I wanted to point out that ballot discussion time is effectively unlimited now. It’s up to Aaron to decide when the discussion is no longer fruitful, and when voting should start. But I agree that we should not prematurely take this to a vote. We should give members time to coordinate with their legal counsel and have any discussions publicly or privately that they need to have.
      • Dimitris Z.: At the same time, we don’t want to keep this candidate open indefinitely. We need a reasonable time frame for the ballot and the voting period. To Toby’s question about the quorum, if the voting begins, and there is no quorum, then the ballot fails.
      • Tim H.: Same as everybody voting no.
      • Dean C.: There’s also a provision in some place that these things should not be unnecessarily held up.
      • Tim H.: It says that for voting you have to have the vote as soon as possible. It doesn’t say anything about how long the vote can take. I don’t think we’re actually restricted on time.
      • Aaron G.: The ballot will state a yes vote means yes, add this member to the group. The proposal will be to add the browser as a member of the ServerCert working group.
      • Dean C.: I can respond to the applicant that a decision has been made to have a ballot based on the charter.
      • Trev P.: Who is taking the action item to look over the bylaws?
      • Tim H.: Dimitris and I are already looking into the bylaws both election and non-election related so we can add this item to the queue, but it will not be a priority. So, if someone has ideas on a solution reach out.

  4. Validation Subcommittee – Corey B. and Tim H.
    • Certificate profiles ballot
      • New PR that integrates SC56 and SC58 into the text
        • Discussion around ordering of RDNs and Names
    • LEIs in certificates
      • Focused on EV, potentially allowing an organization ID field like VAT or trade register information
        • Some discussion about adding it for OV
        • Overall still an open discussion for both OV and EV

  5. Ballots
    • Chris K.: SC59 – Debian Weak Keys has two endorsers, just compiling the redline version
    • Inigo B.: SLO/Response for CRL & OCSP Responses – still on hold
    • Ben W.: Incorporation of Mozilla Revocation Reason Codes – some changes to be included, but waiting on comments
      • Dimitris Z.: I like the changes. I prefer your 1st version of the 1st option where the subscriber requests in writing “without giving a reason” compared to “without giving a reason required to be specified by this section 4.9.1.1”. For number 10 I’m fine with your proposed language.
    • Inigo B.: Certificate Profiles – already mentioned
    • Chris C.: Make OCSP optional, require CRLs – still an open discussion, will reinvigorate next week
  6. Any Other Business
  7. Next Meeting – January 19th 2023
  8. Adjourned
