CA/Browser Forum
Home » Working Groups » NetSec WG

Network Security Working Group

Background

In January 2013 the CA/Browser Forum’s “Network and Certificate System Security Requirements” (NCSSRs) became effective. In June 2017, the Forum chartered a Network Security Working Group to re-work the NCSSRs. That charter expired on June 19, 2018, and in October 2018, the Server Certificate Working Group (SCWG) established a Network Security Subcommittee (NetSec Subcommittee) to continue work on the NCSSRs. Since then, the Network Security Working Group (NetSec WG) has replaced the NetSec Subcommittee. The NetSec WG was created in December 2021 by Ballot Forum-17. Existing members of the CA/Browser Forum are eligible to participate in the NetSec WG.

Scope of Work

The NetSec WG was chartered to continue work on the NCSSRs, and to conduct any and all business related to improving the security of Certification Authorities. The NetSec WG makes security-related recommendations to other Forum WGs for requirements or guidelines that are within their purview, i.e. the Baseline Requirements/Extended Validation Guidelines of the Server Certificate WG, the Baseline Requirements for Code Signing Certificates of the Code Signing Certificate Working Group or guidelines adopted by the S/MIME Certificate Working Group.

The primary deliverable of the NetSec WG is the NCSSRs. Other work includes performing risk analyses, security analyses, and other types of reviews of threats and vulnerabilities applicable to CA operations involved in the issuance and maintenance of publicly trusted certificates (e.g. server certificates, code signing certificates, or SMIME certificates).

Charter

Charter of the Network Security Working Group

Officers

Chair: Clint Wilson (Apple)

Vice Chair: David Kluge (Google Trust Services)

Ballots

Network Security Working Group Ballots

Participation

The CA/Browser Forum welcomes existing members with an interest in system security to join the NetSec WG. There is no cost to join. Existing CABF Members should provide their declaration of intent to participate in the NetSec WG and the following information by email to questions@cabforum.org:

  • statement of the Voting Class by which they qualify;
  • names/email addresses of their designated representatives who will participate; and
  • names/email addresses of their designated representatives who will vote.

Mailing List

The NetSec WG provides a public mailing list. See https://groups.google.com/a/groups.cabforum.org/g/netsec

To subscribe, see: https://groups.google.com/a/groups.cabforum.org/g/netsec/about.

Members

Certification Authorities

  • Amazon
  • Asseco Data Systems SA (Certum)
  • Buypass AS
  • Chunghwa Telecom
  • Comsign
  • DigiCert
  • Disig
  • eMudhra
  • Entrust
  • Fastly
  • GDCA
  • GlobalSign
  • GoDaddy
  • HARICA
  • IdenTrust
  • Kamu SM
  • Let's Encrypt
  • OATI
  • OISTE Foundation
  • Sectigo
  • SSL.com
  • SwissSign
  • Telia Company
  • TrustAsia
  • TWCA
  • VikingCloud
  • Visa

Certificate Consumers

  • Apple
  • Google
  • Microsoft
  • Mozilla
  • Opera Software AS

Associates

  • CPA Canada/WebTrust
  • ETSI
  • Keyfactor
  • US Federal PKI Management Authority

Interested Parties

  • SGNR, LLC
Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).