
Minutes of the F2F 62 Meeting in Bergamo, Italy, May 28-29, 2024

Day 1 Tuesday, 28 May 2024

CA/Browser Forum level Meeting

Attendance

Aaron Poulsen - (Amazon), Abhishek Bhat - (eMudhra), Adrian Mueller - (SwissSign), Adriano Santoni - (Actalis S.p.A.), Andrea Holland - (VikingCloud), Andreas Henschel - (D-TRUST), Antti Backman - (Telia Company), An Yin - (iTrusChina), Arno Fiedler - (ETSI), Arvid Vermote - (GlobalSign), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Christophe Bonjean - (GlobalSign), Chya-Hung Tsai - (TWCA), Clemens Wanko - (ACAB Council), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Dave Chin - (CPA Canada/WebTrust), Dean Coclin - (DigiCert), Devon O’Brien - (Google), Dimitris Zacharopoulos - (HARICA), Dong Wha Shin - (MOIS (Ministry of Interior and Safety) of the Republic of Korea), Doug Beattie - (GlobalSign), Eva Vansteenberge - (GlobalSign), Hannah Sokol - (Microsoft), Hogeun Yoo - (NAVER Cloud Trust Services), Inaba Atsushi - (GlobalSign), Iñigo Barreira - (Sectigo), Janet Hines - (VikingCloud), Jeremy Rowley - (DigiCert), John Sarapata - (Google), Josselin Allemandou - (Certigna (DHIMYOTIS)), Jozef Nigut - (Disig), Kateryna Aleksieieva - (Asseco Data Systems SA (Certum)), Keshava Nagaraju - (eMudhra), Kiran Tummala - (Microsoft), Leo Grove - (SSL.com), Luis Cervantes - (GoDaddy), Mads Henriksveen - (Buypass AS), Mahua Chaudhuri - (Microsoft), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), Mats Rosberg - (Keyfactor), Matthias Wiedenhorst - (ACAB Council), Michal Malinowski - (Asseco Data Systems SA (Certum)), Michelle Coon - (OATI), Miguel Sanchez - (Google), Mohit Kumar - (GlobalSign), Mrugesh Chandarana - (IdenTrust), Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Naveen Kumar - (eMudhra), Nick France - (Sectigo), Nicol So - (CommScope), Paul van Brouwershaven - (Entrust), Pedro Fuentes - (OISTE Foundation), Pekka Lahtiharju - (Telia Company), Peter Miskovic - (Disig), Prachi Jain - (Fastly), Puja Sehgal - (Microsoft), Raffaela Achermann - (SwissSign), Rebecca Kelly - (SSL.com), Rob Stradling - (Sectigo), Romain Delval - (Certigna (DHIMYOTIS)), Roman Fischer - (SwissSign), Ryan Dickson - (Google), Sandy Balzer - (SwissSign), Scott Rea - (eMudhra), Sissel Hoel - (Buypass AS), Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno - (SSL.com), Tim Callan - (Sectigo), Tim Crawford - (CPA Canada/WebTrust), Tim Hollebeek - (DigiCert), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Tsung-Min Kuo - (Chunghwa Telecom), Wei-Hao Tung - (Chunghwa Telecom), Xiu Lei - (GDCA), Yoshihiko Matsuo - (Japan Registry Services).

Approval of CABF Minutes from last teleconference

  • Leader: Dimitris Zacharopoulos (HARICA)

The draft minutes have not been distributed yet.

Future face to face meeting schedule

  • Leader: Dimitris Zacharopoulos (HARICA)

  • Presentation link: [Future meetings](1-CABF_Future meetings.pdf)

  • Fall 2024 meeting will be hosted by Amazon in Seattle, WA, USA

  • Spring 2025 meeting will be hosted by SECOM in Tokyo, Japan

  • Summer 2025 meeting will be hosted by CPA Canada in Toronto, Canada

Discussion outside the presentation: No further discussion.

Guest Speaker

Open Mic

  • Discussion leader: Dimitris Zacharopoulos (HARICA)
  • Minutes: Dean Coclin (DigiCert)

Term Limits for Chairs: Can be re-elected for 3 terms according to the new bylaws. Can vacate and come back as chair after a break in a term. The CWG language differs from the Forum level language and is currently a “mess”. This needs to be resolved.

Tim H. suggests making the Forum bylaws take precedence over the CWG bylaws. Some WGs have fewer people, though, and may find it difficult to alternate chairs.

Next topic: Should we merge EV & TLS guidelines?

Paul: Should we have a separate group focused on identity provisions? The primary goal would be to avoid conflicts between documents.

Dimitris: Should merge the docs at some point.

Tim H: Look at the VMC guidelines as an example.

Dimitris: Concern about increased overhead for chairs/officers

Paul: Should CAs be required to bring back to the Forum areas of concern or clarity in the BRs

Dimitris: We need to have someone analyze and provide conclusions to help all CAs and ecosystem.

Should this be added to the BRs? Maybe a subcommittee can do this.

Tim C: Would be hard to enforce having CAs bring it back to the Forum

Trev: There will be pushback to provide best practices in requirements

Dimitris: perhaps a list of issues that CAs can reference illustrative examples or controls

Paul: When is the best time to review bugs? Comments continuously come in.

Martijn: Once bug is closed, it’s easy to forget about it. CAs shouldn’t be afraid to review/comment on any.

Ben: Should be seen as an Info sharing resource. Anonymous comments from CAs should be allowed.

Martijn: Perhaps put tags on the bugs to help with correlation and searching.

Paul: Tag & parse the bugs to make access/references easier for action items

Trev: Amazon finds “root cause” very interesting part of the bug reports. Perhaps “bucket” root causes to make them easier to reference.

Paul: Scanning bugs via API is useful. But other parts of bug can also be useful

Dimitris: We are lacking the “action” part in the bugs. Summaries are good.

Paul: How should we facilitate the feedback loop back to the CA/B forum from subscribers and relying parties? Is there a way to collect such feedback?

Ben: Amend the ballot process to add a feedback statement from a relying party or subscriber. Could also add to the incident response form a note about which section of the BRs was the problem.

Dimitris: reading the comments sometimes is more important than the summary

Forum Infrastructure Subcommittee

  • Leader: Jos Purvis (Fastly)
  • Minutes: Wayne Thayer (Fastly)
  • Presentation link:
  • Discussion minutes:

Martijn Katerbarg presented on the topic of the mailing list migration.

Paul van Brouwershaven said that it is possible to migrate mailing list archives from mailman to Google Groups. Paul said that the PKI Consortium had dealt with issues of members wanting to use a different email address than their corporate account.

Wayne Thayer asked if we need to consider this when migrating? Paul said no, we can migrate corporate email addresses. Then people can also add another email.

Dimitris Zacharopoulos asked about voting automation. Martijn said that we need to confirm that the quorum calculation is verified in the member tool.

Paul suggested that we vote in an online tool. Martijn said that we're working on 2FA and electronic voting. Dimitris said that we have agreed to do this.

Ben Wilson walked through the new CAB Forum Handbook started by Inigo.

Dimitris asked current Chairs and Vice Chairs to review the document. Ben said that he would ensure they have access to the document.

Browser Updates

Mozilla Root Program Update

  • Leader: Ben Wilson (Mozilla)
  • Minutes: Martijn Katerbarg (Sectigo)
  • Presentation link: Mozilla Update
  • Discussion minutes:
  • Question from Paul: Are there any plans to add ACME for S/MIME support to Thunderbird?
    • It’s not currently listed as a feature request, but there’s nothing that should prevent a feature request from being opened on this.
  • Are you the go-to person for these types of bugs?
    • Ben: Yes
  • Dimitris: A question about the charts you showed. The way I read it is that more transparency from CAs shows more incidents now, where previously we may not have heard about them.
    • Ben: We believe it’s attributable to pkilint and the changes after the certificate profiles ballot.
  • Dimitris: It would be helpful to capture more common root cause issues and track them for the CA community to learn from. A lot of us are already reading all bugs, and may be able to assist in tracking this in a shared repository.
  • Rob: Kathleen retired recently. Are there plans on adding someone in her position or are you a one-man team for now?
    • Ben: A one-man team; however, I do work closely with people from the security team, where we have a peer review process together with them. We’ve not really yet discussed who we want in some internal compliance positions.
  • Paul: Could we perhaps tag a bug where a ballot / requirement change was the reason for it?
    • Ben: Yes this is something we can do with tags.

Google Root Program Update

  • Leader: Chris Clements and Ryan Dickson (Google)
  • Minutes: Miguel Sanchez (GTS)
  • Presentation link: Chrome Browser Update
  • Discussion minutes:

Policy Update

  • V1.5 landed in January
  • Will continue pre-flighting future policy updates
  • Version 1.6 is TBD based on analysis of the above phased approach items
    • Will pre-flight the language and allow for feedback

Moving Forward Together

  • Just a reminder that this is still the vision for the future
  • Considering updating the doc based on recent improvements
  • Phased Approach
    • Remains the same
    • Some items already accomplished (e.g. term limit for roots)
    • Other items currently being discussed (e.g. expectation for linting and phasing out multi-purpose roots)
    • Items are on the roadmap (e.g. MPIC, shorter validity periods for subCAs and leaf certs)

Incident Reporting

  • Demonstrate character and commitment and continuous improvement
  • Incident reporting is crucial for root inclusion requests
  • Assessment is driven not by the number of reports but by their quality (quality > quantity)
  • What is expected from a high quality report
    • Tone and content
    • Do not place blame or deflect responsibility
  • Examples of good incident reporting will be put up on ccadb.org
  • Report content
    • RCA is crucial
    • Holistic and systemic approach to analysis and mitigation
    • Past promises as an indicator for future behavior
  • Dos and Don’ts list created and published
    • List in the slide
  • Encouragement to participate more broadly in the process even outside your org
  • Opportunity Ahead
    • Working with CCADB Steering Committee to propose update to CCADB IR guidelines
    • Might make these changes part of the template
    • Would like to make the IR process more useful for everyone
  • Chrome is concerned about recent trends in Bugzilla
    • Linting and routine delayed revocation incidents are top of mind
  • Experiment: leaf cert revocations to CRLSet for CRLs disclosed to CCADB
  • Experiment: Enterprise Policies
  • Experiment: Chrome Root Store UI Refresh
    • Idea is to make interface consistent across platforms
  • Experiment: Sunlight logs
    • Stay tuned for more updates on Sunlight

Discussion

  • GTS - trying to be more transparent in Incident Reporting, but it’s hard
    • Bugzilla feels more confrontational
    • A lack of vetting of people’s accounts/comments
    • Root programs are like written laws, whereas comments are like case law/studies
    • Emergent consensus that differs between Bugzilla and the BRs/CAB Forum
    • Solutions
      • Have people vetted for conversations
      • Recognize the changing landscape in Bugzilla discussions vs. what’s written in the BRs
  • Fastly
    • What kind of Leaf revocation will you be publishing?
    • privilegeWithdrawn and keyCompromise are the reason codes that will be honored
  • Amazon
    • Understanding how to phrase ownership and accountability is the hardest for new folks
    • Never say that a person caused a thing to happen
      • Should rather write it like “System allows…”

Mozilla Root Program Update

  • Leader: Ben Wilson (Mozilla)
  • Minutes: Martijn Katerbarg (Sectigo)
  • Presentation link: Mozilla News

Apple Root Program Update

  • Leader: Clint Wilson (Apple)
  • Minutes: Hannah Sokol (Microsoft)
  • Presentation link: May Apple

8/15/24 - Deadline for CAs to meet one of the 4 validation methods

12/1/24 - All S/MIME enabled CAs should have an audit updated in CCADB. September 1 is when audit should be started by/done by?

Inclusion Request - A couple slipped from Spring to Fall inclusion due to some software updates, should have them in with the fall update. Thereafter, they should be making changes to timeline for inclusion requests (a couple times a year to a more ad-hoc approach)

Incidents - Clint is centering his time and investigation around the following questions. If you have thoughts to share with Clint directly, please feel free to do so. What? What are we trying to get out of these reports? What outcomes do we, as an ecosystem, want to gain from these reports? This question does not have a single answer, or an answer that can be implemented overnight, which is OK. How? How do we get there? What changes should be made to how we manage incidents as an ecosystem / industry? There is a lot of value that we can provide to ourselves and to the incident management process. The focus is on the problem space as opposed to the solution space: understanding everything to do with that problem space. If you want to help, reach out to Clint. He would love to hear more about the issues that you are running into.

Policy update with a preview / survey coming up in CCADB, coming from the alias apple@ccadb.org. This should be coming out in the next couple of months, followed by publication of the document. Looking to publish 2 policy updates this year.

Please reach out to the Apple Root Program with any questions.

Microsoft Root Program Update

  • Leader: Hannah Sokol (Microsoft)
  • Minutes: Mahua Chaudhuri (Microsoft)
  • Presentation link: [Microsoft F2F 62 Presentation](6-Microsoft F2F 62 Presentation.pdf)

Summary of the Q&A after the presentation:

  • Surveys from root stores don’t reach a lot of folks, as they get sent to one person. If that person is busy or out of office, there is no response. The change requested was to send them to all points of contact and all aliases listed in CCADB to increase the reach.
  • Clarification about acceptance of new CAs to the Microsoft Root Program. Microsoft is not accepting new CAs into their program now, but is accepting new roots from existing CAs. They are only accepting two types: root rollover and changing a multi-purpose root to a single-purpose root.
  • Does Microsoft require OCSP for TLS certs? Microsoft has some internal dependencies and is working internally to see how they can make that optional, but doesn’t have any concrete dates/timelines yet on when that will happen.
  • Some applications don’t accept ECC Code Signing certificates, hence Microsoft put out a warning that not all things are compatible with the ECC code signing scenario.
  • Why doesn’t Microsoft allow S/MIME policy OIDs? Hannah will follow up internally and get back.

CCADB Update

  • Leader: Chris Clements (Google)
  • Minutes: Puja Sehgal (Microsoft)
  • Presentation link: CCADB Update

Q&A Root Program discussions

  • Leader: Dimitris Zacharopoulos (HARICA)
  • Minutes: Kateryna Aleksieieva (Certum)

Clint Wilson wanted clarification on using email aliases in the CA owner tab of CCADB, noting inconsistencies in contact methods. Suggestions included linking to group lists, using the Point of Contact object, and sending emails to all available contacts for better communication coverage.

Dimitris addressed issues within the CAB/F and its working groups, particularly linting, and encouraged greater participation in ballot initiatives. He noted that newer CAs should take more initiative and share best practices. Dimitris warned that the forum risks failure if members do not propose changes, as most updates currently come from root programs rather than the community.

A question was raised to Microsoft about the status of ECC keys for code signing and their support in Windows. Hannah explained that there are compatibility issues with some Microsoft programs, although it works with most applications.

Another question, from Martijn, concerned Microsoft’s potential addition of an S/MIME OID requirement in leaf certificates, specifically regarding item 10 in the program requirements (3.8.10); Hannah promised further clarification.

Discussion on anonymizing Bug Reporters:

  • Tim Callan raised a concern about the trend of publicly naming bug reporters in incident reports. He encourages Browsers to implement a policy to anonymize third-party reporters, arguing that the identity of the reporter is irrelevant to the validity of the report.
  • Tim Hollebeek acknowledged that while naming reporters can be a form of appreciation, the practice could be discontinued if necessary.
  • Trevoli Ponds-White supported the idea of granting anonymity upon request and suggested obtaining explicit consent before disclosing reporters’ identities.
  • Ben Wilson questioned where and how to document this policy, proposing the wiki or CCADB incident reporting guides as potential locations.
  • Trevoli proposed including the anonymity clause in the next policy update.
  • Martijn suggested specific wording for the policy: “CA should not or shall not disclose the name of the reporter unless…” and noted potential GDPR compliance issues.
  • Bruce Morton highlighted the value of knowing how an issue was found for transparency and problem-solving but recognized the challenge in balancing this with reporter anonymity.
  • Tim underlined the difficulty in managing external reporters’ reporting preferences, as they are not a part of the community.
  • Trevoli and Tim agreed on the importance of asking reporters for details on how they found the issue, to enhance incident reports.

ETSI Update

ACAB’C Update

  • Leader: Clemens Wanko (TÜV AUSTRIA, ACAB’c Chair)
  • Minutes: Arvid Vermote (GlobalSign)
  • Presentation link: ACAB’C presentation

Member status: no changes since last F2F; the majority of CABs are members.

