Final minutes of CSCWG Aug 24, 2023


1.      Attendees: Abhishek Bhat - (eMudhra), Andrea Holland -
(VikingCloud), Bruce Morton - (Entrust), Corey Bonnell - (DigiCert), Dean
Coclin - (DigiCert), Dimitris Zacharopoulos - (HARICA), Ian McMillan -
(Microsoft), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo),
Martijn Katerbarg - (Sectigo), Mohit Kumar - (GlobalSign), Scott Rea -
(eMudhra), Tim Crawford - (CPA Canada/WebTrust), Tim Hollebeek - (DigiCert)
2.      The Anti-trust reminder was read
3.      The minutes of August 10th were approved.
4.      Adobe Interested party application - no update
5.      Ballot status

a.      SSL BR references - in IPR review until September 1st
b.      Signing Services - Bruce had sent out drafts for this and the other
two below. He received one comment back. Bruce asked for help in moving this
to GitHub and starting work on the official ballot. Corey agreed to help. Ian
commented that the draft should mention FIPS Level 3. Did we want to clarify
FIPS 140-3? Bruce said he can add a comma to include both. Ian asked
about an effective date and said we should set one to avoid chaos. Tim said
there's no confirmed evidence of anyone having a problem with this ballot
and we should pick a date and see if anyone complains.
c.      High Risk applications - Bruce suggested we do one of these three
ballots at a time, starting with the signing service, followed by the high
risk. Ian wants to spend more time scrutinizing the high risk ballot.
d.      Time stamping: Ian said that Martijn's comments (via email) addressed
his concerns. Martijn had some other concerns regarding the key destruction
part and auditor criteria. Having an auditor witness it every 18 months
could be costly. Could we just make sure that they are no longer online?
Bruce agreed that they don't need to be audited. Dimitris said it can be an
internal ceremony without an auditor. The auditor can review that. Inigo
asked why they have to be destroyed. Tim said there is no reason for the
private keys to exist. Dimitris was concerned about key backups and having
to find and delete those. Tim said as long as they are no longer usable, it
should be fine. Final agreement: no auditor necessary. Martijn will draft
some language in GitHub to make it clear.
e.      Dimitris asked if there was interest in doing the same work that was
done with the TLS BRs and the NetSec guidelines for the EV guidelines
(pulling the EV guidelines into the CSBRs). Ian said it could be wasted work
if we decide to do away with EV and just have one standard. Dimitris said it
would be helpful to bring them in and review what should stay and what
should go. Tim said we should go through and see what the actual EV references
are and look at each one. Corey had a concern about the changes to the
numbering and references. Dimitris said the CSBRs are already in the RFC 3647
format. Tim said that we still need to go through each item. Dimitris
suggested we should have this discussion at the next F2F meeting. He will
pull together all the references to the EV guidelines from the CSBRs.

6.      Lessons learned from June 1 change: Suggestion made to push this to
F2F. One item Bruce heard was that their validation team was more technical
than they were used to.
7.      Next meeting September 7th
8.      Adjourned



Dean Coclin 