Minutes of the F2F 58 Meeting in Ottawa, Canada, 28 February – 1 March, 2023
Tuesday, 28 February 2023 – CA/B Forum Meeting (Day 1)
Attendees
Aaron Gable (Let’s Encrypt), Aaron Poulsen (Amazon Trust Services), Adam Jones (Microsoft), Adrian Mueller (SwissSign), Aleksandra Kurosz (Asseco Data Systems S.A. (Certum)), Alison Titus (Entrust), Andrea Holland (VikingCloud), Andreas Henschel (D-TRUST), Aneta Wojtczak-Iwanicka (Microsoft), Anna-Marie Christian (CPA Canada), Arno Fiedler (D-TRUST), Arnold Essing (Telekom Security), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Ben Wilson (Mozilla), Brianca Martin (Amazon), Brittany Randall (GoDaddy), Bruce Morton (Entrust), Bruce Wei (TrustAsia Technologies, Inc.), Chad Edhlers (IdenTrust), Chris Bailey (Entrust), Chris Clements (Google), Chris Czajczyc (Deloitte), Chris Kemmerer (SSL.com), Christophe Bonjean (GlobalSign), Clemens Wanko (ACAB’c), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Daniel Jeffery (Fastly), Daryn Wright (GoDaddy), Dave Chin (CPA Canada), David Kluge (Google), Dimitris Zacharopoulos (HARICA), Don Sheehy (WebTrust), Doug Beattie (GlobalSign), Dre Armeda (GoDaddy), Elaine Bronsther (Sectigo), Ellie Lu (TrustAsia Technologies, Inc.), Enrico Entschew (D-TRUST), Eva Vansteenberge (GlobalSign), Fumihiko Yoneda (Japan Registry Services Co., Ltd. (JPRS)), George Fergadis (HARICA), Georgy Sebastian (Amazon), Hazhar Ismail (MSC Trustgate Sdn Bhd), Henry Birge-Lee (Guest Speaker), Ian McMillan (Microsoft), Ilona Jones (Entrust), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), JP Hamilton (Cisco Systems), Jamie Mackey (US Federal PKI Management Authority), Janet Hines (VikingCloud), Jeremy Rowley (DigiCert), Joanna Fox (TrustCor Systems), John Sarapata (Google Trust Services), Jos Purvis (Fastly), Jozef Nigut (Disig), Karina Sirota Goodley (Microsoft), Kathleen Wilson (Mozilla), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Lisa Marie Barlow (Entrust), Lynn Jeun (Visa), Mads Henriksveen (Buypass AS), Marcelo Silva (Visa), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Matthias Wiedenhorst (ACAB Council), Michael Slaughter (Amazon), Michał Malinowski (Asseco Data Systems S.A. (Certum)), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Nick France (Sectigo), Nikolaos Soumelidis (ACAB’c), Pankaj Chawla (eMudhra), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Pekka Lahtiharju (Telia Company), Peter Miskovic (Disig), Prachi Jain (Fastly), Rich Smith (DigiCert), Raffaela Achermann (SwissSign), Rajesh Raman (eMudhra), Rebecca Kelley (Apple), Rob Stradling (Sectigo), Rollin Yu (TrustAsia Technologies, Inc.), Ryan Dickson (Google Chrome), Samantha Frank (Let’s Encrypt), Sissel Hoel (Buypass), Star Simmons (GoDaddy), Stefan Kirch (Telekom Security), Stephen Davidson (DigiCert), Steven Deitte (GoDaddy), Sven Rajala (Keyfactor), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Tsung-Min Kuo (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha (eMudhra), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority), Xiu Lei (GDCA), Yoshihiko Matsuo (Japan Registry Services Co., Ltd. (JPRS)), Yoshiro Yoneya (Japan Registry Services Co., Ltd. (JPRS)).
Future face to face meeting schedule
Discussion leader: Dimitris Zacharopoulos (HARICA),
Minutes
Presentation link: /uploads/2-CABF_Future-meetings.pdf
Discussion outside the presentation
June 6-8, 2023 meeting will be hosted by Microsoft in Redmond, WA
October 3-5, 2023 will be hosted by Globalsign in Portsmouth, NH
Spring 2024 meeting will be hosted by eMudhra in New Delhi, India
Summer 2024 meeting will be hosted by Actalis in Bergamo, Italy
Fall 2024 meeting will be hosted by Amazon in Seattle, WA
Bylaws topics
Discussion leaders: Dimitris Zacharopoulos (HARICA), Tim Hollebeek (Digicert)
Minutes: Ben Wilson (Mozilla)
Presentation link: /uploads/3-CABF_Bylaws-2.5-updates.pdf
Discussion outside the presentation
Dimitris reviewed proposed bylaw changes.
- The first topic was who must sign the IPR Agreement? If there is a legal entity that is the owner of the CA that is different than the actual operator of the CA, then both entities should sign the IPR Agreement.
- The reading of the Antitrust Statement should not be required for every meeting. There will be Notewell read at the beginning of teleconferences. The full antitrust statement will be read at the beginning of the face-to-face meetings.
- The Associate Member Category currently includes “probational” CAs, so a new category of “Probational Certificate Issuers” will be created. Wayne said that the category is rare and wondered whether it was needed. Dimitris said it is better to have more inclusive rules. Wayne said that the current proposal is too vague. Wayne suggested that a qualifying audit (including a point-in-time) should be the threshold. Dimitris will consider Wayne’s suggestion further.
- We will remove “Root Certificate Issuer” from the bylaws and merge it with “Certificate Issuer”.
- Publication of Subcommittee Minutes. There will be a clarification that they do not need to be published/maintained on the public website. Minutes should be published to the group’s public list. However, there needs to be a process where draft minutes are first sent to the group’s management list, not the public list.
- We discussed what it means to be “actively” issuing certificates. In past discussions, there was not a compelling argument for requiring the applicant to demonstrate that they were “actively” issuing certificates. This is also related to the requirement that they issue certificates to “third party” websites. So “actively” would be removed from the requirement. The requirement for “third party” website will also be removed. Any website would do.
- We discussed the minimum number of days for review of minutes to prevent minutes from being circulated within the day before the meeting in which they are approved. It was suggested that a week be provided for review of minutes. Based on previous conversations, Dimitris recommended setting a minimum threshold of 3 or 5 calendar days for the draft minutes to be distributed before being considered ready for approval, giving some minimum reasonable time for Members to review. There was a quick straw poll if there was a preference between 3 or 5 calendar days and the results were inconclusive so Dimitris will proceed with a doodle poll.
- Review and alignment of WG Charters – we should take a look at the S/MIME WG charter and harmonize charters and revise the template. Dimitris recommended that we do this with a single ballot. Dimitris asked how we should go about adopting the charter template in the Bylaws. There was no objection to moving forward with his plan.
- Ballot quorum. We need to clarify the voting rules on what takes precedence, the Bylaws or the Charter. Martijn said it is slightly unclear and needs work. Further work on this topic is needed.
Updates to Forum public website
Discussion leader: Ben Wilson (Mozilla)
Minutes: Martijn Katerbarg (Sectigo)
Presentation link: No presentation
Discussion outside the presentation
Ben: Minutes from prior to 2019 are not properly tagged within WordPress, this is something we should go back to and set them correctly. Dimitris offered to help with this.
We have made some changes over the last year by changing menus.
Martijn: Should we utilize GitHub for the minutes instead, having them approved through GH, send them automatically to the mailing lists, and point the website to the GH Repository.
Ben: The issue at hand is more for the historic minutes as going forward we seem to have a good process in place.
Concerns were raised that not everyone is comfortable with working in GitHub and writing in MarkDown. Paul added that we could use a default template for this.
There is consensus on looking into that, but not as a high priority item.
BROWSER UPDATES
Mozilla Root Program Update
Presentation by: Ben Wilson (Mozilla)
Minutes: Corey Bonnell (Digicert)
Presentation link: /uploads/5-2023-February-Mozilla-Update-CABF-Ottawa-F2F.pdf
Discussion outside the presentation
Don: When I looked at the root inclusion criteria, I had a concern about “the CA doesn’t already have a root”.
– Fair amount of time to include in Mozilla root store
– Auditor qualifications are provided after an audit engagement
– Seems to discount inclusion in other root programs
Another issue is the use of Internet Freedom Score. This score is developed by a donations-based organization. This would keep out China, Saudi Arabia, and the Middle East. India has a freedom score of 51, which is quite close to the threshold. With a donations-based funding, there is always the risk of bias. Has anyone done an impact study of those existing CAs that may be affected?
Kathleen: “Concerning behavior” is not meant to take each item individually. We use an aggregate approach across these factors to make a determination. For example, a single concern may not be sufficient reason to deny the request, whereas 4 or 5 might. I like your suggestion of considering whether a CA is included in other root programs. We are receptive to ideas of amending the use of Internet Freedom Score.
Kathleen: We could amend the auditor requirement to consider whether this auditor has audited CAs trusted in other root programs.
Clemens: We spent significant time about quality aspects. We didn’t find any areas where one could easily define quality indicators for auditors that can be used as a basis of comparison. Therefore, we suggest dividing the auditor qualification from the CA inclusion items.
Trev: Are the incident categories published anywhere?
Ben: There is a brief breakdown on the Wiki, but also there is documentation on the Wiki. We will make this available.
Google Root Program Update
Presentation by: Ryan Dickson (Google Chrome)
Minutes: Trevoli Ponds-White (Amazon)
Presentation link: /uploads/6-CABF-F2F-58-Chrome-Browser-Update-PUBLIC.pdf
Discussion outside the presentation
There was additional context from the presentation that was not on the slides.
Apple Root Program Update
Presentation by: Clint Wilson (Apple)
Minutes: Wayne Thayer (Fastly)
Presentation link: /uploads/7-2023-February-CABFwiki-Apple.pdf
Summary of Clint’s presentation:
Planned effective date for this new policy is midyear, with a plan to share the changes via a CCADB communication in the next month followed by a feedback period.
First change is to the organization of the policy, adding sections and section headings.
Adding requirements for S/MIME BR audits at a future date. Plan to require a period-of-time beginning when the S/MIME BRs go into effect. Expecting S/MIME audits to begin being submitted next year.
Adding clarification of expectation for lifecycle audits for things like parked keys and key destruction.
Adding requirement for audit firm to be licensed in jurisdiction where audit is being conducted.
Adding scenarios that may require further audit engagements when an audit is incomplete or remediation is needed. Apple may request detailed controls reports.
Adding limitation on repeated use of the same audit firm for more than 4 years in a row by the same CA, effective in 2025.
Adding requirement for audit reports to include information on incidents.
Adding requirement to comply with CCADB policy.
Adding requirement that CA’s monitor CCADB public mailing list.
Clarifying format required for IDPs in CRL requirements, similar to Mozilla’s updated policy.
Adding requirement for CAs to be single purpose hierarchies at a future date. First applies to new CA certificates, then at a later date plan to remove existing multi-purpose hierarchies.
Requiring TLS CA providers support one of four specific domain validation methods described in the BRs. These are automation focused methods.
Adding clarifications around issuance of a certificate being authorization by the CA for issuance of the certificate.
Adding some language around incident reporting expectations.
Adding requirement that CA’s notify Apple directly when an incident occurs, but discussion can happen elsewhere on a public forum.
Aligning on using even months except December for effective dates, with the exception of S/MIME BRs which are effective in September.
Working on formally publishing Verified Mark Certificate root program as a separate document.
New CCADB inclusion request process asks for externally hosted documents that describe the CA’s operations in sufficient detail that Apple can answer their own questions.
Discussion outside the presentation
Trevoli Ponds-White asked about the Value & Benefits section of the CCADB root inclusion request form and the mention of ‘timely and transparent reporting of compliance incidents’ – is that consistent with other Browser requirements? Should it have a separate section?
Clint: Think of it as part of Value, but could be split out.
Trev: Please coordinate with other Browsers for consistency on this. Also, CAs will always want to see the questions in advance.
Clint: We can post them on CCADB.org
Don Sheehy: Feedback for requiring rotation of auditors. You may have mixed up partner versus firm rotation when comparing to financial audits. Firms are not required to be changed in the financial world. It is very costly to change auditors. Also, there are far more qualified financial auditors than in the WebTrust realm. Don also referred to research on this topic that includes mitigations.
Clint: We have discussed partner versus firm rotation. There is quite a bit of time for the discussion since the new requirement won’t apply until 2025. Apple does believe this is the right direction based on observations of CA audits. Want to balance cost of change with benefit by making required changes infrequent.
Dimitris: Is the goal of requiring auditor rotations to require change just for one year? Permanently?
Clint: Not planning to restrict CA from going back to the same auditor after one year of using a different one.
Tim Crawford: These audits are often part of a large compliance suite (SOC, ISO, PCI), so costs will increase if WebTrust audits are broken out to stand on their own. Where does this idea come from?
Clint: Primarily from financial system audits.
Tim: But that is partner rotation, not firm rotation. Also, how does this interact with Mozilla’s concern over using an auditor that hasn’t performed other CA audits?
Clint: Mozilla’s proposal is just a concerning behavior, so there is no conflict.
Rob Stradling: Sectigo has a WebTrust audit and an ETSI audit. Could we include all operations in both audits and meet this new requirement without changing auditors?
Clint: Yes, I think so.
Rob: Regarding Values and Benefits statement in root inclusion request, does that apply to all CAs applying to add roots, or just new CAs?
Clint: All.
Aaron Poulsen: Value & Benefits posted on an external site – does it need to be publicly accessible?
