[cabfpub] Voting Period Begins: Ballot FORUM-17: Create Network Security Working Group

Inigo Barreira Inigo.Barreira at sectigo.com
Mon Dec 20 08:38:50 UTC 2021

Sectigo votes YES


De: Public <public-bounces at cabforum.org> En nombre de Ben Wilson via Public
Enviado el: jueves, 16 de diciembre de 2021 19:40
Para: CA/Browser Forum Public Discussion List <public at cabforum.org>
Asunto: [cabfpub] Voting Period Begins: Ballot FORUM-17: Create Network
Security Working Group


CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know the
content is safe.


Ballot FORUM-17, Create Network Security Working Group, is proposed by Ben
Wilson of Mozilla and endorsed by Tim Hollebeek of DigiCert and David Kluge
of Google.

The Voting Period for Ballot FORUM-17 begins today at 19:00 UTC and ends on
23-Dec-2021 at 19:00 UTC. 


In January 2013 the CA/Browser Forum's "Network and Certificate System
Security Requirements" (NCSSRs) became effective. In June 2017, the Forum
chartered a Network Security Working Group to re-visit the NCSSRs. That
charter expired on June 19, 2018, and in October 2018, the Server
Certificate Working Group (SCWG) established a Network Security Subcommittee
(NetSec Subcommittee) to continue work on the NCSSRs.

This ballot proposes to charter a new Network Security Working Group (NetSec
WG) to replace the NetSec Subcommittee, to continue work on the NCSSRs, and
to conduct any and all business related to improving the security of
Certification Authorities. 

Following the passage of this ballot:

1. A new NetSec WG will be chartered under the CA/B Forum, pursuant to
section 5.3.1 of the Bylaws;
2. The Charter of the SCWG will be amended to remove the NCSSRs from within
the scope of the SCWG Charter; 
3. The existing mailing list and other materials developed for the NetSec
Subcommittee will be repurposed for use by the NetSec WG; 
4. The NetSec WG will produce and maintain versions of the NCSSRs; and
5. The NetSec WG will make security-related recommendations to other Forum
WGs for requirements or guidelines that are within their purview, i.e. the
BRs/EVGs of the SCWG, the Baseline Requirements for Code Signing
Certificates of the Code Signing Certificate Working Group (CSCWG) or
guidelines adopted by the S/MIME Certificate Working Group (SMCWG). 


The Charter of the Server Certificate Working Group, currently version 1.1,
is amended by deleting references to the Network and Certificate System
Security Requirements, so that the Scope section of the Charter will now
read as follows:

SCOPE: The authorized scope of the Server Certificate Working Group shall be
as follows:

1. To specify Baseline Requirements, Extended Validation Guidelines, and
other acceptable practices for the issuance and management of SSL/TLS server
certificates used for authenticating servers accessible through the

2. To update such requirements and guidelines from time to time, in order to
address both existing and emerging threats to online security, including
responsibility for the maintenance of and future amendments to the current
CA/Browser Forum Baseline Requirements and Extended Validation Guidelines.
3. To perform such other activities that are ancillary to the primary
activities listed above.


The CA/Browser Forum creates the Network Security Working Group and adopts
the following Charter:

Network Security Working Group Charter

The Network Security Working Group ("NetSec WG") is hereby created to
perform the activities as specified in this Charter, subject to the terms
and conditions of the CA/Browser Forum Bylaws (https://cabforum.org/bylaws
w%3D&reserved=0> /) and Intellectual Property Rights (IPR) Policy
%2Bib%2Bb1dlWU%3D&reserved=0> ), as such documents may change from time to
time. This charter for the NetSec WG has been created according to CAB Forum
Bylaw 5.3.1. In the event of a conflict between this Charter and any
provision in either the Bylaws or the IPR Policy, the provision in the
Bylaws or IPR Policy shall take precedence. The definitions found in the
Forum's Bylaws shall apply to capitalized terms in this Charter.

1. Scope - The scope of work performed by the NetSec WG includes:

    1. To modify and maintain the existing Network and Certificate System
Security Requirements or a successor requirements document (NCSSRs);
    2. To make recommendations for improvements to security controls in the
requirements or guidelines adopted by other Forum WGs (e.g. see sections 5
and 6 of the Baseline Requirements);
    3. To create new requirements, guidelines, or recommended best practices
related to the security of CA operations;
    4. To perform risk analyses, security analyses, and other types of
reviews of threats and vulnerabilities applicable to CA operations involved
in the issuance and maintenance of publicly trusted certificates (e.g.
server certificates, code signing certificates, SMIME certificates, etc.);
    5. To perform other activities ancillary to the primary activities
listed above.

2. Out of Scope - The NetSec WG shall not adopt requirements, Guidelines, or
Maintenance Guidelines concerning certificate profiles, validation
processes, certificate issuance, certificate revocation, or subscriber
obligations, which are within the purview of the Server Certificate Working
Group (SCWG), the Code Signing Certificate Working Group (CSCWG), or the
S/MIME Certificate Working Group (SMCWG).

3. End Date - The NetSec WG shall continue until it is dissolved by a vote
of the CA/B Forum.

4. Deliverables - The NetSec WG shall be responsible for delivering and
maintaining the NCSSRs (version 1.7 shall remain valid until it is replaced
by a subsequent version) and any other documents the group may choose to
develop and maintain.

5. Courtesy Notice of Proposed Amendments to the NCSSRs - Discussion and
voting on any ballot to change the NCSSRs shall proceed within the NetSec WG
in accordance with sections 2.3 and 2.4 of the Bylaws. Additionally, a
courtesy notice of the proposed ballot and NetSec WG's discussion period
shall be given to the SCWG, the CSCWG, and the SMCWG via their Public Mail

6. Participation and Membership - Membership in the NetSec WG shall be
limited to organizations that are Certificate Issuer Members or Certificate
Consumer Members of the SCWG, the CSCWG, or the SMCWG, who may join the
NetSec WG only with such status or class as they hold in such other working

In accordance with the IPR Policy, Members that choose to participate in the
NetSec WG must declare their participation, and class of membership
(Certificate Issuer or Certificate Consumer), and shall do so prior to
participating. A Member must declare its participation in the NetSec WG by
requesting to be added to the mailing list. The Chair of the NetSec WG shall
establish a list for declarations of participation and manage it in
accordance with the Bylaws, the IPR Policy, and the IPR Agreement.

The NetSec WG shall include Interested Parties and Associate Members as
defined in the Bylaws.

Resignation from the NetSec WG does not prevent a participant from
potentially having continuing obligations under the Forum's IPR Policy or
any other document.

7. Voting Structure

The NetSec WG shall consist of two classes of voting members, Certificate
Issuers and Certificate Consumers. In order for a ballot to be adopted by
the NetSec WG, two-thirds or more of the votes cast by the Certificate
Issuers must be in favor of the ballot and more than 50% of the votes cast
by the Certificate Consumers must be in favor of the ballot. At least one
member of each class must vote in favor of a ballot for it to be adopted.
Quorum is the average number of Member organizations (cumulative, regardless
of Class) that have participated in the previous three NetSec WG Meetings or
Teleconferences (not counting subcommittee meetings thereof). For transition
purposes, if three meetings have not yet occurred, then quorum is ten (10).

8. Leadership

Chair - Clint Wilson shall be the initial Chair of the NetSec WG.

Vice-Chair - David Kluge shall be the initial Vice-Chair of the NetSec WG.

Term. The Chair and Vice-Chair will serve until October 31, 2022, or until
they are replaced, resign, or are otherwise disqualified. Thereafter,
elections shall be held for chair and vice chair every two years in
coordination with the Forum's election process and in conjunction with its
election cycle. Voting shall occur in accordance with Bylaw 4.1(c). In the
event of a midterm vacancy, the NetSec WG will hold a special election and
the selected candidate will serve the remainder of the existing term.

9. Communication - NetSec WG communications and documents, including minutes
of meetings, shall be posted on mailing-lists where the mail-archives are
publicly accessible or on the Forum's website.

10. IPR Policy - The CA/Browser Forum Intellectual Rights Policy, v. 1.3 or
later, shall apply to all Working Group activity.

11. Other Organizational Matters


Effect of Forum Bylaws Amendment on Working Group - In the event that Forum
Bylaws are amended to add or modify general rules governing Forum Working
Groups and how they operate, such provisions of the Bylaws take precedence
over this charter.



The procedure for approval of this ballot is as follows:

 Discussion (7+ days)

 Start Time: 2021-12-09 18:00:00 UTC

 End Time: 2021-12-16 19:00:00 UTC

Vote for approval (7 days)

Start Time: 2021-12-16 19:00 UTC

End Time: 2021-12-23 19:00:00 UTC


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20211220/bc9d1953/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6853 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20211220/bc9d1953/attachment-0001.p7s>

More information about the Public mailing list