CA/Browser Forum
Home » All CA/Browser Forum Posts » 2024-08-29 Minutes of the Server Certificate Working Group

2024-08-29 Minutes of the Server Certificate Working Group

Attendance

Aaron Gable (Let’s Encrypt), Aaron Poulsen (Amazon), Adrian Mueller (SwissSign), Andrea Holland (VikingCloud), Antti Backman (Telia Company), Ben Wilson (Mozilla), Bineesh Ambali Vadakkekandi (Microsoft), Brianca Martin (Amazon), Bruce Morton (Entrust), Chad Dandar (Cisco Systems), Chris Clements (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Daryn Wright (Apple), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Gregory Tomko (GlobalSign), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Jaime Hablutzel (OISTE Foundation), Ji Eun Seong (MOIS (Ministry of Interior and Safety) of the republic of Korea), Johnny Reading (GoDaddy), Jos Purvis (Fastly), Josselin Allemandou (Certigna (DHIMYOTIS)), Kiran Tummala (Microsoft), Li-Chun Chen (Chunghwa Telecom), Lucy Buecking (IdenTrust), Luis Cervantes (GoDaddy), Lynn Jeun (Visa), Mads Henriksveen (Buypass AS), Mahua Chaudhuri (Microsoft), Marco Schambach (IdenTrust), Michael Slaughter (Amazon), Michelle Coon (OATI), Mrugesh Chandarana (IdenTrust), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nicol So (CommScope), Nome Huang (TrustAsia), Paul van Brouwershaven (Entrust), Rebecca Kelly (SSL.com), Rollin Yu (TrustAsia), Ryan Dickson (Google), Scott Rea (eMudhra), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tathan Thacker (IdenTrust), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Tsung-Min Kuo (Chunghwa Telecom), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority), Yamian Quintero (Microsoft)

Roll Call

Inigo started the roll call.

Read Antitrust Statement

Inigo read the Note-well.

Review Agenda

No review.

Approval of minutes

August 1st meeting minutes were approved.

Membership

Reviewed and approved application of SGNR, LLC as an Interested Party.

Discussion

GitHub open issues

450 - Agreed to close issue

451 - Without browser support, CA/B allowance isn’t meaningful. Browser resources are more focused on post-quantum cryptography currently. Firefox may have support for ed25519, however (https://bugzilla.mozilla.org/show_bug.cgi?id=1804788).

452 - While a normative change, should not have any actual impact given contributing requirements and aligns well with most similar definitions in e.g. RFC 5280. Agreed to address in a future clean-up ballot.

453 - Has already been addressed; agreed to close issue.

456 - The phrase “hosting service relationship” is unclear, both in its meaning and intent. Ben clarified that this something partially addressed in SC-071, but it was intended to provide stipulations or coverage where multiple parties are involved in the procurement of certificates. Agreed to wait on the results of SC-071 to pursue this issue further.

457 - Agreed to address in future clean-up ballot.

458 - Discussion confirmed this is still an issue which should be addressed, with potentially multiple areas that should be improved. Changing ‘Applicant’ to ’Subscriber’ had no objection. Altering the interaction between a domain name not being renewed and this requirement that associated certificates be revoked had rough consensus that it can be removed, but further discussion and confirmation (along with a specific proposal) would be the next step. One option would be to simply remove the second and third examples from sub-bullet 9 in Section 4.9.1.1 and to break up the sentence a bit more. Aaron’s proposed language on the issue (https://github.com/cabforum/servercert/issues/458#issuecomment-2318208466) had no objections and seemed to achieve rough consensus of being included in a future clean-up ballot.

PAG

Discussed final actions necessary to close out GoDaddy IPR claim. Ben to send email related to closing out GoDaddy IPR claim.

Current status of ballots

No update

Any Other Business

No other business.

Next call

September 12th.

Adjourn

Meeting adjourned.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).