Clint: No, just need Apple to be able to access it.
Bruce Morton: When will this root store policy update be available?
Clint: Hoping to share draft in the next month for further discussion. Planned effective date for the entire policy is June 15, but could be delayed. Individual requirements also have future effective dates.
Bruce: What is effective date for S/MIME BRs?
Clint: Current draft is that S/MIME issuers need to be in compliance by SMBR effective date (Sept 1), with an initial audit covering Sept-Nov and reports submitted to Apple 90 days later. Will discuss tomorrow during the S/MIME WG session.
Clemens Wanko: What are concerns driving auditor rotation requirements? Let us discuss the fears and see what the existing schemes offer to address these concerns.
Clint: Apple is planning to send a message to the WebTrust Task Force and ACAB’c to open a discussion on the new draft policy at the same time it is sent to CAs.
Trev: Auditors are often more familiar with a CA after the first year and they probe deeper in future years.
Clint: We see more value for a few years and then it tapers off.
Dimitris: We also see what Trev describes.
Don: As you get more familiar with a client, you drill deeper.
Wayne Thayer: In working with the same auditor for a long period of time, they consistently found new areas for improvement each year.
Aaron Gable: The crux of the issue is that it depends on the auditor. In the past year we’ve seen examples of auditors not identifying issues. Changing auditors provides an opportunity to obtain a different perspective.
Daryn Wright: Most people in the room are CAs. None would choose an auditor that is not experienced. There is a limited number of auditors, and they may not be willing to continue to perform these audits if they can’t keep their clients.
Trev: In SOC, it is a red flag to switch auditors because it is considered “opinion shopping”.
Microsoft Root Program Update
Presentation by: Karina Sirota (Microsoft)
Minutes: Ryan Dickson (Google Chrome)
Presentation link:
Discussion outside the presentation
Karina shared updates on behalf of the Microsoft Trusted Root Program
Three items on the discussion agenda: malware monitoring initiative, testing reminder, and communications reminder
Malware Monitoring Initiative (applicable to Code Signing, only)
Microsoft continues to engage with CAs on detecting signed malware.
Thank you to those who are working with Microsoft to report and/or investigate malicious software.
Testing Reminder
Root Store updates (i.e., Certificate Trust List updates) are released monthly, except in December.
The presentation includes links for testing updated packages. Please confirm testing when requested by the Microsoft Team.
Reminder: deprecations take place on the first of the month
Reminder: Microsoft asks that you test and confirm changes within 5 days of being requested. Intent is to ensure updates are working as expected before they are released.
Reminder: the slides include more detailed testing instructions.
Communications Reminder
The slides include a link to all public webpages and artifacts.
Please use the Microsoft Trusted Root Program email alias (msroot@microsoft.com) on all communications.
Questions
Bruce (Entrust): Related to the Malware Monitoring Initiative: Is there anything CAs can use to search for malware? How can we find instances of malware to do a better job of screening them out? Are there things CAs can do to stop issuing certificates to those who sign/distribute malware?
Response: Telemetry is currently internal to Microsoft. There might be future opportunity to share data, this is a worthy consideration.
Leo (SSL.com): Second what Bruce said. We have a code signing platform, and currently we use “Virus Total” and another source to prevent malware signing. Microsoft’s database is pretty good. If it’s possible for us to gain access to query the Microsoft body of signatures and indicators of malware, that’d be incredibly helpful.
Response: We can certainly investigate this.
Chris (Entrust): Is there a possibility of looking at something, before signing a certificate to better help detect malware? Perhaps, some sort of service?
Response: Important to note, the onus for investigation is currently on our end. We make the request to CAs to revoke concerning certificates. I understand the perspective that the type of service you describe would be helpful. Again, we’ll look into that.
CCADB Update
Presentation by: Chris Clements (Google Chrome, on behalf of the CCADB Steering Committee)
Minutes: Daryn Wright (GoDaddy)
Presentation link:
Discussion outside the presentation
CCADB update minutes.
Topic: CCADB.org updates
Added CCADB Public Group
Added Submit a Root Inclusion Request Guidance
Updated CCADB policy to 1.2.
Added CCADB Incident reports.
Topic: Root Inclusion Request
- Intent was to simplify.
- Submit 1 root inclusion request to multiple root stores, currently includes Apple, Google Chrome, and Mozilla
Topic: Add/update Root Requests
- Changed to only allow roots to be updated that have all information populated with them. If a root cannot be selected, it needs to have the information added.
- Meant to Standardize and Streamline process.
