
<div dir="ltr">


<p class="MsoNormal" style="margin:0in 0in 12pt;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN">The following

ballot is proposed by Ben Wilson of Mozilla and endorsed by Tim Hollebeek of

DigiCert and David Kluge of Google.<span></span></span></p>


<p class="MsoNormal" style="margin:0in 0in 12pt;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN"><b>Ballot Forum-17:

Create Network Security Working Group</b><span></span></span></p>


<p class="MsoNormal" style="margin:0in 0in 12pt;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:18pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Overview<span></span></span></b></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">In

January 2013 the CA/Browser Forum’s “Network and Certificate System Security

Requirements” (NCSSRs) became effective. In June 2017, the Forum chartered a

Network Security Working Group to re-visit the NCSSRs. That charter expired on

June 19, 2018, and in October 2018, the Server Certificate Working Group (SCWG)

established a Network Security Subcommittee (NetSec Subcommittee) to continue

work on the NCSSRs.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">This

ballot proposes to charter a new Network Security Working Group (NetSec WG) to

replace the NetSec Subcommittee, to continue work on the NCSSRs, and to conduct

any and all business related to improving the security of Certification

Authorities. </span><span style="font-size:8pt;line-height:115%" lang="EN"><span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Following

the passage of this ballot:<span></span></span></p>


<ol style="margin-top:0in;margin-bottom:0in" type="1" start="1"><li class="MsoNormal" style="margin:12pt 0in 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">A new NetSec WG will be

     chartered under the CA/B Forum, pursuant to section 5.3.1 of the Bylaws;</span><span lang="EN"><span></span></span></li><li class="MsoNormal" style="margin:0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The Charter of the SCWG will be

     amended to remove the NCSSRs from within the scope of the SCWG Charter; </span><span lang="EN"><span></span></span></li><li class="MsoNormal" style="margin:0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The existing mailing list and

     other materials developed for the NetSec Subcommittee will be repurposed

     for use by the NetSec WG; </span><span lang="EN"><span></span></span></li><li class="MsoNormal" style="margin:0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The NetSec WG will produce and

     maintain versions of the NCSSRs; and</span><span lang="EN"><span></span></span></li><li class="MsoNormal" style="margin:0in 0in 12pt;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The NetSec WG will make

     security-related recommendations to other Forum WGs for requirements or

     guidelines that are within their purview, i.e. the BRs/EVGs of the SCWG,

     the Baseline Requirements for Code Signing Certificates of the Code

     Signing Certificate Working Group (CSCWG) or guidelines adopted by the

     S/MIME Certificate Working Group (SMCWG). <span></span></span></li></ol>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">--- MOTION BEGINS ---<span></span></span></b></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The

Charter of the Server Certificate Working Group, currently version 1.1, is

amended by deleting references to the Network and Certificate System Security

Requirements, so that the Scope section of the Charter will now read as

follows:<span></span></span></p>


<p class="MsoNormal" style="margin:0in 0in 12pt;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">SCOPE:</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> The authorized scope of the Server

Certificate Working Group shall be as follows:<span></span></span></p>


<ol style="margin-top:0in;margin-bottom:0in" type="1" start="1"><li class="MsoNormal" style="margin:12pt 0in 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">To specify Baseline

     Requirements, Extended Validation Guidelines, and other acceptable

     practices for the issuance and management of SSL/TLS server certificates

     used for authenticating servers accessible through the Internet.<br>

     <br>

     <span></span></span></li><li class="MsoNormal" style="margin:0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">To update such requirements and

     guidelines from time to time, in order to address both existing and

     emerging threats to online security, including responsibility for the

     maintenance of and future amendments to the current CA/Browser Forum

     Baseline Requirements and Extended Validation Guidelines.<br>

     <br>

     <span></span></span></li><li class="MsoNormal" style="margin:0in 0in 12pt;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">To perform such other

     activities that are ancillary to the primary activities listed above.<br>

     </span></li></ol><div>See <a href="https://github.com/cabforum/forum/commit/a55fd7d3939f4f24aa26e88399069afede2a1edf">https://github.com/cabforum/forum/commit/a55fd7d3939f4f24aa26e88399069afede2a1edf</a></div>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The

CA/Browser Forum creates the Network Security Working Group and adopts the

following Charter:<b><span></span></b></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:18pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Network Security Working Group Charter<span></span></span></b></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The

Network Security Working Group (“NetSec WG”) is hereby created to perform the

activities as specified in this Charter, subject to the terms and conditions of

the CA/Browser Forum Bylaws (<a href="https://cabforum.org/bylaws/">https://cabforum.org/bylaws/</a>) and Intellectual

Property Rights (IPR) Policy (<a href="https://cabforum.org/ipr-policy/">https://cabforum.org/ipr-policy/</a>), as such

documents may change from time to time. This charter for the NetSec WG has been

created according to CAB Forum Bylaw 5.3.1. In the event of a conflict between

this Charter and any provision in either the Bylaws or the IPR Policy, the

provision in the Bylaws or IPR Policy shall take precedence. The definitions

found in the Forum’s Bylaws shall apply to capitalized terms in this Charter.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">1. Scope</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> – The scope of work performed by

the NetSec WG includes:<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">1.<span>   </span>To modify and maintain the existing Network

and Certificate System Security Requirements or a successor requirements

document (NCSSRs);<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">2.<span>   </span>To make recommendations for improvements to

security controls in the requirements or guidelines adopted by other Forum WGs

(e.g. see sections 5 and 6 of the Baseline Requirements);<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">3.<span>   </span>To create new requirements, guidelines, or

recommended best practices related to the security of CA operations;<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">4.<span>   </span>To perform risk analyses, security analyses,

