Re: [Smcwg-public] NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06

2024-04-16 Thread Stephen Davidson via Smcwg-public
Thanks Bruce.

The link should be working again: 
https://cabforum.org/posts/2024/2024-04-11-SMCWG-ballot-SMC06/CA-Browser-Forum-SMIMEBR-1.0.4-redline.pdf

Regards, Stephen



From: Bruce Morton 
Sent: Tuesday, April 16, 2024 3:08 PM
To: Stephen Davidson; SMIME Certificate Working Group
Subject: RE: NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06



The redline document does not appear to clearly show the changes to be reviewed.



Thanks, Bruce.



From: Smcwg-public On Behalf Of Stephen Davidson via Smcwg-public
Sent: Thursday, April 11, 2024 2:41 PM
To: smcwg-public@cabforum.org
Subject: [EXTERNAL] [Smcwg-public] NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06






NOTICE OF REVIEW PERIOD – BALLOT SMC06

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s 
Intellectual Property Rights Policy (v1.3). This 30-day Review Period is for 
the Final Maintenance Guideline that is attached to this Review Notice.

Ballot for Review: Ballot SMC06, redline at 
https://cabforum.org/posts/2024/2024-04-11-SMCWG-ballot-SMC06/CA-Browser-Forum-SMIMEBR-1.0.4-redline.pdf
Start of Review Period: April 11, 2024
End of Review Period: 2359 UTC on May 11, 2024

Please forward a written notice to exclude Essential Claims by email to 
smcwg-public@cabforum.org and a copy to the 
CA/B Forum public mailing list pub...@cabforum.org 
before the end of the Review Period.

See current version of CA/Browser Forum Intellectual Property Rights Policy for 
details. See also 
https://cabforum.org/ipr-policy/.
  An optional format for an Exclusion Notice is available at 
https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf.



Any email and files/attachments transmitted with it are intended solely for the 
use of the individual or entity to whom they are addressed. If this message has 
been sent to you in error, you must not copy, distribute or disclose of the 
information it contains. Please notify Entrust immediately and delete the 
message from your system.

___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


Re: [Smcwg-public] NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06

2024-04-16 Thread Bruce Morton via Smcwg-public
The redline document does not appear to clearly show the changes to be reviewed.

Thanks, Bruce.

From: Smcwg-public  On Behalf Of Stephen 
Davidson via Smcwg-public
Sent: Thursday, April 11, 2024 2:41 PM
To: smcwg-public@cabforum.org
Subject: [EXTERNAL] [Smcwg-public] NOTICE OF REVIEW PERIOD – SMCWG BALLOT SMC06


NOTICE OF REVIEW PERIOD – BALLOT SMC06

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s 
Intellectual Property Rights Policy (v1.3). This 30-day Review Period is for 
the Final Maintenance Guideline that is attached to this Review Notice.

Ballot for Review: Ballot SMC06, redline at 
https://cabforum.org/posts/2024/2024-04-11-SMCWG-ballot-SMC06/CA-Browser-Forum-SMIMEBR-1.0.4-redline.pdf
Start of Review Period: April 11, 2024
End of Review Period: 2359 UTC on May 11, 2024
Please forward a written notice to exclude Essential Claims by email to 
smcwg-public@cabforum.org and a copy to the 
CA/B Forum public mailing list pub...@cabforum.org 
before the end of the Review Period.

See current version of CA/Browser Forum Intellectual Property Rights Policy for 
details. See also 
https://cabforum.org/ipr-policy/.
  An optional format for an Exclusion Notice is available at 
https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf.



[cabfpub] Draft Charter for IPR Subcommittee

2024-04-16 Thread Ben Wilson via Public
All,

As mentioned during the Forum teleconference of April 11, 2024, here is a
draft charter for a Forum IPR Subcommittee. (This effort is separate, but
somewhat in parallel to the work of the Patent Advisory Group, which will
be handling GoDaddy's Patent Exclusion Notice, filed Mar. 22, 2024, in
relation to Ballot SC-70.)

Please provide your comments or questions.

Thanks,

Ben



*Forum IPR Subcommittee Charter*

Upon approval of the CAB Forum by ballot in accordance with section 5.6 of
the Bylaws, the Forum IPR Subcommittee (“FIS”) is created to perform the
activities as specified in this Charter, subject to the terms and
conditions of the CA/Browser Forum Bylaws and Intellectual Property Rights
(IPR) Policy, as such documents may change from time to time. The
definitions found in the Forum’s Bylaws or IPR Policy shall apply to
capitalized terms in this Charter.

*Scope*

The primary activity of the FIS shall be to review, and propose revisions
to, the Forum’s IPR Policy, IPR Policy Agreement, exclusion notice
template, and similar documents.  The FIS may perform other activities
ancillary to this primary activity.  The FIS will not create Final
Guidelines or Final Maintenance Guidelines.

*Anticipated End Date*

The FIS is chartered without a specific end date. However, it is expected
that the FIS will deliver results of its initial work to the Forum prior to
_ 2024.  Thereafter, the FIS will continue to exist, but may be
dissolved at any time by Forum ballot.

*Initial Chairs and Contacts*

The proposer of the ballot adopting this Charter, Ben Wilson, will act as
organizer of the FIS until the first teleconference is held for the FIS, at
which time the FIS will elect a chair and vice-chair, either by vote or by
acclamation of those present. The chair and vice-chair will normally serve
two-year terms.  However, the first term will start upon their election and
run through 31 October 2026.