Topic: CCADB Groups
- Root stores rotate answering requests from support@ccadb.org
- Reminder of the code of conduct on Public@ccadb – be respectful
Topic: Questions/comments
No additional discussion.
Wednesday, 1 March 2023 – CA/B Forum Meeting (Day 2)
Lessons learned from SC60 and update to Bylaws/Charters
Discussion leaders: Dimitris Zacharopoulos (HARICA), Paul van Brouwershaven (Entrust), Inigo Barreira (Sectigo)
Minutes: Ben Wilson (Mozilla)
Presentation link:
Discussion outside the presentation
Dimitris presented slides regarding the Server Certificate WG charter. The provisions regarding membership in the SCWG were reviewed. Previously, there was an issue concerning an audit. There was another case where a CA member still had a root certificate present in an old version of a Consumer Member’s root store. Disagreements over membership should not be discriminatory, biased, or anti-competitive.
Trev asked whether the consensus decision should be made more clear that it is based on the criteria that are expressed in the Bylaws more explicitly.
Tim said that for CA members we have more clear guardrails, but on the Certificate Consumer there is a broader hole to drive through.
Aaron noted that a Certificate Consumer applicant has fewer hoops to jump through.
Tobias said that any member can require a vote without restrictions on how that vote is placed. They can vote however they feel. There would have to be some degree of professionalism, but that is not what is written. He also alluded that the process for becoming a certificate consumer member should not be trivial.
Paul said we need to have more objective criteria to base a decision on facts, not for subjective reasons.
Tobias said that we cannot have loopholes that allow any entities whatsoever to flood into the Forum. The criterion is whether they create a product to browse the web securely. There is nothing to prevent them from joining the Forum as an interested party.
Trev said the issue is whether an applicant should be allowed to join or not, not whether we all agree that they meet the membership criteria.
Dimitris said that we need to be more clear with objective criteria. Dimitris presented a slide that said “that challenges the Applicant’s adherence to all of the requirements of subsection (a)”. Tobias responded that he thought the current language was fine, but he would not object to amending the membership criteria for certificate consumers because allowing anyone to join without anyone’s ability to challenge is a problem.
Paul asked what if the criteria included something like the “best interests of security of the internet, etc.”? Then, you could ask them about how they meet those criteria. But right now, there are not good criteria.
Tobias said that certificate consumer members of the Forum today have a root program to govern certificates admitted to their root store.
Trev said that there are two questions presented here (1) should we add this requirement put forth by Dimitris, and (2) should we change the requirements for certificate consumers? Trev said that they were separate issues.
Tobias said if we had perfect criteria for certificate consumer members, then that would eliminate the need for the ability to challenge a membership application.
Dimitris said, to wrap up the discussion, we need to work with those who oppose this language and draft mutually agreeable objective language for determining certificate consumer membership.
Aaron said he didn’t think the language accomplishes the goal. It does not require that an applicant meet the requirements. It requires a member to object on those grounds. He put language in chat: “has determined by consensus among the members, or upon the request of any member by a ballot among the members, that the applicant meets all of the requirements of subsection (a).”
Tim said that there is already objective language in the Charter, “used to browse the web securely”, but we should add more objective criteria.
Inigo said, also, in the case of a “no” decision, we need clear direction on whether the applicant can reapply.
Definitions and Glossary WG
Discussion leader: Clint Wilson (Apple)
Minutes: Daryn Wright (GoDaddy)
Presentation link:
Discussion outside the presentation
@Clint, the recording came up empty for that part of the minutes and Daryn couldn’t keep up with the notes. Can you please add some context from memory so we can have something published regarding this topic?
@Others, feel free to chime in if you took personal notes for this section
Invited Guest Speakers: Multi-vantage point domain validation, protection against BGP hijacking and other network style attacks
Discussion leader: Henry Birge-Lee (Princeton University)
Minutes: –
Presentation link:
Discussion outside the presentation
AUDIT UPDATES
ETSI Update
Presentation by: Nick Pope and Arno Fiedler (Chairs ETSI ESI)
Minutes: Clemens Wanko (TÜV AUSTRIA)
Presentation link: /uploads/14-ETSI-ESI_Standardisation_Update_for_CAB-Forum-03-2023_1.2.pdf
ETSI summary of most important news (see slides for details)
ETSI shall directly incorporate the latest version of the CA/Browser Forum Baseline Requirements, so that any updates are automatically incorporated in ETSI EN 319 411-1 etc.
Other requirements to be addressed by CAs and the auditors in the ETSI ecosystem shall be included in ETSI TS 119 403-2 in a timely manner (next update to be released by March 10th, 2023). The CA/B Forum and Browsers are encouraged to interface with ETSI to support timely adoption.
