Discussion Period Begins | NS-008: Updates to CA Infrastructure Scope, Trusted Roles, Systems' Applicability, and various other improvements


Clint Wilson

Apr 16, 2025, 12:59:32 PM
to NetSec WG

Ballot NS-008 is proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

Overview

Definition Changes

Added Definitions

  • Network Boundary Control: New definition for components that manage network traffic flow; replaces "Network Equipment"
  • Principle of Separation of Duties: Added definition describing how tasks are divided among multiple individuals

Modified Definitions

  • CA Infrastructure: Simplified to reference only "Certificate System", "Root CA System", and "Security Support System" (removed references to "Certificate Management System", "Delegated Third Party System", and "Issuing System")
  • Certificate System: Modified definition to include "store" and "access" in activities list
  • Critical Security Event: Restructured with numbered lists and expanded examples
  • Security Support System: Changed from a "system or set of systems" to "The System(s)" and removed "network boundary control" from the list of functions
  • Trusted Role: Changed from "employee or contractor" to "individual employee or contractor" and reduced scope to those with access to a "Certificate System or Root CA System"

Removed Definitions

  • Certificate Management System definition has been removed
  • Delegated Third Party System definition has been removed
  • Issuing System definition has been removed

Structural and Terminology Changes

  • Network Equipment → Network Boundary Controls: Throughout the document, references to "Network Equipment" have been replaced with "Network Boundary Controls"
  • Inventory requirement moved: Requirement moved from Section 4 to beginning of Section 1: "The CA MUST define an inventory of its CA Infrastructure"
  • Section 4 restructuring:
    • Section number changes: 4.3 → 4.2, 4.4 → 4.3
    • Former 4.2 "Intrusion Detection and Prevention" moved to 4.1

Substantive Requirement Changes

Section 1: CA Infrastructure and Network Configuration

  • Root CA Systems isolation requirement: Added explicit requirement in section 1.2.1: "Root CA Systems MUST be on physically separate networks from all other CA Infrastructure"
  • Network segmentation implementation: Section 1.1.1.1 and 1.1.1.2 have switched places:
    • Network segmentation design principles moved to 1.1.1.1 (previously in 1.1.1.2)
    • Implementation details moved to 1.1.1.2 (previously in 1.1.1.1)
    • "Software-defined networking" moved from MAY to MUST category

Section 2: Access Control

  • Trusted Roles scope: Changed from designing/building/maintaining "CA Infrastructure and Network Equipment" to specifically "Certificate Systems and Root CA Systems"
  • Separation of Duties: Replaced requirement that Trusted Roles be assigned consistent with requirements of Multi-Party Control with a requirement that Trusted Roles be assigned consistent with "the Principle of Separation of Duties" (section 2.1)
  • Access restriction scope: Changed from "CA Infrastructure and/or Network Equipment" to "Certificate Systems and Root CA Systems" in section 2.2.1 and 2.2.1.1
  • Multi-Factor Authentication: Modified section 2.2.3 to require MFA "for access to CA Infrastructure" rather than "for accounts on CA Infrastructure and access to CA Infrastructure"

Section 4: Vulnerability Management

  • Expanded scope for vulnerability policies:
    • Added Security Support Systems and Network Boundary Controls to recommended scope
    • Added new deadline: "Effective 15-Apr-2026, these policies and procedures MUST apply to Security Support Systems and Network Boundary Controls"

Date Format Changes

  • Date format standardized to DD-MMM-YYYY throughout

Motion

The following motion has been proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

You can view and comment on the Github pull request representing this ballot here

Motion Begins

This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.4.

MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/compare/521b7778974fb2ecda200f8d1aabf9f7616943b7...13f349c59feb847a544e73c4c896d3dde7fd9f0d

When approved, this Ballot takes effect on the IPR review completion date.

Motion Ends

Discussion (at least 7 days)

  • Start time: Wednesday, April 16, 2025 17:00 UTC (2025-04-16T17:00:00Z)
  • End time: on or after Wednesday, April 23, 2025 17:00 UTC (2025-04-23T17:00:00Z)

Vote for approval (7 days)

  • Start time: TBD
  • End time: TBD

Roman Fischer

Apr 17, 2025, 2:24:00 AM
to net...@groups.cabforum.org

Dear Clint,

Can we extend the discussion period? Due to Easter holidays (Good Friday and Easter Monday are public holidays in many countries) and the weekend, the 7 day period is actually just 3 working days…

I would propose to extend it by one week.

Thanks
Roman

--
You received this message because you are subscribed to the Google Groups "NetSec WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netsec+un...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/netsec/2F888825-7C42-4433-8796-4493B14E36F7%40apple.com.

Dimitris Zacharopoulos (HARICA)

Apr 17, 2025, 3:39:33 AM
to net...@groups.cabforum.org

Clint Wilson

Apr 24, 2025, 1:35:15 PM
to NetSec WG
The following updates have been made to NS-008, resulting in NS-008v2. The discussion period will continue as outlined below.

1. Fixed a spelling error in the Risk Assessment definition (“infrastucture”)
2. Removed “critical” from the Principle of Separation of Duties definition
3. Updated the effective date of Version 2+ of the NCSSRs from September 17, 2025 to November 12, 2025

Ballot NS-008v2 is proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

  • Date format standardized to DD-MMM-YYYY throughout
  • Effective date of NCSSRs version 2.0.x updated from September 17, 2025 to November 12, 2025

Motion

The following motion has been proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

You can view and comment on the Github pull request representing this ballot here

Motion Begins

This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.4.

When approved, this Ballot takes effect on the IPR review completion date.

Motion Ends

Discussion (at least 7 days)

  • Start time: Wednesday, April 16, 2025 17:00 UTC (2025-04-16T17:00:00Z)
  • End time: on or after Thursday, May 01, 2025 17:00 UTC (2025-05-01T17:00:00Z)

Vote for approval (7 days)

  • Start time: TBD
  • End time: TBD

Backman, Antti

Apr 25, 2025, 1:46:18 AM
to net...@groups.cabforum.org

Hi,

I have a question on the language in section 1.1.1.2 (as referenced below).

###### 1.1.1.2

Network segmentation MUST be designed and implemented using Network Boundary Controls, such as:

* firewalls

* network switches

* physically separate networks

* software-defined networking

Network segmentation MAY leverage software, such as:

* virtual local area networks (VLANs) and VLAN access control lists

* virtual private networks (VPNs)

Just to make sure that I have understood the language correctly,

  1. Items listed in the ‘MUST’ category are examples of options to implement satisfactory network boundary controls, but NOT all need to be implemented to have a compliant implementation?
  2. Examples in the ‘MAY’ category: just wondering what purpose those serve as requirements?

Seeking clarity as a non-native English speaker to make sure that I understand the language correctly and can ensure adequate adherence going forward.

Just as a comment on the language in 1.1.1.2: to me, listing and limiting options by requirements may not be completely unheard of, but I am not sure if we should have such lists in the requirements, as those may be interpreted in various ways by different adopters of the requirements.

Thanks,

//Antti

Karina Sirota Goodley

May 1, 2025, 9:08:26 AM
to net...@groups.cabforum.org

Hi all,

We’ve been hearing from some partners and customers that this could affect a lot of core infrastructure (given the amount of changes between NS-003 and NS-008), and for it to hit just before the holidays could really affect the stability of their systems. Would we be amenable to a Feb 25, 2026 effective date?

Best,

Karina

Karina Sirota Goodley, MBA, MS

Security Program Manager 2

Trusted Root Program, AEP Trust and Governance

My working hours may not look like yours, and after-hours responses are neither required nor expected.


Daniel Jeffery

May 5, 2025, 11:36:39 AM
to net...@groups.cabforum.org
Hello Antti. I believe you've understood correctly. 

The MUST section uses "such as" to mean something like "for example" or "similar to". It is neither intended to be a comprehensive list of options nor to require each of the options that are listed. The hope was that providing such a list was more helpful in understanding the requirement than providing no examples at all.

The MAY section attempts to clarify that these items are permitted and considered useful in the general area of network boundary controls, but they do not replace the need for the boundary controls in the MUST section.

Dan

--
Daniel Jeffery | TLS

Backman, Antti

May 6, 2025, 1:26:01 AM
to net...@groups.cabforum.org

Hi,

Thank you Daniel for the confirmation, good then.

//Antti


Clint Wilson

May 6, 2025, 6:06:06 PM
to NetSec WG
Hi Karina,

Can you help us understand which changes in this ballot are causing the most concern or potential instability? I think the general sense I’ve gotten is that folks are happy with the shift from September to November, but if we can understand better the source of your concerns, we may have missed something in our assessment.

Thank you!
-Clint

Clint Wilson

May 7, 2025, 1:27:25 PM
to NetSec WG
The following updates have been made to NS-008v2, resulting in NS-008v3. The discussion period will continue as outlined below.

1. Added a definition for “Privileged Access”
2. Updated the definition for “Workstation” to use “Privileged Access” in the second bullet
3. Updated the introductory clause of Section 2.2.6 to use “Privileged Access” instead of "administration of and/or access”
4. Added “2.0.5” as the Document Version number and an entry to the “Document History” table

The following updates were previously made to NS-008, resulting in NS-008v2.

1. Fixed a spelling error in the Risk Assessment definition (“infrastucture”)
2. Removed “critical” from the Principle of Separation of Duties definition
3. Updated the effective date of Version 2+ of the NCSSRs from September 17, 2025 to November 12, 2025

Ballot NS-008v3 is proposed by Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).

When approved, this Ballot takes effect on the IPR review completion date.

Motion Ends

Discussion (at least 7 days)

  • Start time: Wednesday, April 16, 2025 17:00 UTC (2025-04-16T17:00:00Z)
  • End time: on or after Wednesday, May 14, 2025 17:00 UTC (2025-05-14T17:00:00Z)

Vote for approval (7 days)

  • Start time: TBD
  • End time: TBD

Clint Wilson

May 20, 2025, 10:04:28 AM
to NetSec WG
I plan on starting the Voting Period for this ballot within the next day.
