
2023-04-27 Minutes of the Server Certificate Working Group

Server Certificate Working Group Meeting April 27, 2023

Attendees:

Aaron Gable – (Let’s Encrypt), Adam Jones – (Microsoft), Adrian Mueller – (SwissSign), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Chris Clements – (Google), Clint Wilson – (Apple), Daryn Wright – (GoDaddy), Dimitris Zacharopoulos – (HARICA), Doug Beattie – (GlobalSign), Dustin Hollenback – (Microsoft), Ellie Lu – (TrustAsia Technologies, Inc.), Fumi Yoneda – (Japan Registry Services), Hogeun Yoo – (NAVER Cloud), Inigo Barreira – (Sectigo), Jamie Mackey – (US Federal PKI Management Authority), Janet Hines – (VikingCloud), Joanna Fox – (TrustCor Systems), Jos Purvis – (Fastly), Karina Sirota – (Microsoft), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Nargis Mannan – (VikingCloud), Nate Smith – (GoDaddy), Pedro Fuentes – (OISTE Foundation), Peter Miskovic – (Disig), Rebecca Kelley – (Apple), Ryan Dickson – (Google), Sissel Hoel – (Buypass AS), Sooyoung Eo – (NAVER Cloud), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tim Hollebeek – (DigiCert), Tobias Josefowitz – (Opera Software AS), Tsung-Min Kuo – (Chunghwa Telecom), Wendy Brown – (US Federal PKI Management Authority), Yoshiro Yoneya – (Japan Registry Services).

Server Certificate Working Group Agenda – 27 April 2023

  1. Roll Call and Begin Recording (* not needed)
  2. Read Antitrust Statement (* not needed)
  3. Review Agenda
  4. Minutes:
      1. 16 March: published
      2. 30 March: not ready yet
      3. 13 April: circulated within management list on 13/4
  5. Certificate consumers moratorium
      1. Update, if needed – Ben was not available to deliver update
      2. Does this mean that any application for consumers will not be discussed?
      3. Once requirements are updated, new applicants will need to re-apply.
  6. BRs format as per SC62 ballot
      1. Potential issues and solutions
          1. Ryan Dickson – increased the number of tables in the BRs 15-fold to improve readability, but this makes some parts, like section 7, difficult to read in the paged PDF
          2. Solution is to make pageless markdown the default view and offer a pageless PDF as an option for download
          3. Example is page 90
          4. Other concern: margins decreased, making the doc harder to read.
          5. Page breaks could be added to make it readable; however, this will introduce a manual edit requirement to every ballot.
          6. On each version creation, the manual portion is redlining; everything else is automated
          7. The group agreed that this is a readability issue and will try out several solutions.
  7. Issues to discuss:
      1. GitHub issues
          1. Continue with the review of the open issues
              1. Several have been closed or combined into a ballot Ryan is putting forward.
  8. Ballot Status – see list below
  9. Any Other Business
  10. Next call: 11 May
  11. Adjourn

CURRENT STATUS OF BALLOTS

  1. Passed
      1. None
  2. Failed
      1. None
  3. Voting Period
      1. None
  4. Discussion Period
      1. None
  5. Review Period
      1. None
  6. Draft / Under Consideration
      1. SC59 – Revival of Debian Weak Keys Ballot – Chris Kemmerer (SSL.com)
      2. SCXX – SLO/Response for CRL & OCSP Responses – David Kluge (Google) / Clint Wilson (Apple): on hold
      3. SCXX – Make OCSP optional, require CRLs – Chris (Google). On hold?
          1. Want to change update from 7 days to 24 hours while dropping OCSP
          2. 4.9.7 requires update every 7 days, with next update field to 10 days
          3. Even if you don’t issue short-lived certs, this will impact you, so the ballot went from some to all CAs
          4. Discussion ended for time – moved to email thread
      4. SCXX – Clean-up ballot
          1. Fix inconsistencies between BRs and EVGs
          2. ISO 3166 (allow 3 characters) in EVG 9.2.8
          3. Typo in section 7.2.2 of the BRs
          4. Changing titles in BRs and EVGs to reflect that they are for TLS cert types