Updates

  • Revision of the eIDAS regulation (not “eIDAS 2”, still called “eIDAS”): in effect since May 20 2024; new trust services, digital wallet, QWAC browser recognition etc.
  • NIS2: applicable to all CAs operating in Europe; an Implementing Act on NIS2 is upcoming; requirements for CAs/TSPs are mainly addressed by the updated EN 319 401.
  • S/MIME BR audit integration: 119 411-6 interfaces between 319 411-1/2 and the S/MIME BR; certification requirements are set by 319 411-1 (amended by 119 411-6) and 319 411-2 (amended by 119 411-6).
  • Audit attestation letter templates: no updates, except for the new CCADB field about Network Security Audit Statements, since with eIDAS there is no separate attestation letter for this. There is some lack of clarity in terms of proper scope when it comes to netsec; analysis is ongoing to make sure the scope of coverage is sufficient. TSPs should make sure that netsec is mentioned in the AAL.

Questions

  • Dimitris asked regarding netsec: CABF has a separate working group which has drafted a new document, but it is not yet incorporated into the other BR documents. How is it going to work in an audit report when one BR doc is updated to the latest version and another is not; which version will the audit report show? Answer: the CCADB committee has explicitly requested that version numbers be included. Including conflicting version numbers will create issues. Ben Wilson added that CCADB will update the ALV processing for the netsec letter to check for the version number. ALV will support netsec version parsing even if multiple other BRs refer to different versions. ACAB’C expects auditors to audit against the versions of netsec referred to in the other BR requirements. AAL letters will refer to the specific netsec versions, so you might have different AAL letters referring to different netsec versions.

WebTrust Update

  • Leader: Tim Crawford (BDO) and Dave Chin (CPA Canada)
  • Minutes: Arvid Vermote (GlobalSign)
  • Presentation link: [Webtrust Presentation](10-Webtrust - CABF Italy Final May 28 2024.pdf)

WebTrust Product Update

  • New versions of the criteria, refer to slide deck
  • Updates for Code Signing and RA planned June 2024
  • Reporting Template updated: VS 3.0, refer to slide deck for details
  • Network security: separate reporting is recommended effective April 1st 2024. All CAs in scope should be in that single NSR report. Separate reporting is targeted to be required in 2025.
  • SSL usage will be changed to TLS in coming versions
  • VMC has been changed to Mark Certificates (MC)
  • Webtrust continues monitoring ISO 21199 and 27099

Carve-out Approach

  • Carve-out report needed for cloud services providing PKI services to non-CCADB / traditional CA
  • Webtrust does not allow carve-out subservice providers
  • SOC2+ allows the addition of specific external criteria
  • WebTrust task force will create criteria for key management so it can be included in a SOC2+
  • WebTrust carve-out report will be created with a description of system boundaries (services in and out of scope)

Other uses of Webtrust

  • WebTrust task force is exploring other issues; a meeting happened with the Connectivity Standards Alliance regarding WebTrust for IoT.

CPA Canada Updates

  • Update on seal issuance numbers
  • Browsers have an interest in report retention / historical access to WebTrust reports. Browsers seem to be fine with 2 years of retention. Will be there in June 2024.
  • Some structural changes are ongoing within CPA Canada (CPA Ontario and CPA Quebec leaving), but WebTrust is not impacted.
  • Qualified reports should have a seal; unqualified reports MUST have a seal. CPA Canada is recommending moving from “should” to “must”.
  • The practitioner page is being analyzed for revamping, adding some details of practitioners, especially important for the Big 4 and other large accounting firms.

Questions

  • Arvid asked whether the illustrative reports can be shared with CAs so they can also review their auditors’ (draft) reports; CPA Canada will review whether that is possible.
  • Dimitris asked about the carve-out option; it seems the problem is that SOC3 is insufficiently detailed, so SOC2(+) is required to do a proper carve-out and system description.
  • Ben asked whether the practitioner listing changes affect big firms. CPA Canada responded that it will be refined, and for bigger firms it will be detailed granularly per member firm.

Q&A Audits and Standards

  • Discussion Leader: Dimitris Zacharopoulos (HARICA)
  • Minutes: Arvid Vermote (GlobalSign)
  • Dimitris asked about carve-out audits and whether ETSI has similar plans. Nick responded that there is an “ask” for it; the area is covered by ETSI standards, but there certainly seems to be an interest in using cloud services. He also referred to ENISA reports. That report identifies certain issues but does not provide a proper conclusion; Nick said it surely is an interesting read. The ENISA report can be found here: https://www.enisa.europa.eu/publications/trust-services-secure-move-to-the-cloud-of-the-eidas-ecosystem.

ADJOURNED Forum Plenary Meeting for Day 1

Day 2 May 29, 2024

CA/Browser Forum Meeting

Attendance

Aaron Poulsen - (Amazon), Abhishek Bhat - (eMudhra), Adrian Mueller - (SwissSign), Adriano Santoni - (Actalis S.p.A.), Andrea Holland - (VikingCloud), Andreas Henschel - (D-TRUST), Antti Backman - (Telia Company), An Yin - (iTrusChina), Arno Fiedler - (ETSI), Arvid Vermote - (GlobalSign), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Christophe Bonjean - (GlobalSign), Chya-Hung Tsai - (TWCA), Clemens Wanko - (ACAB Council), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Dave Chin - (CPA Canada/WebTrust), Dean Coclin - (DigiCert), Devon O’Brien - (Google), Dimitris Zacharopoulos - (HARICA), Dong Wha Shin - (MOIS (Ministry of Interior and Safety) of the Republic of Korea), Doug Beattie - (GlobalSign), Eva Vansteenberge - (GlobalSign), Hannah Sokol - (Microsoft), Hogeun Yoo - (NAVER Cloud Trust Services), Inaba Atsushi - (GlobalSign), Iñigo Barreira - (Sectigo), Janet Hines - (VikingCloud), Jeremy Rowley - (DigiCert), John Sarapata - (Google), Josselin Allemandou - (Certigna (DHIMYOTIS)), Jozef Nigut - (Disig), Kateryna Aleksieieva - (Asseco Data Systems SA (Certum)), Keshava Nagaraju - (eMudhra), Kiran Tummala - (Microsoft), Leo Grove - (SSL.com), Luis Cervantes - (GoDaddy), Mads Henriksveen - (Buypass AS), Mahua Chaudhuri - (Microsoft), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), Mats Rosberg - (Keyfactor), Matthias Wiedenhorst - (ACAB Council), Michal Malinowski - (Asseco Data Systems SA (Certum)), Michelle Coon - (OATI), Miguel Sanchez - (Google), Mohit Kumar - (GlobalSign), Mrugesh Chandarana - (IdenTrust), Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Naveen Kumar - (eMudhra), Nick France - (Sectigo), Nicol So - (CommScope), Paul van Brouwershaven - (Entrust), Pedro Fuentes - (OISTE Foundation), Pekka Lahtiharju - (Telia Company), Peter Miskovic - (Disig), Prachi Jain - (Fastly), Puja Sehgal - (Microsoft), Raffaela Achermann - (SwissSign), Rebecca Kelly - (SSL.com), Rob Stradling - (Sectigo), Romain Delval - (Certigna (DHIMYOTIS)), Roman Fischer - (SwissSign), Ryan Dickson - (Google), Sandy Balzer - (SwissSign), Scott Rea - (eMudhra), Sissel Hoel - (Buypass AS), Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas Zermeno - (SSL.com), Tim Callan - (Sectigo), Tim Crawford - (CPA Canada/WebTrust), Tim Hollebeek - (DigiCert), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Tsung-Min Kuo - (Chunghwa Telecom), Xiu Lei - (GDCA), Yoshihiko Matsuo - (Japan Registry Services).

2024 CA/Browser Forum Elections

  • Leader: Dimitris Zacharopoulos (HARICA)
  • Minutes: Hannah Sokol (Microsoft)
  • Presentation link: CA/Browser Forum Elections
  • Discussion minutes:

There was a change in the bylaws so that the nomination and all the other steps are now led by the Forum chair and vice chair. They will lead all elections for the Forum as well as for all working groups.

6 positions of chair and vice chair to elect between the Forum and the working groups. All position definitions are in the glossary for each position; 2-year term.

Need to start August 12 at the latest: we start nominations for all working groups and the Forum chair. Nominations are made on the mailing lists (Forum-level and working group mailing lists).

When nominations end, depending on the number of nominations, elections will be started by the election committee: 1 WebTrust auditor (Dave or Tim) and 1 ETSI auditor (Clemens or Matthias).

One major difference from the last elections is that there is no longer a discussion period; ballots will be sent to the management list, with 7 days to vote.

Check the table for all dates.

Vice chair elections start at the beginning of October, with the same process as above.

All newly elected positions will start Dec 1 2024.

Open Q&A

Dean - Why is the Forum chair dealing with the elections for the working groups?

Dimitris - This is what we agreed on the last time we updated the bylaws. The hope is that this change will foster better communication; elections are done at the Forum level.

Dean - This process seems like a lot of overhead.

Dimitris - This new process will be more consistent and streamlined. In the past, each chair was interpreting the positions differently; this will streamline it. Dimitris posed a question: would it be easier if all working group voting was done in a single email? We can send one email, one special ballot that has all the nominations for each working group, instead of sending 6 emails for chair and 6 emails for vice chair; maybe less confusing? Strong feelings?

Bruce - This scenario requires that more than one person is nominated to be chair / vice chair in order to have an election. Might want to wait until we find out who wants these jobs first.

Dimitris - Good observation; if we have one candidate, then the election is simple, we just need a confirmation vote. If we have more than one, then would people prefer one ballot or not?

Martijn - The election committee should have the preference on that. Also, who is allowed to vote? Are all votes done on Forum membership? If someone is not a member of S/MIME, are they still allowed to vote on the S/MIME chair because they are part of the Forum?

Dimitris - In order to vote in a working group election, the voting party must be a member of that working group.

Martijn - The voting committee should review and have the final say on single-email voting.

Tim C - It seems like this is going to be a non-trivial piece of work; batch it into one email. It is not a burden on voting members to combine them into a single email to make it easier.

Trev - This literally seems like it will make things easier

Dimitris - What if they are only part of one working group?

Paul - The election committee will have to look into whether they can vote or not, and just ignore it if members have voted on working groups they are not a part of.

Dimitris - But if we send it out separately, then we won't have to check; it will just go to the correct people.

Trev - Don’t commit voter fraud

Tim C - Make it one ballot, we are smart and can figure it out.

Ben - thumbs up

Dimitris - OK, it will just be one ballot

BR of BRs

  • Leader: Paul van Brouwershaven (Entrust)
  • Minutes: Arvid Vermote (GlobalSign)
  • Presentation link:
  • On the BR of BRs, Paul has been giving presentations since the last F2F (https://cabforum.org/2024/02/26/minutes-of-the-f2f-61-meeting-in-new-delhi-india-february-26-27-2024/10-20240227%20BR%20of%20BRs.pdf) with the intent of providing an overview of the BR of BRs. In the last F2F Paul provided more details about the identified duplications, comparing the sections within the different BRs and showing that there is a large similarity between the documents, some sections being 90-100% equal, or sometimes less, with the only difference being the key usage / working group / BR name.
  • An additional observation was that different working groups and documents do not follow the relevant RFC structure. Also, there are sections that are added on top of the RFC. There is no alignment there at all, so it is hard to map those / compare the documents. It is hard to identify which section requirements fit into if they differ for each document.
  • Having highlighted that in the last F2F meetings, Paul encourages everyone to look at those presentations again; the intent is to discuss today how we are going to execute this initiative further. There is a proposal to start some alignment ballots.
  • Paul is wondering how we are going to make further progress and whether there are additional members that want to support this initiative. From talking to other members, most seem to recognize the need for this initiative / improving misalignments. This will benefit all of us.
  • Dimitris said he agreed with the approach; these are non-controversial changes. Paul has already created some scripts and tools to demonstrate easy differences to tackle, but more contributions are required from other members. We need to draft the ballots, and it needs to be clear that these are edge changes with no fundamental impact on or changes to requirements. This is a call for action / assistance from members to help on this.
  • Paul shared a link in the chat to the tools he created that show the misalignments. This tool should make the work easy. Looking further at the idea of the BR of BRs, the idea was that once everything was better aligned we could then move sections out of the different documents into the BR of BRs.
  • If we do not take action now, we will have the same conversation at the next F2F meeting.
  • Dimitris very much liked the proposal for numbered requirements. It is sometimes hard right now to identify (hidden) requirements, which causes pain and unnecessary revocations. The clearer the requirements, the better for the community and ecosystem.

Revocation timelines

  • Leader: Ben Wilson (Mozilla)
  • Minutes: Puja Sehgal - (Microsoft)
  • Presentation link: Revocation timelines

ADJOURNED Forum Plenary Meeting for Day 2