Discussion outside the presentation:
Kathleen Wilson (Mozilla) asked about the timely integration of BRG into ETSI applicable standards. ETSI replied that BRG will be referenced into the ETSI standards in the future “by the latest version to be applied” instead of referencing the latest BRG version available at time of ETSI approval as we have it today. That fact was highly appreciated as it removes issues in keeping track between ETSI and BRG versions.
ACAB’c Update
Presentation by: Clemens Wanko (TÜV AUSTRIA)
Minutes: Nikolaos Soumelidis (QMSCert)
Presentation link: https://cabforum.org/uploads/15-CAB-Forum_58_ACABc_presentation.pdf
ACAB’C summary of most important news (see slides for details):
Increased number of members and coverage, THE auditor’s representative organization, new board
Updated Code of Conduct and Charter
Working Groups started, covering CA/B Forum, ETSI ESI, eIDAS, CAB accreditation
Upcoming eIDAS 2: Introduction of European Citizens Wallet, 4 new trust services
Updated TSP supervision because of the adoption of EU Cybersecurity Directive (NIS2)
Upcoming ETSI TS 119 403-2 V1.2.6: amendments
Multi-root Audit Attestation Letter template made available at
Active collaboration with CCADB team on ALV tool improvements
Discussion outside the presentation
Kathleen liked the update in ETSI TS 119 403-2.
Dimitris highlighted that under the NIS2 Directive, TSPs will be treated as what is called ‘essential entities’, together with power plants, transportation, etc., which means that they will be put under additional supervision for cybersecurity.
WebTrust Update
Presentation by: Tim Crawford, Don Sheehy, Dave Chin, (CPA Canada)
Minutes: Bruce Morton (Entrust)
Presentation link:
Discussion outside the presentation
WETSI
Plan to have a meeting in late 2023.
Issues: outsourcing, subservice arrangements, root inclusion changes, and changing of auditors
WebTrust
NetSec Requirements
Created version 1 of WebTrust for Network Security Principle and Criteria
Limited to the controls in Network Security (based on Version 1.7 of NSRs)
Effective date of July 1, 2023 or thereabouts to allow for changes by Browser systems later in year
Will also allow for update when new CAB Network Security guidelines are put in place
Reporting guidance has been developed
TLS BRs
Effective April 1, 2023
Incorporated all changes to Forum BR 1.8.6 in WebTrust for Baseline with Network Security Vs 2.7.
With the separation of the NetSec audit, there will be another update for the TLS BR to be stand-alone.
Code Signing BRs
Effective April 1, 2023
Incorporates all changes to CSBR vs 3.2
There were 4 sets of changes including the changes to reflect RFC 3647
Incorporate Network Security Requirements by reference as an additional principle as clarified by CAB Forum CSCWG yesterday.
EV Guidelines
Effective April 1, 2023
Incorporated all changes to Forum EV 1.8 in WebTrust for EV Vs 1.8
S/MIME BRs
CA/B S/MIME project vs 1.0 approved January 1, 2023, effective September 1, 2023
WebTrust TF has developed WebTrust Principles and Criteria for Certification Authorities – S/MIME Certificates vs 1.0 effective on or after April 1, 2023
Audit requirements similar to TLS BRs
Requires meeting NetSec by reference – included as separate principle
Developed criteria as well as audit templates for use by practitioners
Approved by TF in January 2023
Change from COVID-19 To Force Majeure Engagements
2020 issued practitioner guidance on COVID-19 dealing with areas that might impact auditors and CAs
Maintained for 2021 and 2022 – no relevant changes needed
Potential for scope limitations in certain areas caused by inability to physically be onsite
Provides examples of tools and approaches as best practices
Provides examples of potential audit reports
Provided electronically to registered WebTrust practitioners
Permanent guidance to deal with unexpected [catastrophic, government mandated, etc.] Force Majeure events out of the control of client and practitioner that prevent the practitioner (and the client) from being onsite
Will be issued as separate guidance document and will eventually be added as Appendix to practitioner Guide
COVID-19 – No current seals and no more expected under this program
COVID-19 being removed from Website
Revised project expected completion April 2023
Temporary WebTrust Seal, which can be awarded in a limited circumstance
All controls tested are ok, but scope limitation exists due to government mandated restrictions
Good for 6 months – expectation that scope limitation will be eliminated at that point
Seal is removed once the “clean” opinion is issued, when it is determined a report will be qualified/modified, OR after six months, whichever happens first
If after 6 months no ability to remove issue, seal is removed and report stands – advise report users
If ability to solve issue and “clean” opinion is issued, remove seal and issue regular WebTrust seal
VMC Requirements
Changes effective April 1, 2023
Have incorporated all changes to VMC Requirements 1.4 in WebTrust for VMC 1.4
There were 3 sets of changes approved by the Authindicators Working Group
WebTrust for CA 2.2.2
Continue to monitor changes in ISO docs related to PKI
