NS-004 passed

Ballot NS-004: "Updating Section 4 - Vulnerability Management - of the NCSSRs"

Network Security Working Group

Key dates

  • Effective date: 12 Mar 2025
  • Voting opened: 04 Nov 2024
  • Voting closed: 11 Nov 2024
  • IPR review ends: 13 Dec 2024
  • Discussion opened: 16 Oct 2024
  • Discussion closed: 31 Oct 2024

AI Summary

Generated 2026-06-23 21:26 UTC

Ballot overview

  • Ballot NS-004 updates Section 4 (Vulnerability Management) of the Network and Certificate System Security Requirements (NCSSRs).
  • The ballot states it replaces Section 4 with a more comprehensive vulnerability management approach that is not limited to vulnerability scans and penetration tests.
  • The ballot includes minor revisions to clarify some system definitions from Ballot NS-003.

Purpose and rationale (as stated)

  • Vulnerability scans and penetration tests are described as useful controls but insufficient unless embedded in broader policies and procedures addressing CA-specific risks.
  • CAs are expected to address all vulnerabilities within risk-proportionate timelines, and to disclose remediation timelines in the CA’s CPS.
  • The CA’s vulnerability management processes are stated to apply to all systems in the CA’s inventory of Certificate Systems.
  • The ballot also describes defining when non-periodic penetration tests are performed, with an example assumption tied to changes that alter data flow between certificate systems or introduce new service integrations.

Voting and adoption status (as stated on the ballot page)

  • The ballot page states the voting period has ended and the Ballot has Passed.
  • Certificate Consumers: 3 Yes votes (Apple, Google, Mozilla), 0 No, 0 Abstain; 100% voted in favor.
  • Certificate Issuers: 14 Yes votes (Amazon Trust Services, Buypass AS, Disig, eMudhra, Entrust, Fastly, GoDaddy, HARICA, OISTE Foundation, SwissSign, Telia Company, TrustAsia, TWCA, VikingCloud), 0 No, 0 Abstain; 100% voted in favor.
  • The ballot page states Bylaws version 2.5 requirements were MET, including:
    • Two-thirds (2/3) or more of votes cast in the Certificate Issuer category in favor.
    • At least fifty percent (50%) plus one (1) of votes cast in the Certificate Consumer category in favor.
    • At least one voting member in each category voting in favor.
    • Quorum requirement of 7 was MET.

IPR review and exclusion notices (as stated)

  • The page describes an IPR Review Period of 30 days for a final maintenance guideline.
  • It states that members with Essential Claim(s) to exclude must submit a written Notice to Exclude Essential Claims to the Working Group Chair and also submit a copy to the CA/B Forum public mailing list before the end of the Review Period.
  • The page does not state that any exclusion notices were filed.

Effective date stated in the linked NCSSRs draft

  • The linked draft document includes a Requirements section stating:
    • Prior to 2025-03-12, the CA SHALL adhere to Version 1.7.
    • Effective 2025-03-12, the CA SHALL adhere to the updated requirements.
  • The draft document also includes a note that an Effective Date is based on completion of a 30-day IPR review without filing of any Exclusion Notices (as indicated in the document history table).

Model: gpt-5.4-nano Confidence: 0.86 Result: passed

Applicability and conditions

2025-03-12: CAs must follow Version 1.7 until 2025-03-12 and must adhere to the updated NCSSRs requirements starting on 2025-03-12. In the draft's wording: "Prior to 2025-03-12, the CA SHALL adhere to Version 1.7" and "Effective 2025-03-12, the CA SHALL adhere to the updated requirements."

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

0 Yes
0 No
0 Abstain

Proposers

Proposed by David Kluge of Google Trust Services and endorsed by Clint Wilson of Apple and Trevoli Ponds-White of Amazon.

Excerpt

IPR Review of Ballot NS-004: “Updating Section 4 - Vulnerability Management - of the NCSSRs”

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is for one Final Maintenance Guidelines. The complete Draft Maintenance Guideline that is the subject of this Review Notice is:
