Voting Period Begins: Ballot NS-005 "Clarifications to sections 1, 2 and a definition prior to NS-003 taking effect"


Daniel Jeffery

Oct 4, 2024, 3:31:40 PM
to net...@groups.cabforum.org

Moving to voting on Ballot NS-005

Ballot NS-005 is proposed by Daniel Jeffery of Fastly/Certainly and endorsed by Miguel Sanchez of Google Trust Services and Antti Backman of Telia.

        Purpose of the Ballot

NS-005 is intended to address unintended, unclear or problematic expectations that were introduced or highlighted by the changes in NS-003. 

        Reasons for the Proposal

Changes made in NS-003 altered the application of certain aspects of the NSR, one reason being the move from use of the term Certificate Systems to CA Infrastructure. The reorganization also helped to clarify certain points that may have been less obvious previously. NS-005 has been discussed with the working group, in meetings and on github, to clarify points of confusion and over-specification of industry practices. This includes:

  • defining "Workstation" for the purposes of this document by privileges and capability
  • limiting scope to connections that must be unencrypted and that are within the CA's control
  • recognizing there may be a practical or technical need for shared accounts, but requiring attribution to an individual actor and the approved activity in such cases
  • requiring that workstations MUST be secured when inactive, consistent with the CA's risk assessment
  • bringing use of hardware tokens for general multi-factor authentication more in line with industry best practices
  • removing a limited set of requirements in favor of the NIST recommendations

       Relation to Ballot NS-003

Ballot NS-005 clarifies some of the language in NS-003 for reasons of practical implementation to help CAs meet the requirements of NS-003. It also extends the implementation timeline out to 12 March 2025 so there is some time to identify and create ballots for any other concerns that CAs may have with NS-003. Ideally, IPR review will complete in time that NS-005 can go into effect on or before 12 November 2024, the date when NS-003 is currently scheduled to fully take effect.

       Relation to Ballot NS-004

Ballot NS-005 does not modify any of the text modified by NS-004. Both should be able to be merged complementarily.

--- Motion Begins ---

This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.

MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/compare/7707907628ccebe6818fb6793d1c8a3aa38cf70d...danjeffery:netsec:d28c26261826a60c32e430eedfcd36c5b23b0139

When approved, this Ballot takes effect on the IPR review completion date.

--- Motion Ends ---

Discussion Period (at least 7 days)

  • Start: 2024 Sept 27, 19:30 UTC
  • End: 2024 Oct 4, 19:30 UTC

Voting Period (7 days)

  • Start: 2024 Oct 4, 19:30 UTC
  • End: 2024 Oct 11, 19:30 UTC
--


Daniel Jeffery | TLS

Stephen Davidson

Oct 4, 2024, 4:57:00 PM
to net...@groups.cabforum.org

Noting the ballot language below re NS-003’s November date.  The proposed language would undo (for a period) NS-003’s requirement to change from NetSec1.7 to 2.0 on Nov 12.


This section:

 

## Requirements

 

Prior to 2025-03-12, the CA SHALL adhere to these Requirements or Version 1.7 of the Network and Certificate System Security Requirements. Effective 2025-03-12, the CA SHALL adhere to these Requirements.


should probably say

 

## Requirements

 

Prior to 2025-Mar-12, the CA SHOULD implement this updated version of these Requirements. Effective 2025-Mar-12, the CA SHALL implement these Requirements.

 

Sorry for late feedback.

Stephen


--
You received this message because you are subscribed to the Google Groups "NetSec WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netsec+un...@groups.cabforum.org.
To view this discussion on the web visit https://groups.google.com/a/groups.cabforum.org/d/msgid/netsec/CAFa_RQD2xkbMMwbH%2B0ehS-4mvUhjrjqORgRE1JpTmKp7wzUEqA%40mail.gmail.com.


Daniel Jeffery

Oct 4, 2024, 5:00:10 PM
to net...@groups.cabforum.org
This is absolutely intentional and was changed during the voting period at the request of some to allow a little more time for any further adjustments that may be needed to NS-003/NSR v2.0.

Thanks for reading closely enough to notice, Stephen!



--


Stephen Davidson

Oct 4, 2024, 5:05:18 PM
to net...@groups.cabforum.org

Ah perfect – I see the redline on the wiki page addresses this well.

Thanks Daniel!

 

Regards, Stephen


Daniel Jeffery

Oct 4, 2024, 6:25:14 PM
to net...@groups.cabforum.org
Fastly votes: YES

Dimitris Zacharopoulos

Oct 5, 2024, 5:39:44 AM
to 'Daniel Jeffery' via NetSec WG - Public (CA/B Forum)
HARICA votes "yes" to ballot NS-005.

DZ.


Bruce Morton

Oct 6, 2024, 10:07:31 PM
to net...@groups.cabforum.org

Entrust votes Yes to ballot NS-005.

 

 

Bruce.

 


Mads Egil Henriksveen

Oct 7, 2024, 2:10:20 AM
to net...@groups.cabforum.org

Buypass votes YES on ballot NS-005

 

Regards

Mads

--

Ben Wilson

Oct 7, 2024, 11:45:30 AM
to net...@groups.cabforum.org
Mozilla votes "yes" on Ballot NS-005.

--

Tom Zermeno

Oct 7, 2024, 1:03:31 PM
to net...@groups.cabforum.org

SSL.com votes “YES” on ballot NS-005.

 

Best regards,

 

Tom

SSL.com

 


Backman, Antti

Oct 8, 2024, 4:29:48 AM
to net...@groups.cabforum.org

Telia votes ’Yes’ on Ballot NS-005

 

//Antti

 


--

Jozef Nigut

Oct 8, 2024, 6:25:15 AM
to net...@groups.cabforum.org

Disig votes Yes on ballot NS-005

 

Regards,

Jozef Nigut

 

 


Brittany Randall

Oct 9, 2024, 4:47:58 PM
to net...@groups.cabforum.org
GoDaddy votes Yes on ballot NS-005

Best,

Brittany Randall

--

Inigo Barreira

Oct 9, 2024, 5:10:51 PM
to net...@groups.cabforum.org

Sectigo votes yes

 


 

--

Michael Guenther

Oct 11, 2024, 5:29:23 AM
to net...@groups.cabforum.org
smime.p7m

Chris Clements

Oct 11, 2024, 9:16:49 AM
to net...@groups.cabforum.org
Google votes YES on Ballot NS-005.

--

Silva, Marcelo

Oct 11, 2024, 9:48:50 AM
to net...@groups.cabforum.org

Visa votes YES on Ballot NS-005.

 

Thanks,

Marcelo

Christophe Bonjean

Oct 11, 2024, 9:57:16 AM
to net...@groups.cabforum.org

GlobalSign votes YES on Ballot NS-005.

 


Clint Wilson

Oct 11, 2024, 10:16:42 AM
to 'Corey Bonnell' via NetSec WG - Public (CA/B Forum)
Apple votes YES on NS-005.

Rollin.Yu

Oct 11, 2024, 11:23:34 AM
to net...@groups.cabforum.org
TrustAsia votes YES on Ballot NS-005.

Best regards,
Rollin Yu





Ponds-White, Trev

Oct 11, 2024, 1:02:35 PM
to net...@groups.cabforum.org

Amazon Trust Services votes yes.

 


 

--

Scott Rea

Oct 11, 2024, 1:41:50 PM
to net...@groups.cabforum.org

eMudhra Votes Yes on NS-005

 
