2024-04-18 Final Minutes
Attendees: Andrea Holland (VikingCloud), Ben Dewberry (Keyfactor), Brian Winters (IdenTrust), Bruce Morton (Entrust), Christophe Bonjean (GlobalSign), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Eva Vansteenberge (GlobalSign), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nome Huang (TrustAsia), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tim Crawford (CPA Canada/WebTrust), Wangmo Tenzing (Wangmo Tenzing) Minute-taker: Corey Bonnell Bruce read the note well. Bruce said he will call for approval of the F2F minutes at the next meeting. Meeting minutes for the March 21st meeting were approved. Meeting minutes for the April 4th meeting were approved. * Obsolete EVCS guidelines Dimitris said the ballot needs to be converted to PDF and circulated on the mailing list. Bruce said he will take care of that and Corey will publish on the website. * Remove EVG references Dimitris asked for a review of this draft ballot. He said that a mapping document is available to assist in the review. Martijn and Corey offered to review the PR (https://url.avanan.click/v2/___https://github.com/cabforum/code-signing/pul l/38___.YXAzOmRpZ2ljZXJ0OmE6bzo2Yjk1MjA2NDAyYWY4YmM5MzU3OGI3ODRkNWY2ZGQ3NDo2 OmNiMGU6ZDEzMDg3NzRjMzc5ZDE4YjE5MTZjNDY2ODNhODgxNjIxYTY0OTY4MGMxNDc0MzJmOGRh ZTMxNWYwOWM0NjkzOTp0OkY <https://url.avanan.click/v2/___https:/github.com/cabforum/code-signing/pull /38___.YXAzOmRpZ2ljZXJ0OmE6bzo2Yjk1MjA2NDAyYWY4YmM5MzU3OGI3ODRkNWY2ZGQ3NDo2O mNiMGU6ZDEzMDg3NzRjMzc5ZDE4YjE5MTZjNDY2ODNhODgxNjIxYTY0OTY4MGMxNDc0MzJmOGRhZ TMxNWYwOWM0NjkzOTp0OkY> ). * Change to timestamp requirements Martijn said Christophe provided several comments on the PR. Christophe raised a concern that re-issuance of a timestamping ICA would incur the requirement to move the CA private key to offline HSM. Bruce also raised a concern that long-lived timestamping CAs could be stored in online HSMs despite this ballot. Martijn said that we could create an effective date to require CAs to move to offline HSMs, but that may be complex. Dimitris said that moving a key does not eliminate the risk, as it was previously stored in an online HSM. Additionally, keys could have been generated before the effective date in an online state prior to being certified in a certificate. Martijn said that if a key has been generated online, then it couldn't be said that it was "maintained" in an offline state. Martijn said he can clarify this in the ballot. Martijn said to resolve the concern about legacy online CAs being used in perpetuity, that we could propose a sunset date for issuing end-entity timestamping responder certificates to force a rotation to offline CA keys. Corey agreed with that approach. * Other business Martijn said a ballot for modifying logging requirements in the TLS BRs. He'd like to align the CS BRs with this language. He will write a ballot to do this and will call for endorsers. Martijn also mentioned that we could remove the EVCS JOI fields and replace with the orgId, as is done in the SMBRs, but said it might be too early for that change. Bruce said we should reconsider all subject fields in light of the deprecation of EV CS. Dimitris agreed and said that we need to incorporate Microsoft's plans on the validation level of code signing certificates. Next meeting is May 2nd. Meeting adjourned.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Cscwg-public mailing list Cscwg-public@cabforum.org https://lists.cabforum.org/mailman/listinfo/cscwg-public