Some front-end discussion needs to be reworked
WebTrust for RA 1.1
Some front-end discussion needs to be reworked
Review changes to relevant CA/B docs that are used
Practitioner Qualifications
After Working with Mozilla, illustrative template has been developed
Versions for Canada, US and International reporting
Some of the items have been dealt with in the assurance report
Google may have same request so will look at proposed Google requirements as expected to be very similar
Updates to Reporting Guidance
Updated to be effective TBD ( June 1, 2023 latest)
Reporting examples for US, Canadian, and International short-form reports
Reflecting new changes in CPA Canada and IFAC guidance
Updated to reflect wording changes in reporting Canada and International, new S/MIME, same reports for consistency, and correct minor errors
Will be available on CPA Canada website
Short-form RA Reports
In 2022 there was initial demand for a short-form public report for RA with seal
Short-form report templates (similar to WebTrust for CA) have now been developed and are being published
Detailed Controls Reporting
Current version being updated for changes in relevant criteria
Potential changes in practitioner report and system description based on AICPA changes for SOC 2
Will NOT be primary report for public seal
Short form (current report) will be public facing report with seal
WebTrust Full Lifecycle
Root Key Generation Ceremony Report (Birth Certificate)
Key Protection (Provides assurance that once a key is created and up to the point it is moved into production, it was properly safeguarded), Key Transportation, Migration & Destruction
Point In Time (As of date for testing the design and implementation of controls)
Period of Time (Same as Point in Time, but also tests transactions over a period between 2-12 months to ensure controls are operating effectively)
Engagement applicability matrix to be updated April 2023, to be published on the CPA Canada website
Carveout of Subservice organization controls
Dealing with the issue of whether carve-out reports will be permitted and the ramifications thereof
Should they only be allowed in lower-risk scenarios? Is it really a WebTrust report? There are seal issues. Is there usefulness in carve-out reports? Is there an ability to obtain alternative reports on carved-out processes?
Preliminary views at this point
NO carve-outs to be done at the current time, per Browsers
Inclusive approach to be followed for audit and reporting
When the CA/B Forum reaches decisions on controls and processes that can be outsourced, this will be re-assessed
Will also reach out to other audit schemes for discussion
Project has been parked until cloud and other issues are dealt with
Practitioner Guidance for Auditors
Version combines US, Canada and International
New US reporting material on direct engagements being addressed
New SOC material being analyzed for impact
Looking at the availability of new controls based on COVID experience
Additional specific browser requirements being considered
Browser and delegated WebTrust member to work together to fully develop the use of software and IT audit techniques on database information
Inclusion of Force Majeure being considered as an appendix
New Projects
WebTrust for CA Supporting X9
X9 is a standard setting organization for financial institutions and supporting organizations
X9 has identified a long list of PKI use cases in the financial sector
A base CP has been developed, and a business plan is being created to use WebTrust in the compliance requirements
WebTrust Supporting IoT Programs
A number of smaller IoT programs require a WebTrust engagement for admission
Evaluating other programs and the use of external service providers
CPA Canada
WebTrust Task Force Member Changes
Tim Crawford from BDO US elected new co-Chair to the Task Force effective January 2023
Dave Chin representing CPA Canada as co-Chair
Don Sheehy continues to support CPA Canada
New member to the Task Force: Adam Fiock representing BDO US
WebTrust key players were presented
Enrolled WebTrust practitioners were presented, also showing worldwide coverage
Other Updates
Website updates to change COVID to Force Majeure, illustrative report updates, and Principles and Criteria version updates
New Seals for S/MIME April 2023, Network Security March 2023, Registration Authority 2023, and Qualified Unhappy Seal TBD
Hosting of qualified and historical reports
Reviewing existing business model
Summary Presentations from Working Groups since last meeting
Server Certificate Working Group Update
Presentation by: Inigo Barreira (Sectigo)
Minutes: Martijn Katerbarg (Sectigo)
Presentation link:
Discussion outside the presentation
Where we are going with the Servercert WG:
The Validation Subcommittee was created initially for validating information going into certificates. They’ve got a full hour every other week, but have also moved on to other items, such as the Applicant / Applicant Representative effort.
Proposing to change how we work as the SCWG and increase the allotted time we have. This is to be discussed on the Server Certificate WG call tomorrow.
Potential alignment / integration of the EVGs into the BRs and making it RFC 3647 compliant
Tim added here that the VMC guidelines have done this, with some changes, and it seems like this is possible and not that hard to do.
Dimitris: It would mean we get a very large section 3 in the BRs
Bruce: Maybe we should move the EVGs away from the Server Cert WG and instead have multiple WGs use it. Tim: A Validation WG then?
It’s agreed upon to discuss this during the WG call tomorrow.
Code Signing Certificate Working Group Update
Presentation by: Bruce Morton (Entrust)
Minutes: Bruce Morton (Entrust)
Presentation link:
Discussion outside the presentation
Ballots in progress
Malware-based revocation has been expanded to rework the revocation reason section to bring it in line with the TLS and S/MIME BRs.
Signing Service requirements update, which has changed the name to “Subscriber Key Protection Service”, defined as “An organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber’s Code Signing Certificate.”
Import TLS BR references and align the text to meet the requirements of Code Signing.
Future Goals
At the 28 February F2F meeting we had Microsoft discuss the Code Signing ecosystem. The CAs also provided their input on issues. The goal was to ensure we are discussing the latest issues.
Time-stamp updates to cover TSA key usage period, TSA certificate validity period and a few other items.
Update requirements for High Risk Applicants and High Risk certificate requests.
Address Open-Source Project Applicants, which are having difficulty getting certificates to support their programs.
Code Signing validity period and whether the period should be reduced from 39 months.
Short-lived certificates, which are not the same as TLS short-lived certificates, as for code signing we will require CRL/OCSP status.
Certificate Transparency (CT) for code signing certificates.
S/MIME Certificate Working Group Update
Presentation by: Stephen Davidson (DigiCert)
Minutes: Martijn Katerbarg (Sectigo)
Presentation link: /uploads/19-SMCWG-_20230101_F2F-Intro.pdf
Discussion outside the presentation
No discussion outside of presentation bullet points
Network Security Working Group Update
Presentation by: Clint Wilson (Apple)
Minutes: Corey Bonnell (DigiCert)
Presentation link:
Discussion outside the presentation
Ben: We need to take this draft document (in Google Docs) and upload it to Github for further collaboration.
Nikolaos: I understand the outcome of this process is that the current NCSSRs are compatible with cloud services, but not in how they are expressed. My understanding is that the same requirements need to be expressed in a more high-level, outcome-driven way. Is this accurate?
Clint: In regard to cloud services, a CA can use cloud services and technically comply with NCSSRs today. However, in practice, it is very difficult as it requires an audit of the physical cloud infrastructure. The goal of the reformat work is to keep the security bar the same for CAs, but also allow for the practical use of cloud services.
Trev: The problem with the NCSSRs is that they are specific to a single architecture. This architecture is seen in how the requirements are expressed. In the cloud services subgroup, we are looking at the actual security goals. For example, in the NCSSRs, we have rules for hosts. However, if the CA uses serverless services, then technically there are no hard requirements and it is up to auditor interpretation.
Nikolaos: My understanding of Clint’s final statement was that the requirements are already there, but are not expressed well.
Trev: I’m not disagreeing with Clint, but am merely stating that we are looking to improve the requirements as written, as there is much room for improvement.
Tim C: This is an interesting take. My understanding is that the current wording of the NCSSRs precludes the use of the cloud.
Clint: The limitation is that the current written requirements would practically preclude the use of the cloud.
Tobias: I agree that it is practically impossible, as the requirements were not written with cloud services in mind.
Wayne: I’m not sure if the high-level goals of the WG have been described. What does the group expect to accomplish in the next 6-12 months?
Clint: The closest term output is adding the high-level goal descriptions to the NCSSRs at the beginning of each section. Then, we will either tackle the Air-gapped CA work or cloud services sub-group work.
Forum Infrastructure Subcommittee Update
Presentation by: Jos Purvis (Fastly), Ben Wilson (Mozilla)
Minutes: Wayne Thayer (Fastly)
Presentation link: No presentation
Discussion outside the presentation
Jos said that we are migrating to new wiki software. The work will proceed after this F2F.
Migration of back end services is also going on. We are moving to containerized hosts on common infrastructure that reduces the number of hosts we need to manage (hopefully 1-2 prod and 1-2 dev hosts).
Ben is updating and reorganizing website content. We would welcome help from members. We have also had some preliminary discussion of moving to a static hosting platform instead of WordPress, but we are generally happy with the services provided by our WordPress site that is hosted by GoDaddy.
[Day 3 was devoted to separate Working Group discussions]