CA/Browser Forum

2023-07-06 Minutes of the Server Certificate Working Group

Server Certificate Working Group Meeting July 6, 2023

Attendees

Iñigo: For the attendance, Rich Smith of DigiCert and Daryn of GoDaddy joined the call.

Abdul Hakeem Putra – (MSC Trustgate Sdn Bhd), Abhishek Bhat – (eMudhra), Adam Jones – (Microsoft), Andrea Holland – (VikingCloud), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Chris Clements – (Google), Clint Wilson – (Apple), Corey Bonnell – (DigiCert), Corey Rasmussen – (OATI), Daryn Wright – (GoDaddy), Dimitris Zacharopoulos – (HARICA), Dustin Hollenback – (Microsoft), Enrico Entschew – (D-TRUST), Eva Vansteenberge – (GlobalSign), Fumi Yoneda – (Japan Registry Services), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Jos Purvis – (Fastly), Keshava Nagaraju – (eMudhra), Lynn Jeun – (Visa), Mads Henriksveen – (Buypass AS), Marcelo Silva – (Visa), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Michelle Coon – (OATI), Nargis Mannan – (VikingCloud), Nate Smith – (GoDaddy), Nicol So – (CommScope), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Peter Miskovic – (Disig), Rebecca Kelley – (Apple), Rich Smith – (DigiCert), Rollin Yu – (TrustAsia Technologies, Inc.), Roman Fischer – (SwissSign), Ryan Dickson – (Google), Scott Rea – (eMudhra), Stephen Davidson – (DigiCert), Tadahiko Ito – (SECOM Trust Systems), Thomas Zermeno – (SSL.com), Tobias Josefowitz – (Opera Software AS), Trevoli Ponds-White – (Amazon), Wayne Thayer – (Fastly), Yashwanth TM – (eMudhra)

Read Antitrust Statement

Iñigo: Read during the forum call part

Review Agenda

Iñigo: Agenda approved

Minutes

    • 22 June: circulated

Iñigo: Minutes approved.

    • F2F: not ready yet

Iñigo: Sent out this morning. The validation SC minutes were also sent out this week. Will be approved in 2 weeks during the next call. And then published on the website.

Membership

    • No new applications

Iñigo: no new applications in these 2 weeks

Issues to discuss

    • Label GitHub open tickets

Iñigo: We have about 70ish open issues in GitHub and would like to ask their owners to label those that are not yet labelled in order to get them organized. We'd like to have a clean up ballot in the fall and will use those labelled as “clean-up” to recognize them easily and then work on those specific ones, and therefore not review the others. With that, we'll create the clean-up ballot and also will reduce the number of open issues in GitHub.

Ben: That's good, to have the issues labelled. Need to go through and look and see what's marked as clean up.

Iñigo: But I'm asking the owners to review and label accordingly. Once done, start on the ballot. I asked Corey in the past F2F to work on this possible cleanup ballot.

Ben: How do you want to label backburner? Those with very low priority.

Trev: we just want to keep them as reminder

Iñigo: Yes, we'll focus on those labelled as cleanup. For the others, you can label generic.

Ben: Ok, we can sort and choose the cleanup label and for the others I'll sort of.

Iñigo: yes, correct.

Trev: I'm not clear on what you said. Some are labelled, and Corey and you and someone are going to make a clean up ballot.

Iñigo: Yes, that's the idea.

Trev: So, you're making a clean up ballot and you're just saying that someone is making a clean up ballot.

Iñigo: Well, we're preparing the ballot but I'm not saying that I'll be the owner or proposer of the ballot, but yes, we can also make the proposal.

Trev: you need to figure out an owner of the cleanup ballot and then for the issues not labelled you want this person to open and label them?

Iñigo: The owners of the open issues need to check their own issues and label accordingly those that are not labelled. I'm not going to do it, but the owners. Those labelled as validation, for example, are ok.

Trev: so owners like Ryan, Clint, Tim, Dimitris, Aaron, Stephen, … are you going to email people or are you just telling them in this call?

Iñigo: I emailed some of these people some time ago to review their open tickets, open issues, because some were fixed and need to be removed, etc. For example, Tim told me that he was going to review his open tickets.

Trev: Are you giving a due date to do this?

Iñigo: No, I'd like to have this done asap and to have it ready for the fall to work on that cleanup ballot. Maybe by the end of September. It's not needed to do it this week, we're in summer holidays, so when people have time.

Trev: are you taking ownership of those? Items that were opened in the past by people that are not in the group. Are you going to assign them into someone else? How about those belonging to Ryan Sleevi?

Iñigo: I asked Ryan Dickson to take ownership as they are from Google.

Trev: Thanks Ryan. Ok, if that's enough of a label, then that's great. I don't think I have any other question, that was ok. Thank you.

Ballot Status – see list below

Iñigo: Regarding ballots, both ongoing have finished the discussion period. I'd like to ask the promoters what's the next step.

Tom: Yes, we've discussed and put a lot of effort into the ballot and want to wrap it up. If changes come later that may be something we can further discuss. So, yes, we're moving to voting.

Ryan: Yes, the voting period will begin in 15 minutes. I'll send out an email.

Any Other Business

Iñigo: Paul sent a link with the presentation given in the F2F that has gone to the IETF for discussion.

draft-vanbrouwershaven-acme-auto-discovery-00 – Auto-discovery mechanism for ACME client configuration (ietf.org)

Paul: Review the proposal, provide feedback and maybe express your support if you like the idea. I think this is key for an opportunity to move to shorter certificate validity. The proposal is based on the CAA record, and also contains some guidance for establishing an account binding, etc. I just wanted to share with the working group because I think it's important for everyone here on the call. Your feedback is really appreciated. Thank you.

Next call: 20 July

Adjourn

CURRENT STATUS OF BALLOTS

  • Passed
      • None
  • Failed
      • None
  • Voting Period
      • None
  • Discussion Period
      • SC63 – Make OCSP optional, require CRLs. Finished on the 29/6
      • SC59 – Weak Keys. Finishes today 3/7
  • Review Period
      • None
  • Draft / Under Consideration
      • SCXX – SLO/Response for CRL & OCSP Responses – David Kluge (Google) / Clint Wilson (Apple): on hold
      • SCXX – Clean-up ballot

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).