← CABF Ballot Browser
NS-005 passed

Ballot NS-005 "Clarifications to sections 1, 2 and a definition prior to NS-003 taking effect"

Network Security Working Group

Key dates

Effective date
12 Mar 2025 1 year ago
Voting opened
04 Oct 2024 1 year ago
Voting closed
11 Oct 2024 1 year ago
IPR review ends
11 Nov 2024 1 year ago
Discussion opened
27 Sep 2024 1 year ago
Discussion closed
04 Oct 2024 1 year ago

Resources

GitHub diff https://github.com/cabforum/netsec/compare/7707907628ccebe6818fb6793d1c8a3aa38cf70d...danjeffery:netsec:d28c26261826a60c32e430eedfcd36c5b23b0139 https://github.com/cabforum/netsec/compare/7707907628ccebe6818fb6793d1c8a3aa38cf70d...danjeffery:netsec:d28c26261826a60c32e430eedfcd36c5b23b0139
± Redline https://cabforum.org/posts/2024/2024-11-11-NSWG-Ballot-NS-005/CA-Browser-Forum-NCSSR-2.0.1-redline.pdf https://cabforum.org/posts/2024/2024-11-11-NSWG-Ballot-NS-005/CA-Browser-Forum-NCSSR-2.0.1-redline.pdf
Document https://cabforum.org/posts/2024/2024-11-11-NSWG-Ballot-NS-005/CA-Browser-Forum-FG-NCSSR-2.0.1.pdf Ballot NS-005 “Clarifications to sections 1, 2 and a definition prior to NS-003 taking effect”
Document https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf

AI Summary

Generated 2026-06-23 21:27 UTC

Ballot overview

  • Ballot NS-005 is titled Clarifications to sections 1, 2 and a definition prior to NS-003 taking effect.
  • It is a Network Security Working Group ballot proposing changes to the Network and Certificate System Security Requirements.
  • The ballot page says the ballot has Passed, with all voting Certificate Consumers and Certificate Issuers voting in favor.

Purpose and relationship to NS-003

  • The ballot is intended to address unintended, unclear, or problematic expectations introduced or highlighted by NS-003.
  • It clarifies language in NS-003 to help CAs meet those requirements.
  • It extends the implementation timeline to 12 March 2025 so there is time to identify and create ballots for other concerns with NS-003.
  • The ballot page says it was ideally intended to go into effect on or before 12 November 2024, the date when NS-003 was scheduled to fully take effect.

Main substantive changes

  • Workstation is redefined as a device capable of accessing CA Infrastructure and/or Network Equipment with elevated privileges compared to any given point on the general internet.
  • Connections to and within CA Infrastructure must be authenticated and encrypted, except OCSP and CRL.
  • Shared or group accounts are no longer outright prohibited in the redline; instead, they should not be used, and if used, each use must be attributable to an approved activity and to an individual user or service account.
  • Workstations must be configured to prevent continued access after inactivity, with the inactivity duration selected based on the CA’s risk assessment.
  • Multi-factor authentication based on possession of a cryptographic key is allowed only if the key is stored in a key storage device designed to prevent extraction.
  • Password guidance is updated to reference NIST 800-63B Revision 3 Appendix A, and shared credential access must be limited by least privilege and comply with the shared-credential attribution rule.

Voting and IPR review

  • Start of Review Period: 12 October 2024 22:00 UTC
  • End of Review Period: 11 November 2024 22:00 UTC
  • Discussion Period Start: 2024 Sept 27, 19:30 UTC
  • Discussion Period End: 2024: Oct 4, 19:30 UTC
  • Voting Period Start: 2024 Oct 4, 19:30 UTC
  • Voting Period End: 2024 Oct 11, 19:30 UTC
  • The ballot page states the voting period has ended and the ballot has Passed.
  • The page does not state that any exclusion notices were filed.

Compliance timing

  • Prior to 2025-03-12, CAs must adhere to these Requirements or Version 1.7 of the Network and Certificate System Security Requirements.
  • Effective 2025-03-12, CAs must adhere to these Requirements.
  • The ballot page also says it was intended to go into effect on or before 12 November 2024, but the document text in the supplied artifact sets the operative implementation date at 2025-03-12.
Model: gpt-5.4-mini Confidence: 0.95 Result: passed
Effective date
2025-03-12
Voting opened
2024-10-04
Voting closed
2024-10-11
IPR review ends
2024-11-11
Discussion opened
2024-09-27
Discussion closed
2024-10-04
Applicability and conditions

2025-03-12 — CAs must begin adhering to these Requirements All CAs; prior to this date, CAs may adhere to these Requirements or Version 1.7 of the Network and Certificate System Security Requirements

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

0 Yes
0 No
0 Abstain

Proposers

Daniel Jeffery of Fastly/Certainly and endorsed by Miguel Sanchez of Google Trust Services and Antti Backman of Telia.

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot NS-005 "Clarifications to sections 1, 2 and a definition prior to NS-003 taking effect"Ballot NS-005 "Clarifications to sections 1, 2 and a definition prior to NS-003 taking effect"IPR Review of Ballot NS-005 “Clarifications to sections 1, 2 and a definition prior to NS-003 taking effect” This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is for one Final Maintenance Guidelines. The complete Draft Maintenance Guideline that is the subject of this

View on cabforum.org → Last fetched 15 hours ago

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action