CA/Browser Forum

2024-04-25 Minutes of the Server Certificate Working Group

Attendance

Aaron Poulsen (Amazon Trust Services), Adam Jones (Microsoft), Andrea Holland (VikingCloud), Ben Wilson (Mozilla), Bindi Davé (DigiCert), Brianca Martin (Amazon), Chris Clements (Google Chrome), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dimitris Zacharopoulos (HARICA), Dong Wha Shin (MOIS), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-Trust), Gregory Tomko (GlobalSign), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Jaime Hablutzel (OISTE Foundation), Janet Hines (VikingCloud), Jay Wilson (Sectigo), Johnny Reading (GoDaddy), Keshava Nagaraju (eMudhra), Kiran Tummala (Microsoft), Li-Chun Chen (Chunghwa Telecom), Lynn Jeun (Visa), Mads Henriksveen (Buypass AS), Mahua Chaudhuri (Microsoft), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon Trust Services), Miguel Sanchez (Google Trust Services), Mrugesh Chandarana (IdenTrust), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nicol So (CommScope), Nome Huang (TrustAsia), Peter Miskovic (Disig), Rollin Yu (TrustAsia), Ryan Dickson (Google Chrome), Scott Rea (eMudhra), Sissel Hoel (Buypass), Stephen Davidson (DigiCert), Steven Deitte (GoDaddy), Tadahiko Ito (SECOM Trust Systems), Tathan Thacker (IdenTrust), Thomas Zermeno (SSL.com), Tim Hollebeek (DigiCert), Trevoli Ponds-White (Amazon Trust Services), Tsung-Min Kuo (Chunghwa Telecom), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority), Yashwanth TM (eMudhra)

Roll Call

The call’s recording was enabled.

Inigo greeted participants and opened the meeting.

Ryan Dickson is taking minutes.

Inigo completed Roll Call (attendees listed above).

Read Antitrust Statement

Inigo read the Note-well.

Review Agenda

Inigo reviewed the agenda.

No additional agenda items were raised for discussion.

Approval of minutes

The following minutes were distributed prior to the call:

Minutes from February 15th circulated on April 11

Minutes from March 28th circulated on April 22

Minutes from April 11th circulated on April 18

There was no discussion on the above sets of minutes; they are considered approved. Inigo will soon publish the approved minutes to the website.

Membership

No current Applications to review.

Discussion

GitHub open issues

On triage approach: Ping issues twice a year. If no update in six months, evaluate the issue and determine whether it should be closed, re-prioritized, or re-assigned. If an issue hasn’t been touched in three years, it might be closed.

We discussed the 10 oldest issues:

153 Update from Corey: Not a high priority, but still should be completed. Collaboration welcome.

Additional discussion: Tim noted this would be an easy “First Ballot” for someone looking to learn the balloting process. We should consider applying that label to issues, where appropriate.

154 Update from Corey: I think this can be closed due to the Profiles Ballot. Additional discussion: Clint mentioned the only action left, as he recalled, was verifying the profile ballot addressed the issue. The group discussed and decided to close the issue, though it can always be reopened if anyone disagrees.

160 Update from Clint: Profiles Ballot helps with some of this, but there’s still some potential improvements we could make. His last thought was to see if it was something we’d address in the Definitions and Glossary Working Group. Still ongoing. We later went back to this discussion, and Clint shared what additional clarifications we might benefit from. Tim recalled the discussion might relate to SRV names (which would need to be addressed first in the IETF). This issue should be left open.

181 Update from Inigo: No clear action owner.

Additional discussion: This should be a clean-up item. Label added.

187 Update from Inigo: Assigned to Pedro (not on call).

Additional discussion: The issue appears to challenge the existing requirements. The described goal of the update would be to reduce opportunity for the existing requirements to be misinterpreted - especially when considering the order of operations that might take place. Trev asked whether we need these types of callouts for Technically-Constrained CAs. Tim thinks the rules are pretty clear today. Dimitris accepts action to also join the review and to help determine next steps.

193

Update from Inigo: This is related to 432 (style guide).

Additional discussion: Tim described that the EV Guidelines say CAs can set a date, but there’s no expected format defined - resulting in inconsistency across EV issuers. This is another example of a good “First Ballot” item. Ben mentioned an open Incident Report related to DigiCert may result in some of this language being updated, and perhaps this could also be considered at that time.

229

Update from Dimitris: We now indicate which Validation methods allow wildcards, so this issue can be closed. Clint mentioned there is likely still a useful change to take place in 3.2.2.6 because “an appropriate way” is unclear. As described in Dimitris’ comment, this concern could be remedied (i.e., “appropriate way” needs to point to the actual methods we have defined). Issue updated to clarify this status.

243

Update from Tim: This is a clean-up item. While some sections should have requirements written, “No stipulation” is more appropriate than blank.

148

Discussion: This can be closed.

252

Discussion: This would make a good F2F discussion, let’s consider broader discussion at the F2F. Inigo took action to plan future agenda item.

PAG

Ben shared an invite for a PAG meeting on Monday (4/29) at 11am ET - the claimant of the exclusion (GoDaddy) was not included.

Ben asked if anyone had questions about the process, there were none.

Inigo suggested Ben share an update at the F2F for broader visibility. Ben indicated there might not yet be any updates available at that time, but an update might be worthwhile (depending on the circumstances).

F2F agenda

Send Inigo any discussion ideas for the F2F.

Current status of ballots

Ballots passed

None

Voting Period

None

Discussion Period

SC67: Ryan indicated discussion Round 2 may start as early as tomorrow.

SC71: Dustin and Ben indicated that updates are pending; a subsequent round of discussion will be opened at a later time.

SC73: Wayne indicated the discussion period ends this afternoon, no feedback so far. Wayne is planning to move for voting later today or tomorrow.

Review Period

SC74 – Clarify CP/CPS structure according to RFC 3647

Dimitris shared a pre-ballot with the list. Aaron from ATS volunteered as an endorser. Tim volunteered to endorse, Dimitris will move forward with Discussion.

Draft / Under Consideration

SCXX – Profiles cleanup ballot – on hold

SCXX – Measure all hours and days to the second – on hold - removed

SCXX – Introduce linting in the TLS BRs

There are endorsers, draft language is on Wiki, it’s a work in progress.

Any Other Business

None

Next call

Next call: 9 May at 11:00 am Eastern Time

Meeting adjourned
