CA/Browser Forum posts
Posts by tag Network Security
2022-02-15 Minutes of the Network Security Working Group
February 15, 2022 by Clint Wilson
Clint Wilson leading the meeting. Dustin Hollenback volunteered to take minutes. Clint Wilson read the anti-trust statement.
Attendees: Adam Jones (Microsoft), Antti Backman (Telia Company), Ben Wilson (Mozilla), Christophe Bonjean (GlobalSign), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Curt Spann (Apple), Daniel Jeffery (Fastly), Daryn Wright (GoDaddy), David Kluge (Google), Don Sheehy (WebTrust), Dustin Hollenback (Microsoft), Heather Warnke (Amazon Trust Services), Israel Ventura (US Federal PKI), Jillian Karner (Let’s Encrypt / ISRG), Joanna Fox (TrustCor), Jozef Nigut (Disig), Marcelo Silva (Visa), Thomas Connelly (US Federal PKI), Tim Crawford (WebTrust), Prachi Jain (Fastly), Rebecca Kelley (Apple), Ruben Annemans, Tobias Josefowitz (Opera), Tony Seymour (Comsign), Trevoli Ponds-White (Amazon Trust Services)
Ballot NS-001: Adopt Network and Certificate System Security Requirements
February 8, 2022 by Ben Wilson
This email begins the discussion period for Ballot NS-001: Adopt Network and Certificate System Security Requirements.
PURPOSE OF BALLOT
The purpose of this ballot is for the Networking Security Working Group to formally adopt version 1.7 of the Network and Certificate System Security Requirements as currently published by the CA/Browser Forum.
MOTION
The following motion has been proposed by Clint Wilson of Apple and endorsed by Tim Hollebeek of DigiCert and Ben Wilson of Mozilla.
--- Motion Begins ---
In accordance with the Bylaws and Intellectual Property Rights (IPR) Policy of the CA/Browser Forum, version 1.7 of the Network and Certificate System Security Requirements are adopted in full.
--- Motion Ends ---
This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:
Discussion (7+ days) Start Time: January 31 2022 17:00 UTC
2022-02-01 Minutes of the Network Security Working Group
February 1, 2022 by Clint Wilson
Clint Wilson leading the meeting. Request a volunteer for minutes. Dan Jeffery volunteers. Clint reads the antitrust statement.
Attendees: Adam Jones, Antti Backman, Ben Wilson, Brittany Randall, Christophe Bonjean, Clint Wilson, Corey Bonnell, Corey Rasmussen, Curt Spann, Daniel Jeffery, Daryn Wright, David Kluge, Dustin Hollenback, Israel Ventura, Jillian Karner, Kati Davids, Martijn Katerbarg, Niko Carpenter, Prachi Jain, Roman Fischer, Ruben Annemans, Thomas Connelly, Tim Crawford, Tobias Josefowitz, Tony Seymour, Trevoli Ponds-White
2022-01-18 Minutes of the Network Security Working Group
January 18, 2022 by Ben Wilson
The following minutes were approved in the February 1, 2022 meeting of the NetSec WG.
Net Sec WG – 1st Meeting – Jan. 18, 2022
Present: Ben Wilson – Mozilla, Don Sheehy – WebTrust, Dustin Ward – SSL.com, Martijn Katerbarg – Sectigo, Thomas Connelly – Federal PKI, Brittany Randall – GoDaddy, Clint Wilson – Apple, Kati Davids – GoDaddy, Samantha Frank – Let’s Encrypt, Corey Bonnell – DigiCert, Israel Ventura – Federal PKI, Tim Crawford – WebTrust, Wendy Brown – Federal PKI, Antti Backman – Telia, Jillian Karner – Let’s Encrypt, Prachi Jain – Fastly, Trevoli Ponds-White – Amazon Trust Services, Jozef Nigut – Disig, Christophe Bonjean – GlobalSign, Tobias Josefowitz – Opera, Daniel Jeffery – Fastly, Dustin Hollenback – Microsoft, Janet Hines – SecureTrust, Daryn Wright – GoDaddy, Miguel Sanchez – Google, Adam Jones – Microsoft, Rebecca Kelley – Apple, Tony Seymour – Comsign, Tim Hollebeek – DigiCert, Dean Coclin – DigiCert, Corey Rasmussen – OATI, Ruben Annemans – GlobalSign, Adam Jones – Microsoft, David Kluge – Google, Israel Ventura – Federal PKI
Ballot Forum-17 – Creation of Network Security Working Group
December 28, 2021 by Ben Wilson
The voting on ballot FORUM-17 has completed, and the ballot has passed.
