Voting Period Begins | NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems' Applicability, and various other improvements

[Clint Wilson]

Ballot NS-008v3 is proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

Overview

Definition Changes

Added Definitions

• Network Boundary Control: New definition for components that manage network traffic flow; replaces "Network Equipment"
• Principle of Separation of Duties: Added definition describing how tasks are divided among multiple individuals
• Privileged Access: New definition describing access granting administration, configuration, management, or operation capabilities

Modified Definitions

• CA Infrastructure: Simplified to reference only "Certificate System", "Root CA System", and "Security Support System" (removed references to "Certificate Management System", "Delegated Third Party System", and "Issuing System")
• Certificate System: Modified definition to include "store" and "access" in activities list
• Critical Security Event: Restructured with numbered lists and expanded examples
• Security Support System: Changed from a "system or set of systems" to "The System(s)" and removed "network boundary control" from the list of functions
• Trusted Role: Changed from "employee or contractor" to "individual employee or contractor" and reduced scope to those with access to a "Certificate System or Root CA System”
• Workstation: Changed the second bullet to refer to the defined term Privileged Access

Removed Definitions

• Certificate Management System definition has been removed
• Delegated Third Party System definition has been removed
• Issuing System definition has been removed

Structural and Terminology Changes

• Network Equipment → Network Boundary Controls: Throughout the document, references to "Network Equipment" have been replaced with "Network Boundary Controls"
• Inventory requirement moved: Requirement moved from Section 4 to beginning of Section 1: "The CA MUST define an inventory of its CA Infrastructure"
• Section 4 restructuring:
  • Section number changes: 4.2 → 4.1, 4.3 → 4.2, 4.4 → 4.3

Substantive Requirement Changes

Section 1: CA Infrastructure and Network Configuration

• Root CA Systems isolation requirement: Added explicit requirement in section 1.2.1: "Root CA Systems MUST be on physically separate networks from all other CA Infrastructure"
• Network segmentation implementation: Section 1.1.1.1 and 1.1.1.2 have switched places:
  • Network segmentation design principles moved to 1.1.1.1 (previously in 1.1.1.2)
  • Implementation details moved to 1.1.1.2 (previously in 1.1.1.1)
  • "Software-defined networking" moved from MAY to MUST category

Section 2: Access Control

• Trusted Roles scope: Changed from designing/building/maintaining "CA Infrastructure and Network Equipment" to specifically "Certificate Systems and Root CA Systems"
• Separation of Duties: Replaced requirement that Trusted Roles be assigned consistent with requirements of Multi-Party Control with a requirement that Trusted Roles be assigned consistent with "the Principle of Separation of Duties" (section 2.1)
• Access restriction scope: Changed from "CA Infrastructure and/or Network Equipment" to "Certificate Systems and Root CA Systems" in section 2.2.1 and 2.2.1.1
• Multi-Factor Authentication: Modified section 2.2.3 to require MFA "for access to CA Infrastructure" rather than "for accounts on CA Infrastructure and access to CA Infrastructure”
• Privileged Access: Modified section 2.2.6 to use Privileged Access as the metric for determining the application of other requirements in that section

Section 4: Vulnerability Management

• Expanded scope for vulnerability policies:
  • Added Security Support Systems and Network Boundary Controls to recommended scope
  • Added New deadline: "Effective 15-Apr-2026, these policies and procedures MUST apply to Security Support Systems and Network Boundary Controls"

Date

• Date format standardized to DD-MMM-YYYY throughout
• Effective date of NCSSRs version 2.0.x updated from September 17, 2025 to November 12, 2025

Motion

The following motion has been proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

You can view and comment on the Github pull request representing this ballot here. 

Motion Begins

This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.4.

MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/compare/521b7778974fb2ecda200f8d1aabf9f7616943b7...168629d5b3b8357c6b82df434b700401947f871d

When approved, this Ballot takes effect on the IPR review completion date.

Motion Ends

Discussion (at least 7 days)

• Start time: Wednesday, April 16, 2025 17:00 UTC (2025-04-16T17:00:00Z)
  
• End time: on or after Wednesday, May 14, 2025 17:00 UTC (2025-05-14T17:00:00Z)

Vote for approval (7 days)

• Start time: Thursday, May 22, 2025 17:00 UTC (2025-05-22T17:00:00Z)
• End time: Thursday, May 29, 2025 17:00 UTC (2025-05-29T17:00:00Z)

[Ponds-White, Trev]

Amazon Trust Services votes yes.

--
You received this message because you are subscribed to the Google Groups "NetSec WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netsec+un...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/netsec/CB4D47E0-DAD9-4C9C-93F4-6BF5AAE36E5F%40apple.com.

[Daniel Jeffery]

Fastly votes yes.

To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/netsec/c4a5cec1594f4f7a8ab7425b98b3152c%40amazon.com.

--

Daniel Jeffery | TLS

fastly.com | @fastly | LinkedIn

[Ben Wilson]

Mozilla votes "Yes" for Ballot NS-008v3.

Thanks!

Ben

--

[Bruce Morton]

Entrust votes Yes to ballot NS-008v3.

 

 

Bruce.

 

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>
Sent: Thursday, May 22, 2025 12:58 PM
To: NetSec WG <net...@groups.cabforum.org>
Subject: [EXTERNAL] [netsec] Voting Period Begins | NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems' Applicability, and various other improvements

 

Ballot NS-008v3 is proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

--

You received this message because you are subscribed to the Google Groups "NetSec WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netsec+un...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/netsec/CB4D47E0-DAD9-4C9C-93F4-6BF5AAE36E5F%40apple.com.

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

[Tathan Thacker]

IdenTrust votes Yes for ballot NS-008v3

 

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>

Date: Thursday, May 22, 2025 at 10:58
To: NetSec WG <net...@groups.cabforum.org>

--

[蔡家宏(chtsai)]

[Backman, Antti]

Telia votes ’Yes’ on ballot NS-008v3

 

//Antti

 

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>
Date: Thursday, 22. May 2025 at 19.58
To: NetSec WG <net...@groups.cabforum.org>
Subject: [netsec] Voting Period Begins | NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems' Applicability, and various other improvements

--

[Jozef Nigut]

 

Disig  votes Yes to ballot NS-008v3.

 

Jozef

 

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>
Sent: Thursday, May 22, 2025 6:58 PM
To: NetSec WG <net...@groups.cabforum.org>
Subject: [netsec] Voting Period Begins | NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems' Applicability, and various other improvements

 

Ballot NS-008v3 is proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

--

[Michael Guenther]

[Kateryna Aleksieieva]

Certum votes YES on NS-008v3

 

Kind regards,
Kateryna Aleksieieva

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>
Sent: Thursday, May 22, 2025 6:58 PM
To: NetSec WG <net...@groups.cabforum.org>
Subject: [netsec] Voting Period Begins | NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems' Applicability, and various other improvements

 

Ballot NS-008v3 is proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

--

[陳立群]

Chunghwa Telecom Votes Yes to ballot NS-008v3.

       Li-Chun Chen

       Chunghwa Telecom

To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/netsec/DS0PR11MB7851C0894D87D2488BC18CF28298A%40DS0PR11MB7851.namprd11.prod.outlook.com.

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

[Rollin.Yu]

TrustAsia votes YES on ballot NS-008v3.

Best regards,
Rollin Yu

[Chris Clements]

Google votes Yes on Ballot NS-008v3.

To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/netsec/4F378DC6-C656-4A98-810B-FC1C5B67FD4C%40trustasia.com.

[Tom Zermeno]

SSL.com votes “Yes” on NS-008v3.

 

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>

Sent: Thursday, May 22, 2025 11:58 AM
To: NetSec WG <net...@groups.cabforum.org>

--

[Clint Wilson]

Apple votes Yes on NS-008v3.

[Tim Hollebeek]

DigiCert votes YES on NS-008v3

 

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>
Sent: Thursday, May 22, 2025 12:58 PM
To: NetSec WG <net...@groups.cabforum.org>
Subject: [netsec] Voting Period Begins | NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems' Applicability, and various other improvements

 

Ballot NS-008v3 is proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

--

[sde...@godaddy.com]

GoDaddy votes Yes on Ballot NS-008v3

 

Regards,

Steven Deitte

 

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>
Date: Thursday, May 22, 2025 at 12:58 PM
To: NetSec WG <net...@groups.cabforum.org>
Subject: [netsec] Voting Period Begins | NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems' Applicability, and various other improvements

--

[Tim Huff]

Microsoft votes Yes on Ballot NS-008v3.

 

From: 'Clint Wilson' via NetSec WG - Public (CA/B Forum) <net...@groups.cabforum.org>

Sent: Thursday, May 22, 2025 9:58 AM
To: NetSec WG <net...@groups.cabforum.org>

--

[Inigo Barreira]

Sectigo votes yes.

--