CSCWG Meeting 2023-10-19 Thursday, October 19, 2023
Attendees: * Aaron Poulsen - Amazon Trust Services * Andrea Holland - VikingCloud * Atsushi INABA - GlobalSign * Bruce Morton - Entrust * Corey Bonnell * Dean Coclin-DigiCert * Dimitris Zacharopoulos (HARICA) * Ian McMillan - Microsoft * Janet Hines - VikingCloud * Richard Kisley - IBM * Mohit Kumar - GlobalSign * Rollin Yu - TrustAsia * Scott Rea - eMudhra * Tim Crawford - BDO/WebTrust Agenda: * Assign Minute taker (start recording) * Ian McMillan * Roll call * Completed by Dean * Antitrust Compliance Statement * Completed by Dean * Review Agenda * No comments on the agenda * Approval of prior meeting minutes - F2F 5 Oct, Need minutes! * Minutes received from Mohit * Need to get other half of the minutes from Tim Callan (Dean to follow up) * Ballot CSC-20 Restore Version Reference to EV Guidelines * Voting completed and it has passed with quorum * Ballot CSC-21 Signing Service * In discussion period * Comments on the definition of Signing Service * This definition must not apply to a subscriber and that includes when the CA is a subscriber itself. * Current definition seems to not be clear for CAs that leverage a Signing Service they provide and how the Subscriber Agreement would apply or not in this case. * Microsoft has a case where the Signing Service does a Subscriber Agreement with the CA service team with a separation of duties between the teams, so there is precedence for this behavior. * Signing Service does not include a subscriber's managed signing service. * New proposed definition: An organization that generates the key pair and securely manages the private key associated with the code signing certificate on behalf of the subscriber. * Audit Requirements and Audit Dates * We should consider an effective date to allow for Signing Services to comply with the requirements * There should a ramp up period or include it in the next audit period so not to include it current audit periods. * We need to give CAs runway to get this into their audit plans * We should provide an effective date of 6 months from the projected ballot completion timeframe (e.g. June 1, 2024) for the audits starting after that effective date. * Section 8.4 currently requires a Signing Service to comply with the audit requirements for a CA or a Delegated 3rd Party * Is it possible that CSBRs say Signing Services must comply with the requirements including audits for the NetSec BRs, but they are not? * How does a CA know there is a Signing Service or not? * Resellers come into the picture here * Previously we questioned if Signing Services should have these audit requirements and we talked ourselves into it. * We can lean on the Subscriber Agreement and Subscriber Warranties to push the audit requirements onto 3rd party Signing Services and Resellers * How are these enforced? * 3 scenarios here. * CA that provides a Signing Service to Subscribers * Assumption is these are already being audited * CA that partners with a 3rd Party Signing Service to the CA subscribers * Subscriber uses a unaffiliated 3rd Party Signing Service to use a CA issued code signing certificate (CA may or may not be aware there is a signing service in the loop unless the Subscriber notifies the CA) * More or less a private key protection service * This is not easy here to tell when 3rd party Signing Service is involved * First focus on Signing Services that CAs know about, but this will not be equivalent * CAs with a Signing Service has the hardest compliance challenge, but a unaffiliated 3rd party Signing Service (Reseller) would not have the same requirements * We should consider dropping these audit requirements on the Signing Services and focus on the subscriber private key protection requirements * The one point we are considering is the Signing Service risk with a multi-tenant service, this is the same as Resellers. * Can we look at prohibiting Resellers from having an unaudited Signing Service? * We made a lot of progress here so we should consider moving forward as-is * Consider using the S/MIME BR language for effective date, Bruce/Corey to review that language * Proposed Ballot High Risk * No updates until CSC-21 is completed * Proposed ballot Remove EV Guideline References * Will pick this up once we have all the notes from the F2F discussion * Proposed ballot CSCWG Charter Update * Need Martijn to update here * Other business * None * Next meeting - 2 November
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Cscwg-public mailing list Cscwg-public@cabforum.org https://lists.cabforum.org/mailman/listinfo/cscwg-public
