Ballot NS-003: Restructure the NCSSRs
Network Security Working Group
Key dates
- Effective date: 12 Nov 2024
- Voting opened: 23 Apr 2024
- Voting closed: 30 Apr 2024
- IPR review ends: 05 Jun 2024
- Discussion opened: 09 Apr 2024
- Discussion closed: 23 Apr 2024
AI Summary
Ballot overview
- Ballot NS-003, Restructure the NCSSRs, proposes a comprehensive restructuring of the Network and Certificate System Security Requirements, excepting Section 4.
- The ballot says the current structure has been challenging for creating ballots, contains duplicated requirements, and separates similar requirements across the document.
- The stated goals are to streamline the document structure, eliminate redundancies, improve comprehensibility, and enhance clarity and coherence.
Voting and approval
- The voting period ended and the ballot passed.
- Voting results:
  - 4 Certificate Consumer votes, all yes
  - 18 Certificate Issuer votes, all yes
- The bylaws requirements were met for both Certificate Issuers and Certificate Consumers.
- Quorum was met with 22 votes received.
- The evidence text includes an IPR Review Notice with a 30-day review period ending 5 June 2024 18:00 UTC.
Main compliance change
- The updated requirements state that prior to 2024-11-12, a CA SHALL adhere to either the new Requirements or Version 1.7 of the Network and Certificate System Security Requirements.
- Effective 2024-11-12, the CA SHALL adhere to the new Requirements.
Notable restructuring and content changes
- The document title is updated to Version 2.0.
- The scope and overview are rewritten to emphasize CA responsibility for Delegated Third Parties and Trusted Roles, and to define expected security outcomes.
- The definitions section is expanded and revised, including new or revised terms such as:
  - Air-Gapped
  - CA Infrastructure
  - Certificate System
  - Key Pair
  - Multi-Party Control
  - Network Equipment
  - Physically Secure Environment
  - Principle of Least Privilege
  - Root CA Certificate
  - Root CA Private Key
  - Root CA System
  - Security Support System
  - Workstation
- The requirements are reorganized into sections including:
  - CA Infrastructure and Network Equipment Configuration
  - Access Control
  - Monitoring, Logging, Auditing, and Incident Response
  - Vulnerability Detection and Patch Management
- The new text includes requirements for network segmentation, physical security, authenticated and encrypted connections, and other CA Infrastructure controls.
Document history
- The document history table adds Version 2.0, Ballot NS-003, Restructure NCSSRs.
- The document notes that the effective date is based on completion of the 30-day IPR review without filing of any Exclusion Notices.
2024-11-12: CAs must fully comply with the new Network and Certificate System Security Requirements (all CAs). The ballot text says that prior to this date a CA may follow either the new Requirements or Version 1.7, and effective on this date the CA SHALL adhere to the new Requirements.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Proposers
Proposed by Clint Wilson of Apple and endorsed by Trevoli Ponds-White of Amazon and David Kluge of Google Trust Services.
Excerpt
IPR Review of Ballot NS-003: Restructure the NCSSRs
This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is for one Final Maintenance Guidelines. The complete Draft Maintenance Guideline that is the subject of this Review Notice is: