[cabfpub] Voting Period Begins: Ballot FORUM-17: Create Network Security Working Group
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Dec 22 16:44:46 UTC 2021
HARICA votes "yes" to FORUM-17 ballot.
Dimitris.
On 16/12/2021 8:39 PM, Ben Wilson via Public wrote:
>
> Ballot FORUM-17, Create Network Security Working Group, is proposed by
> Ben Wilson of Mozilla and endorsed by Tim Hollebeek of DigiCert and
> David Kluge of Google.
>
> The Voting Period for Ballot FORUM-17 begins today at 19:00 UTC and
> ends on 23-Dec-2021 at 19:00 UTC.
>
> *Overview*
>
> In January 2013 the CA/Browser Forum’s “Network and Certificate System
> Security Requirements” (NCSSRs) became effective. In June 2017, the
> Forum chartered a Network Security Working Group to re-visit the
> NCSSRs. That charter expired on June 19, 2018, and in October 2018,
> the Server Certificate Working Group (SCWG) established a Network
> Security Subcommittee (NetSec Subcommittee) to continue work on the
> NCSSRs.
>
> This ballot proposes to charter a new Network Security Working Group
> (NetSec WG) to replace the NetSec Subcommittee, to continue work on
> the NCSSRs, and to conduct any and all business related to improving
> the security of Certification Authorities.
>
> Following the passage of this ballot:
>
> 1. A new NetSec WG will be chartered under the CA/B Forum, pursuant to
> section 5.3.1 of the Bylaws;
> 2. The Charter of the SCWG will be amended to remove the NCSSRs from
> within the scope of the SCWG Charter;
> 3. The existing mailing list and other materials developed for the
> NetSec Subcommittee will be repurposed for use by the NetSec WG;
> 4. The NetSec WG will produce and maintain versions of the NCSSRs; and
> 5. The NetSec WG will make security-related recommendations to other
> Forum WGs for requirements or guidelines that are within their
> purview, i.e. the BRs/EVGs of the SCWG, the Baseline Requirements for
> Code Signing Certificates of the Code Signing Certificate Working
> Group (CSCWG) or guidelines adopted by the S/MIME Certificate Working
> Group (SMCWG).
>
> *--- MOTION BEGINS ---*
>
>
> The Charter of the Server Certificate Working Group, currently version
> 1.1, is amended by deleting references to the Network and Certificate
> System Security Requirements, so that the Scope section of the Charter
> will now read as follows:
>
> *SCOPE:* The authorized scope of the Server Certificate Working Group
> shall be as follows:
>
> 1. To specify Baseline Requirements, Extended Validation Guidelines,
> and other acceptable practices for the issuance and management of
> SSL/TLS server certificates used for authenticating servers accessible
> through the Internet.
>
> 2. To update such requirements and guidelines from time to time, in
> order to address both existing and emerging threats to online
> security, including responsibility for the maintenance of and future
> amendments to the current CA/Browser Forum Baseline Requirements and
> Extended Validation Guidelines.
>
> 3. To perform such other activities that are ancillary to the primary
> activities listed above.
>
> See
> https://github.com/cabforum/forum/commit/a55fd7d3939f4f24aa26e88399069afede2a1edf
>
> The CA/Browser Forum creates the Network Security Working Group and
> adopts the following Charter:
>
> *Network Security Working Group Charter*
>
> The Network Security Working Group (“NetSec WG”) is hereby created to
> perform the activities as specified in this Charter, subject to the
> terms and conditions of the CA/Browser Forum Bylaws
> (https://cabforum.org/bylaws/) and Intellectual Property Rights (IPR)
> Policy (https://cabforum.org/ipr-policy/), as such documents may
> change from time to time. This charter for the NetSec WG has been
> created according to CAB Forum Bylaw 5.3.1. In the event of a conflict
> between this Charter and any provision in either the Bylaws or the IPR
> Policy, the provision in the Bylaws or IPR Policy shall take
> precedence. The definitions found in the Forum’s Bylaws shall apply to
> capitalized terms in this Charter.
>
> *1. Scope* – The scope of work performed by the NetSec WG includes:
>
> 1. To modify and maintain the existing Network and Certificate
> System Security Requirements or a successor requirements document
> (NCSSRs);
> 2. To make recommendations for improvements to security controls
> in the requirements or guidelines adopted by other Forum WGs (e.g. see
> sections 5 and 6 of the Baseline Requirements);
> 3. To create new requirements, guidelines, or recommended best
> practices related to the security of CA operations;
> 4. To perform risk analyses, security analyses, and other types of
> reviews of threats and vulnerabilities applicable to CA operations
> involved in the issuance and maintenance of publicly trusted
> certificates (e.g. server certificates, code signing certificates,
> SMIME certificates, etc.); and
> 5. To perform other activities ancillary to the primary activities
> listed above.
>
> *2. Out of Scope* – The NetSec WG shall not adopt requirements,
> Guidelines, or Maintenance Guidelines concerning certificate profiles,
> validation processes, certificate issuance, certificate revocation, or
> subscriber obligations, which are within the purview of the Server
> Certificate Working Group (SCWG), the Code Signing Certificate Working
> Group (CSCWG), or the S/MIME Certificate Working Group (SMCWG).
>
> *3. End Date* – The NetSec WG shall continue until it is dissolved by
> a vote of the CA/B Forum.
>
> *4. Deliverables* – The NetSec WG shall be responsible for delivering
> and maintaining the NCSSRs (version 1.7 shall remain valid until it is
> replaced by a subsequent version) and any other documents the group
> may choose to develop and maintain.
>
> *5. Courtesy Notice of Proposed Amendments to the NCSSRs* – Discussion
> and voting on any ballot to change the NCSSRs shall proceed within the
> NetSec WG in accordance with sections 2.3 and 2.4 of the Bylaws.
> Additionally, a courtesy notice of the proposed ballot and NetSec WG’s
> discussion period shall be given to the SCWG, the CSCWG, and the SMCWG
> via their Public Mail Lists.
>
> *6. Participation and Membership* – Membership in the NetSec WG shall
> be limited to organizations that are Certificate Issuer Members or
> Certificate Consumer Members of the SCWG, the CSCWG, or the SMCWG, who
> may join the NetSec WG only with such status or class as they hold in
> such other working groups.
>
> In accordance with the IPR Policy, Members that choose to participate
> in the NetSec WG must declare their participation, and class of
> membership (Certificate Issuer or Certificate Consumer), and shall do
> so prior to participating. A Member must declare its participation in
> the NetSec WG by requesting to be added to the mailing list. The Chair
> of the NetSec WG shall establish a list for declarations of
> participation and manage it in accordance with the Bylaws, the IPR
> Policy, and the IPR Agreement.
>
> The NetSec WG shall include Interested Parties and Associate Members
> as defined in the Bylaws.
>
> Resignation from the NetSec WG does not prevent a participant from
> potentially having continuing obligations under the Forum’s IPR Policy
> or any other document.
>
> *7. Voting Structure*
>
> The NetSec WG shall consist of two classes of voting members,
> Certificate Issuers and Certificate Consumers. In order for a ballot
> to be adopted by the NetSec WG, two-thirds or more of the votes cast
> by the Certificate Issuers must be in favor of the ballot and more
> than 50% of the votes cast by the Certificate Consumers must be in
> favor of the ballot. At least one member of each class must vote in
> favor of a ballot for it to be adopted. Quorum is the average number
> of Member organizations (cumulative, regardless of Class) that have
> participated in the previous three NetSec WG Meetings or
> Teleconferences (not counting subcommittee meetings thereof). For
> transition purposes, if three meetings have not yet occurred, then
> quorum is ten (10).
>
> *8. Leadership*
>
> *Chair* – Clint Wilson shall be the initial Chair of the NetSec WG.
>
> *Vice-Chair* – David Kluge shall be the initial Vice-Chair of the
> NetSec WG.
>
> *Term.* The Chair and Vice-Chair will serve until October 31, 2022, or
> until they are replaced, resign, or are otherwise disqualified.
> Thereafter, elections shall be held for chair and vice chair every two
> years in coordination with the Forum’s election process and in
> conjunction with its election cycle. Voting shall occur in accordance
> with Bylaw 4.1(c). In the event of a midterm vacancy, the NetSec WG
> will hold a special election and the selected candidate will serve the
> remainder of the existing term.
>
> *9. Communication* – NetSec WG communications and documents, including
> minutes of meetings, shall be posted on mailing-lists where the
> mail-archives are publicly accessible or on the Forum’s website.
>
> *10. IPR Policy* – The CA/Browser Forum Intellectual Rights Policy, v.
> 1.3 or later, shall apply to all Working Group activity.
>
> *11. Other Organizational Matters*
>
> Reserved.
>
> *Effect of Forum Bylaws Amendment on Working Group* - In the event
> that Forum Bylaws are amended to add or modify general rules governing
> Forum Working Groups and how they operate, such provisions of the
> Bylaws take precedence over this charter.
>
> See
> https://github.com/cabforum/forum/pull/23/files#diff-cf5513a8c4dabce6e3364691537b74a7d2faa1af8dc9e1ee8ce9b2d7759c9406
>
> --- MOTION ENDS ---
>
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2021-12-09 18:00:00 UTC
>
> End Time: 2021-12-16 19:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 2021-12-16 19:00 UTC
>
> End Time: 2021-12-23 19:00:00 UTC
>
>
>