Key dates
- Voting opened: 26 Jun 2020
- Voting closed: 03 Jul 2020
- Discussion opened: 26 Jun 2020
- Discussion closed: 03 Jul 2020
Resources
GitHub diff
https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624
AI Summary
Ballot overview
- Ballot SC032: NCSSRs Zones proposed removing the term zone from the NCSSRs and clarifying the split between physical security and logical security.
- The ballot states that it failed pursuant to the Bylaws.
- It was presented as a discussion-period email for Ballot SC32 and proposed two Final Maintenance Guidelines.
Main changes described
- The Baseline Requirements would be amended to add a definition for CA Equipment in section 1.6.1.
- BR section 5.1 would add physical security requirements for CA Equipment, including lockable enclosures, physical locks with access control devices, and other environmental protections.
- NCSSRs section 1.c would require Root CA Systems to be maintained in accordance with BR section 5.1 and to be offline or air-gapped from all other networks.
- NCSSRs section 1.d would require Certificate Systems, Issuing Systems, Certificate Management Systems, Front End / Internal Support Systems, and Security Support Systems to be maintained and protected in accordance with BR section 5.1.
- NCSSRs section 1.e would require Security Support Systems to secure and protect communications and Certificate Systems from non-trusted networks.
- NCSSRs section 2.c would limit logical or physical access to the listed systems to persons in Trusted Roles.
- NCSSRs section 2.g would keep password rules based on whether authentication occurs inside or outside the CA’s network, including MFA outside the network boundary.
- NCSSRs section 2.n would require MFA for all Trusted Role accounts on Certificate Systems accessible from outside the CA’s or Delegated Third Party’s network.
- Definitions for Critical Security Event and Trusted Role would be revised, and the terms High Security Zone, Security Zone, and Zone would be deleted.
Approval procedure and dates
- Discussion period: 2020-06-26 19:00:00 UTC to 2020-07-03 19:00:00 UTC.
- Vote for approval: start time TBD, end time TBD.
- The ballot page says the Chair or Vice-Chair is permitted to update the Relevant Dates and version numbers of the Baseline Requirements and NCSSRs.
Outcome
- The ballot failed pursuant to the Bylaws, so it did not become normative.
- Discussion opened: 2020-06-26
- Discussion closed: 2020-07-03
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Proposers
Proposed by Ben Wilson of Mozilla and endorsed by Trev Ponds-White of Amazon and Neil Dunbar of TrustCor Systems.
Excerpt
Ballot SC032: NCSSRs Zones. This ballot failed pursuant to the Bylaws.