CA/Browser Forum

CA/Browser Forum posts

Posts by tag Network Security

    Ballot SC038: Alignment of Record Archival
    December 16, 2020 by Ben Wilson
    This ballot failed to go to a vote and failed pursuant to the Bylaws. This begins the discussion period for Ballot SC38: Alignment of Record Archival (which I circulated a little while ago). The following ballot is proposed by Neil Dunbar of TrustCor Systems and endorsed by David Kluge of Google Trust Services and Ben Wilson of Mozilla. Purpose of Ballot: After the updated language included in SC28, Sections 5.4.3 and 5.5.2 (of the BRs) could be in conflict. Section 5.5.2 requires all documentation relating to certificate requests and the verification thereof, and all Certificates and revocation thereof be retained for seven years after certificates cease to be valid. Section 5.4.3 requires all audit logs of Subscriber Certificate lifecycle management event records be maintained for two years after the revocation or expiration of the Subscriber Certificate. These sections intersect at the retention requirements for audit logs and archived records, as they relate to subscriber certificate lifecycle events. The retention periods are in conflict as to the length of retention.
    Ballot SC032: NCSSRs Zones
    July 23, 2020 by Ben Wilson
    This ballot failed pursuant to the Bylaws. This email begins the discussion period for Ballot SC32. Purpose of Ballot: To remove ambiguity and delineate requirements for physical security and logical security. The Network and Certificate System Security Requirements (NCSSRs) were drafted with the concept of physical and logical “Zones” (Secure Zones, High Security Zones, and everything else outside those zones). However, the approach did not clearly separate the physical security aspects from the logical security aspects. “Zone” was defined as a “subset of Certificate Systems created by the logical or physical partitioning of systems from other Certificate Systems,” and “Secure Zone” was defined as an “area (physical or logical) protected by physical and logical controls that appropriately protect the confidentiality, integrity, and availability of Certificate Systems.” “High Security Zone” was defined as a physical area: “A physical location where a CA’s or Delegated Third Party’s Private Key or cryptographic hardware is located”.
    Ballot SC020: System Configuration Management
    March 23, 2020 by Ben Wilson
    This ballot failed. Purpose of Ballot: Section 1(h) of the Network and Certification Systems Security Requirements provides that CAs shall:
    Ballot SC010: Establishing the Network Security Subcommittee of the SCWG
    October 4, 2018 by Jos Purvis
    The voting period for Ballot SC10 has ended and the ballot has passed. Here are the results.
    Voting by CAs – 18 votes total including abstentions
    18 Yes votes: Buypass, Camerfirma, CFCA, Chunghwa Telecom, D-TRUST, DigiCert, Disig, Entrust Datacard, Firmaprofesional, GDCA, GlobalSign, HARICA, QuoVadis, SSL.com, TWCA, TrustCor, Trustwave, Visa
    0 No votes:
    0 Abstain:
    100% of voting CAs voted in favor
    Voting by browsers – 4 votes total including abstentions
    4 Yes votes: Cisco, Microsoft, Mozilla, 360
    0 No votes:
    0 Abstain:
    100% of voting browsers voted in favor
    Ballot 210 – Misc. Changes to the NCSSR
    August 31, 2017 by Ben Wilson
    Results on Ballot 210 – Misc. Changes to the Network and Certificate System Security Requirements
    The voting period for Ballot 210 has ended and the ballot has passed. Here are the results.
    Voting by CAs – 18 votes total including abstentions
    18 Yes votes: Amazon, Buypass, Chunghwa Telecom, Cisco, D-TRUST, DigiCert, Disig, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Logius PKIoverheid, SSL.com, SwissSign, Symantec, TrustCor, Trustwave
    Ballot 203 – Formation of Network Security Working Group
    June 19, 2017 by Ben Wilson
    Results on Ballot 203 – Formation of Network Security Working Group
    The voting period for Ballot 203 has ended. The ballot has passed. Here are the results.
    Voting by CAs – 19 votes total including abstentions
    17 Yes votes: Buypass, CFCA, Comodo, DigiCert, Disig, Entrust, GDCA, GoDaddy, HARICA, Izenpe, SHECA, SSC, SwissSign, Symantec, TrustCor, Trustwave, TurkTrust
    Ballot 76 – Public Review of Network Security Controls
    June 12, 2012 by Ben Wilson
    Ballot 76 – Public Review of Network Security Controls (Passed)
    Motion: Ben Wilson made the following motion, and Eddy Nigg and Gerv Markham endorsed it:
    Motion begins
    Members of the CAB Forum have drafted Network Security Requirements, dated May 14, 2012, and setting a baseline level of network security for all certification authorities that operate or manage a root certificate embedded as a trust anchor in publicly distributed browser software. The document is available for review here:
    The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).