Ballot NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems Applicability, and various other improvements
Network Security Working Group
Key dates
- Effective date
- 12 Nov 2025 7 months ago
- Voting opened
- 22 May 2025 1 year ago
- Voting closed
- 29 May 2025 1 year ago
- IPR review ends
- 03 Jul 2025 11 months ago
- Discussion opened
- 16 Apr 2025 1 year ago
- Discussion closed
- 14 May 2025 1 year ago
Resources
AI Summary
Ballot overview
- Ballot NS-008v3 updates the Network and Certificate System Security Requirements based on Version 2.0.4.
- The ballot covers changes to CA Infrastructure scope, trusted roles, systems applicability, definitions, and other improvements.
- The motion states that, when approved, the ballot takes effect on the IPR review completion date.
Voting and adoption
- The voting period ended and the ballot passed.
- Voting results met the bylaws requirements for both Certificate Consumers and Certificate Issuers.
- The quorum was 9 and this requirement was met.
Main content changes
- Updated CA Infrastructure to focus on Certificate Systems, Root CA Systems, and Security Support Systems.
- Removed the definitions for Certificate Management System, Delegated Third Party System, and Issuing System.
- Added or revised definitions including Network Boundary Control, Principle of Separation of Duties, and Privileged Access.
- Changed Trusted Role scope to personnel who design, build, develop, implement, operate, and maintain Certificate Systems and Root CA Systems.
- Replaced Multi-Party Control with the Principle of Separation of Duties for Trusted Role assignment.
- Changed access control language to apply to Certificate Systems and Root CA Systems.
- Updated remote access requirements to refer to Privileged Access and Network Boundary Controls.
- Updated monitoring and logging language to include Network Boundary Controls.
- Updated vulnerability management so the policies and procedures apply to all Certificate Systems, and later also to Security Support Systems and Network Boundary Controls.
Effective dates and phasing
- The document history shows Version 2.0.5 / NS-008 with adopted date 03-Jun-2025 and effective date 03-Jul-2025 in the redline artifact.
- The requirements section states that prior to 12-Nov-2025, CAs may follow these Requirements or Version 1.7, and effective 12-Nov-2025 CAs SHALL adhere to these Requirements.
- Section 4 adds that effective 15-Apr-2026, the vulnerability management policies and procedures MUST apply to Security Support Systems and Network Boundary Controls.
- The redline artifact also states that the effective date is based on completion of the 30-day IPR review without filing any Exclusion Notices.
- Effective date
- 2025-11-12
- Voting opened
- 2025-05-22
- Voting closed
- 2025-05-29
- IPR review ends
- 2025-07-03
- Discussion opened
- 2025-04-16
- Discussion closed
- 2025-05-14
2025-11-12 — CAs SHALL adhere to these Requirements rather than Version 1.7 All CAs; transition from Version 1.7 to these Requirements
2026-04-15 — The vulnerability management policies and procedures MUST apply to Security Support Systems and Network Boundary Controls Security Support Systems and Network Boundary Controls
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Vote result
Proposers
Clint Wilson (Apple) and endorsed by Ben Wilson (Mozilla), Cade Cairns (Google Trust Services), and Daniel Jeffery (Fastly).
Excerpt
SearchHome » All CA/Browser Forum Posts » Ballot NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems Applicability, and various other improvementsBallot NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems Applicability, and various other improvementsIPR Review of Ballot NS-008v3: Updates to CA Infrastructure Scope, Trusted Roles, Systems’ Applicability, and various other improvements This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is for one Final Maintenance