Voting Results
Certificate Issuers: 22 votes total, with no abstentions:
22 Yes votes: Buypass, Certum (Asseco), D-TRUST, DigiCert, Disig, eMudhra, Entrust, E-TUGRA, GDCA, GlobalSign, GoDaddy, HARICA, JPRS, Let’s Encrypt/ISRG, MSC Trustgate, OISTE, SECOM, Sectigo, SSL.com, SwissSign, Telia Company, SecureTrust
0 No Votes
0 Abstentions
NOTE: A vote placed by GlobalTrust was not received on the public list and will not be counted.
Ballot SC40 – Security Requirements for Air-Gapped CA Systems
February 9, 2021 by Ben Wilson
This ballot was withdrawn and/or failed to go to a vote.
This is a continuation of discussion on the air-gapped CA ballot. (As noted below, this formally continues the discussion for this ballot, as of 2021-02-08 17:00 UTC. This discussion period will continue until initiation of the Voting Period (TBD) unless extended or as otherwise determined, pursuant to the CA/Browser Forum Bylaws.) I renumbered the sections - 5.1 for logical security and 5.2 for physical security. I have not attempted yet to address the comments between Aaron and Ryan re: accessing the air-gapped CA for checking configuration. Maybe that section needs to remain “as is” or with clarification that a desktop review of CA configuration would be satisfactory if the air-gapped CA has not been physically touched.
Ballot SC38: Alignment of Record Archival
December 16, 2020 by Ben Wilson
This ballot failed to go to a vote and failed pursuant to the Bylaws.
This begins the discussion period for Ballot SC38: Alignment of Record Archival (which I circulated a little while ago). The following ballot is proposed by Neil Dunbar of TrustCor Systems and endorsed by David Kluge of Google Trust Services and Ben Wilson of Mozilla.
Purpose of Ballot: After the updated language included in SC28, Sections 5.4.3 and 5.5.2 (of the BRs) could be in conflict. Section 5.5.2 requires all documentation relating to certificate requests and the verification thereof, and all Certificates and revocation thereof be retained for seven years after certificates cease to be valid. Section 5.4.3 requires all audit logs of Subscriber Certificate lifecycle management event records be maintained for two years after the revocation or expiration of the Subscriber Certificate. These sections intersect at the retention requirements for audit logs and archived records, as they relate to subscriber certificate lifecycle events. The retention periods are in conflict as to the length of retention.
Ballot SC32 – NCSSRs Zones
July 23, 2020 by Ben Wilson
This ballot failed pursuant to the Bylaws.
This email begins the discussion period for Ballot SC32.
Purpose of Ballot: To remove ambiguity and delineate requirements for physical security and logical security. The Network and Certificate System Security Requirements (NCSSRs) were drafted with the concept of physical and logical “Zones” (Secure Zones, High Security Zones, and everything else outside those zones). However, the approach did not clearly separate the physical security aspects from the logical security aspects. “Zone” was defined as a “subset of Certificate Systems created by the logical or physical partitioning of systems from other Certificate Systems,” and “Secure Zone” was defined as an “area (physical or logical) protected by physical and logical controls that appropriately protect the confidentiality, integrity, and availability of Certificate Systems.” “High Security Zone” was defined as a physical area: “A physical location where a CA’s or Delegated Third Party’s Private Key or cryptographic hardware is located”.
Ballot SC20: System Configuration Management
March 23, 2020 by Ben Wilson
This ballot failed.
Purpose of Ballot: Section 1(h) of the Network and Certification Systems Security Requirements provides that CAs shall: