CA/Browser Forum
Home » All CA/Browser Forum Posts » 2023-06-22 Minutes of the CA/Browser Forum Teleconference

2023-06-22 Minutes of the CA/Browser Forum Teleconference

Attendees

Aaron Poulsen – (Amazon), Abhishek Bhat – (eMudhra), Adam Jones – (Microsoft), Adrian Mueller – (SwissSign), Andrea Holland – (VikingCloud), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Chris Clements – (Google), Clint Wilson – (Apple), Corey Rasmussen – (OATI), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Doug Beattie – (GlobalSign), Dustin Hollenback – (Microsoft), Ellie Lu – (TrustAsia Technologies, Inc.), Fumi Yoneda – (Japan Registry Services), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Jos Purvis – (Fastly), Karina Sirota – (Microsoft), Lynn Jeun – (Visa), Mads Henriksveen – (Buypass AS), Marcelo Silva – (Visa), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Michelle Coon – (OATI), Nargis Mannan – (VikingCloud), Nate Smith – (GoDaddy), Nicol So – (CommScope), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Peter Miskovic – (Disig), Rebecca Kelley – (Apple), Rollin Yu – (TrustAsia Technologies, Inc.), Roman Fischer – (SwissSign), Ryan Dickson – (Google), Scott Rea – (eMudhra), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tobias Josefowitz – (Opera Software AS), Trevoli Ponds-White – (Amazon), Wendy Brown – (US Federal PKI Management Authority), Yashwanth TM – (eMudhra), Yoshiro Yoneya – (Japan Registry Services). Dimitris read the note-well

Approval of minutes

  • May 25th, circulated June 7th: approved

Updates

Server Cert Working Group Update – Iñigo Barreira (Sectigo)

  • Last meeting was during f2f and the following topics were discussed:

    • Membership applications
    • WebTrust automation
    • Validation Subcommittee will continue discussion on MPDV proposed by Google
    • Subscriber Agreements/Terms of Use
  • Ballots in process

    • Weak Keys Guidance – Tom Zermeno (SSL.com) is about to send for a vote
    • OCSP is optional – Still under discussion

Code Signing Certificate Working Group – Bruce Morton (Entrust)

  • Last meeting was during f2f and the following topics were discussed:

    • Certificate Transparency discussion
    • SCITT presentation
    • Time stamp change and time stamp requirements
    • Will try to remove High Risk changes language – generating keys in hardware will mitigate the issues
  • EV – Not much value for EV certificates for Code Signing. Discussed if it should be removed or pieces blended with OV certs.

    • Dimitris asked what happens with individuals who want to request Code Signing Certificates.
    • Bruce responded that Code Signing does not have a specific IV certificate. DV and OV allow individuals. EV does not. We do not have an IV policy, but we do allow certificates to be issued for individuals. We never broke it up into non-EV. As an example, S/MIME BRs have org ID in subject. This has multiple pieces of information within one field rather than multiple fields and includes org ID. This was applied to OV certificates. For an individual, we would need to have separate definitions for individuals and organizations since individuals do not have an org ID.

S/MIME Working Group – Stephen Davidson (Digicert)

  • Proceeding to create a ballot in the next week or so. Clint suggested that when CA/B Forum has new requirements, the transition arrangements should be stipulated in the requirement. One thing that will be included in ballot is new defined term for extent CA (existing or legacy). Giving another year for those to be rebuilt with fully compliant subordinate CAs. Defines what is ineligible and other items to parameters of practice. Email with Diff of text will be going to S/MIME list. Goal is to get through ballot and IP in advance of effective date so clarifications are fully available from effective date.

Forum Infrastructure Subcommittee – Jos Purvis (Fastly)

  • Meeting last week. Discussed wiki and other issues related to site. Establishment of new page in wiki – Infrastructure – Current Issues and Projects. The issues section of GitHub was too difficult to track, so this page will be easier for the group to follow.
  • Process to be member of Forum and Working Group. It currently gets muddled between requesting to join and when they get membership.
  • Attendance tracking improvements. Voting and participation in meetings and ballots that does not require a spreadsheet.
  • Adjusting Markdown assembly with tables. Section 7 of BR has large tables.
  • Trying to track person who raised the question, plus who is working on it.

Bylaws changes – Dimitris Zacharopoulos (HARICA)

  • Discussion period for Ballot 18 is under discussion. Ends June 26th. If no questions or comments, voting period will start immediately afterwards.

Network Security Working Group – Ben Wilson (Mozilla)

  • Ballot change proposed to adopt portions of Cloud Control Matrix language that referred to organizationally managed assets language and how we can adopt those CCM requirements as part of Network Security Requirements. This will include verbatim adoption of CCM language with an additional notes section to include interpretation of phrases and language. We will hopefully eventually get to common terminology to avoid this problem where CCM and NSRs use different terms or definitions.

  • Trev (Amazon Trust Services) and Wendy (FPKI) talked with Clint (Apple) about splitting up items from his presentation into 3 separate ballots

    • Section 4 – Vulnerability Detection and Patch Management
    • Introduce Section 5 – Offline or Air Gapped CAs
    • Restructuring of some of the language

Server Cert Working Group charter update – Ben Wilson (Mozilla)

  • There is focus on the Membership tool and membership tracking to reduce overhead for chairs to track participation criteria.
  • Dimitris asked about the timeline for charter updates. Ben said moratorium expires on December 1st and will work towards completing by then.

Any Other Business – Dimitris Zacharopoulos (HARICA)

  • F2F Minutes

    • There are still missing presentations. Recordings have been sent to minute takers. All etherpad notes have been moved to draft minutes on wiki. He asked presenters to ensure minutes are accurate.
    • Dean asked if the minutes posted include the working group minutes. Working Group minutes are still in etherpad or validation subcommittee. Those are still there and need to be posted separately.
  • Future f2f meetings

    • Possible hosting of f2f for Spring 2025. Secom will confirm meeting in Japan. Also received confirmed proposal for Summer 2025 for CPA Canada in Toronto.

Next meeting is July 6, 2023 Meeting Adjourned

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).