and other types of reviews of threats and vulnerabilities applicable to CA

operations involved in the issuance and maintenance of publicly trusted

certificates (e.g. server certificates, code signing certificates, SMIME

certificates, etc.); and<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">5.<span>   </span>To perform other activities ancillary to the

primary activities listed above.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">2. Out of Scope</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> – The NetSec WG shall not adopt

requirements, Guidelines, or Maintenance Guidelines concerning certificate

profiles, validation processes, certificate issuance, certificate revocation,

or subscriber obligations, which are within the purview of the Server

Certificate Working Group (SCWG), the Code Signing Certificate Working Group

(CSCWG), or the S/MIME Certificate Working Group (SMCWG).<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">3. End Date</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> – The NetSec WG shall continue

until it is dissolved by a vote of the CA/B Forum.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">4. Deliverables</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> – The NetSec WG shall be

responsible for delivering and maintaining the NCSSRs (version 1.7 shall remain

valid until it is replaced by a subsequent version) and any other documents the

group may choose to develop and maintain.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">5. Courtesy Notice of Proposed

Amendments to the NCSSRs </span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">– Discussion and voting on any ballot to change the NCSSRs

shall proceed within the NetSec WG in accordance with sections 2.3 and 2.4 of

the Bylaws. Additionally, a courtesy notice of the proposed ballot and NetSec

WG’s discussion period shall be given to the SCWG, the CSCWG, and the SMCWG via

their Public Mail Lists. <span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">6. Participation and Membership</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> – Membership in the NetSec WG shall

be limited to organizations that are Certificate Issuer Members or Certificate

Consumer Members of the SCWG, the CSCWG, or the SMCWG, who may join the NetSec

WG only with such status or class as they hold in such other working groups.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">In

accordance with the IPR Policy, Members that choose to participate in the

NetSec WG must declare their participation, and class of membership

(Certificate Issuer or Certificate Consumer), and shall do so prior to

participating. A Member must declare its participation in the NetSec WG by

requesting to be added to the mailing list. The Chair of the NetSec WG shall

establish a list for declarations of participation and manage it in accordance

with the Bylaws, the IPR Policy, and the IPR Agreement.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The

NetSec WG shall include Interested Parties and Associate Members as defined in

the Bylaws.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Resignation

from the NetSec WG does not prevent a participant from potentially having

continuing obligations under the Forum’s IPR Policy or any other document.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">7. Voting Structure<span></span></span></b></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">The

NetSec WG shall consist of two classes of voting members, Certificate Issuers

and Certificate Consumers. In order for a ballot to be adopted by the NetSec

WG, two-thirds or more of the votes cast by the Certificate Issuers must be in

favor of the ballot and more than 50% of the votes cast by the Certificate

Consumers must be in favor of the ballot. At least one member of each class

must vote in favor of a ballot for it to be adopted. Quorum is the average

number of Member organizations (cumulative, regardless of Class) that have

participated in the previous three NetSec WG Meetings or Teleconferences (not

counting subcommittee meetings thereof). For transition purposes, if three

meetings have not yet occurred, then quorum is ten (10).<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">8. Leadership<span></span></span></b></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Chair</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> – Clint Wilson shall be the initial

Chair of the NetSec WG.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Vice-Chair</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> – David Kluge shall be the initial

Vice-Chair of the NetSec WG.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Term.</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"><span> 

</span>The Chair and Vice-Chair will serve until October 31, 2022, or until

they are replaced, resign, or are otherwise disqualified. Thereafter, elections

shall be held for chair and vice chair every two years in coordination with the

Forum’s election process and in conjunction with its election cycle. Voting

shall occur in accordance with Bylaw 4.1(c). In the event of a midterm vacancy,

the NetSec WG will hold a special election and the selected candidate will

serve the remainder of the existing term.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">9. Communication</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> – NetSec WG communications and

documents, including minutes of meetings, shall be posted on mailing-lists

where the mail-archives are publicly accessible or on the Forum’s website.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">10.<span> 

</span>IPR Policy</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">

– The CA/Browser Forum Intellectual Rights Policy, v. 1.3 or later, shall apply

to all Working Group activity.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">11.</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"> <b>Other Organizational Matters<span></span></b></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Reserved.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">Effect of Forum Bylaws Amendment on

Working Group</span></b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN">

- In the event that Forum Bylaws are amended to add or modify general rules

governing Forum Working Groups and how they operate, such provisions of the

Bylaws take precedence over this charter.<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN"><span> See</span></span>  <a href="https://github.com/cabforum/forum/pull/23/files#diff-cf5513a8c4dabce6e3364691537b74a7d2faa1af8dc9e1ee8ce9b2d7759c9406">https://github.com/cabforum/forum/pull/23/files#diff-cf5513a8c4dabce6e3364691537b74a7d2faa1af8dc9e1ee8ce9b2d7759c9406</a><span lang="EN"><span></span><span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN">--- MOTION ENDS ---</span></p><p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN"><br><span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN">The procedure for approval of this ballot

is as follows:<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN"><span> </span>Discussion (7+ days)<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN"><span> </span>Start

Time: 2021-12-09<span> 18</span>:00:00 UTC<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN"><span> </span>End Time: after 2021-12-16<span>  18</span>:00:00 UTC<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN">Vote for approval (7 days)<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN">Start Time: TBD<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><span lang="EN">End Time: TBD<span></span></span></p>


<p class="MsoNormal" style="margin:12pt 0in;line-height:115%;font-size:11pt;font-family:"Arial",sans-serif"><b><span style="font-size:12pt;line-height:115%;font-family:"Times New Roman",serif" lang="EN"><span> </span></span></b></p>


</div>