
2023-06-22 Minutes of the Server Certificate Working Group

Server Certificate Working Group Meeting June 22, 2023

Attendees

Aaron Poulsen – (Amazon), Abhishek Bhat – (eMudhra), Adam Jones – (Microsoft), Adrian Mueller – (SwissSign), Andrea Holland – (VikingCloud), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Bruce Morton – (Entrust), Chad Ehlers – (IdenTrust), Chris Clements – (Google), Clint Wilson – (Apple), Corey Rasmussen – (OATI), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Doug Beattie – (GlobalSign), Dustin Hollenback – (Microsoft), Ellie Lu – (TrustAsia Technologies, Inc.), Fumi Yoneda – (Japan Registry Services), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Jos Purvis – (Fastly), Karina Sirota – (Microsoft), Lynn Jeun – (Visa), Mads Henriksveen – (Buypass AS), Marcelo Silva – (Visa), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Michelle Coon – (OATI), Nargis Mannan – (VikingCloud), Nate Smith – (GoDaddy), Nicol So – (CommScope), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Peter Miskovic – (Disig), Rebecca Kelley – (Apple), Rollin Yu – (TrustAsia Technologies, Inc.), Roman Fischer – (SwissSign), Ryan Dickson – (Google), Scott Rea – (eMudhra), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tobias Josefowitz – (Opera Software AS), Trevoli Ponds-White – (Amazon), Wendy Brown – (US Federal PKI Management Authority), Yashwanth TM – (eMudhra), Yoshiro Yoneya – (Japan Registry Services).

The note-well was read in the plenary meeting earlier during this call.

Approval of minutes

  • May 25th, circulated June 7th: approved
  • f2f minutes have not been circulated. Inigo Barreira (Sectigo) will forward to the list.

Updates

Membership – Inigo Barreira (Sectigo)

  • Unsung Limited will be joining as an Interested Party
  • Stephen asked what they do. Inigo said they are a UK-based PKI consultancy.
  • No objections were raised and they will be granted membership status and access.

Issues – Inigo Barreira (Sectigo)

  • Certificate Automation
  • Paul van Brouwershaven (Entrust) presented at the f2f meeting
  • Dimitris Zacharopoulos (HARICA) asked if the plan is to use this meeting to continue the automation discussion. Inigo was not sure if the discussion was completed. If not, then he wanted to allow time to discuss in more detail.
  • Mads Henriksveen (Buypass AS) asked in chat if the presentation will be shared. Inigo will upload the presentation to the SCWG minutes by the next call.

New meeting slot – Inigo Barreira (Sectigo)

  • The time allocated for this meeting is usually less than needed, and the group is usually unable to complete the agenda. Inigo is proposing a new time slot for Server Cert meeting times. Inigo will send a Doodle to gather information on potential days / times for a separate meeting. This also includes more time at the f2f.
  • Bruce Morton (Entrust) mentioned that on Thursday we could potentially schedule a two-hour window with meetings at 11 am and noon Eastern time. Maybe this meeting can be moved to the 9 am Pacific time slot. Trevoli Ponds-White (Amazon) mentioned that she always has meetings at 9 am Pacific time, and that noon Eastern time would cause people to skip lunch. Trev suggested using the Doodle poll to see what options the group will want to go with.
  • Dimitris Zacharopoulos (HARICA) wants to identify what topics to discuss in this meeting. Many of these topics are already covered by Subcommittee meetings. With this new topic of certificate automation, he thought that this could be created as a new Subcommittee to focus on this work. Paul van Brouwershaven (Entrust) did not think there is enough to discuss as a Subcommittee at this time. He said it is good to get input from members, but not full dedicated time. Paul said there are other topics that do not fit into existing subcommittees and would need to be discussed in this meeting. Trev agreed that we do not need another subcommittee.
  • Trev suggested that this current day/time be used only for the Server Cert Working Group and that the Forum Plenary meeting be moved to a separate 30-minute time slot, as it is focused on updates that have been able to be completed within 30 minutes. Dimitris will send a Doodle poll for proposed time slots for the CA/B Forum Plenary meeting. Jos Purvis (Fastly) added that a noon Eastern time slot may be a problem for people on the East Coast eating lunch. Inigo suggested extending this current time slot by an additional 15 minutes so that the two meetings are combined and extend to 12:15 Eastern time. Trev mentioned using the Doodle poll to get feedback.
  • Trev mentioned that Paul had suggested the Plenary meeting should be once per month. Trev liked that option as well as just moving the Plenary meeting updates to email.
  • Bruce said that the Validation Subcommittee does not always have an accurate scope and sometimes includes items that should be in the Server Cert meeting. Ryan Dickson (Google) agreed that the Validation Subcommittee does most of the work, but the Server Cert WG should be where most work is accomplished. There is a GitHub repository with 70+ issues being tracked. The Server Cert meeting could be where we rank issues and then collectively work together to address them and produce ballots. Trev agreed that a full hour would allow those discussions to occur instead of being limited by the existing 30-minute meeting.
  • Clint Wilson (Apple) said that he is hearing that it would be better to make the existing time slot dedicated to the Server Certificate Working Group meeting, and to move the Forum Plenary call, as a 30-minute meeting, to a different time slot. The Doodle poll should determine where to put that 30-minute Forum Plenary meeting. Dimitris agreed with that approach. Scott Rea (eMudhra) asked if we still need that 30-minute meeting or if Forum updates from the Forum Plenary meeting can be moved to email. Dimitris mentioned that it is not just updates and that there is sometimes discussion, such as updates to the charters and bylaws, as well as f2f preparation. It could be possible to remove updates from WG chairs from the Forum Plenary meeting and move those to email so that the meeting is more productive. Martijn Katerbarg (Sectigo) asked if we can take the other half hour from Infrastructure to fill in the full hour. Dimitris said that people can use the mailing list to propose additional time slots in the Doodle poll.

Ballots – Inigo Barreira (Sectigo)

  • SC-64 Moratorium for certificate consumers – Passed
  • SC-59 Weak Keys – Thomas Zermeno (SSL.com) sent the ballot for the voting period that starts today
  • Mads Henriksveen (Buypass AS) asked if Debian can be removed from the ballot. This limits the number of key sizes that can be used. Clint Wilson (Apple) said that the ballot will keep Debian in, but if someone wants to propose removal, they should propose that change.
  • SC-XX OCSP is Optional – Ryan Dickson (Google) will send an update based on the suggestions made through the mailing list, which include language and formatting changes. The next round of discussion will start later today.

Any Other Business – Inigo Barreira (Sectigo)

  • None

Next meeting is July 6, 2023

Meeting Adjourned