*Members Eligible to Participate*

The FIS welcomes the participation of any Member organization of the Forum
interested in this work.  Forum Members that have initially declared their
participation in this Subcommittee are:

Amazon, Apple, DigiCert, GoDaddy, Google, HARICA, Let’s Encrypt, Mozilla,
Sectigo, SwissSign,

*Voting and Voting Structure*

Voting in the FIS shall be limited to Forum members. Voting shall be
egalitarian: all Members shall vote together as a single class, with one
vote granted to each Member organization. Any decisions of the FIS needed
to be voted upon by the FIS shall be considered adopted if the number of
votes in favor exceeds 50% of the votes cast.

*Primary Means of Communication*

The FIS will communicate primarily through listserv-based email and shall
conduct periodic calls or face-to-face meetings as needed.
___
Public mailing list
Public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/public


[Smcwg-public] Draft Minutes of SMCWG April 10, 2024

2024-04-16 Thread Stephen Davidson via Smcwg-public
## Minutes of SMCWG



April 10, 2024



These are the Draft Minutes of the meeting described in the subject of this 
message. Corrections and clarifications where needed are encouraged by reply.



## Attendees



Abhishek Bhat - (eMudhra), Adrian Mueller - (SwissSign), Adriano Santoni - 
(Actalis S.p.A.), Aggie Wang - (TrustAsia), Andreas Henschel - (D-TRUST), 
Ashish Dhiman - (GlobalSign), Ben Wilson - (Mozilla), Clint Wilson - (Apple), 
Dave Chin - (CPA Canada/WebTrust), Eva Vansteenberge - (GlobalSign), Inaba 
Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), Keshava Nagaraju - 
(eMudhra), Martijn Katerbarg - (Sectigo), Naveen Kumar - (eMudhra), Nome Huang 
- (TrustAsia), Renne Rodriguez - (Apple), Rollin Yu - (TrustAsia), Sandy Balzer 
- (SwissSign), Scott Rea - (eMudhra), Stefan Selbitschka - (rundQuadrat), 
Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Thomas 
Zermeno - (SSL.com), Tsung-Min Kuo - (Chunghwa Telecom), Yashwanth TM - 
(eMudhra)



## 1. Roll Call



The Roll Call was taken.



## 2. Read Antitrust Statement



The statement was read concerning the antitrust policy, code of conduct, and 
intellectual property rights agreement.



## 3. Review Agenda



Minutes were prepared by Stephen Davidson.



## 4. Approval of minutes from last teleconference



The minutes for the teleconference of March 27 were approved.



## 5. Discussion



Stephen Davidson  noted that Ballot SMC06 was in Voting Period until April 11. 
See https://lists.cabforum.org/pipermail/smcwg-public/2024-April/000957.html.

The WG reviewed Issue 240 raised by Martijn Katerbarg that the GOV 
registration scheme did not allow the use of the XX country code for countries 
that do not yet have an ISO-assigned code.  See 
https://github.com/cabforum/smime/issues/240

Stephen confirmed that there are CAs with significant existing populations of 
valid Legacy generation certificates, particularly in the Sponsor- and 
Org-validated categories.

The WG commenced a discussion of the differences between the Legacy generation 
certificate profiles versus the Multipurpose and Strict.  The following 
summarises the conversation, providing links to the related sections.

https://cabforum.org/posts/2024/2024-04-10-legacy-deprecation/SMCWG_20240410_Final.pdf

Stephen asked Certificate Issuers to review this information and provide 
feedback to help the SMCWG determine appropriate steps and timelines to migrate 
to the Multipurpose/Strict profiles. If preferred, that information can be 
provided directly to Stephen or Martijn to consolidate.

## 6. Any Other Business



It was agreed to cancel the teleconference scheduled for May 22 due to 
proximity to the F2F 62 meeting.



## 7. Next call



Next call: Wednesday, April 24, 2024 at 11:00 am Eastern Time



## Adjourned







[Cscwg-public] CSCWG Agenda April 18, 2024

2024-04-16 Thread Dean Coclin via Cscwg-public
MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 Bruce will run the meeting as I have a conflict this week

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - F2F  (Andrea), March 21st (Brianca),
April 4th (Scott)
4.  Proposed ballots: Remove EV Guideline References
5.  Proposed ballot for Time-stamp Requirements update; CSC-24
6.  Other business
7.  Next meeting - May 2nd  
8.  Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 

 

 



___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public


Re: [Cscwg-public] [External Sender] Re: [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection

2024-04-16 Thread Martijn Katerbarg via Cscwg-public
Hi Christophe, Adriano,

Thank you for the comments. 

I kind of think this may be a slight mismatch between what’s listed as the 
purpose of the ballot, vs the language included in the redline. However, I’m 
not sure I agree with your solution:

> I would recommend to scope this change to Private Keys generated after the 
> effective date, instead of linking it to the issuing date of the Subordinate 
> CA Certificate for those keys. 

> For example if a CA issues a new Subordinate CA Certificate after this date, 
> with an existing Private Key, then the related Private Key would need to be 
> moved to an offline state. I think the intention is only for new keys to 
> follow this requirement. 

Am I understanding correctly that you’re proposing that if CAs issue a new 
SubCA after the effective date using a key already in existence, you want them 
to keep using that CA in an online state? 

If so, that kind of defeats the purpose of this ballot. CAs may have loads of 
parked private keys in their online HSMs, meaning if we scope it to when a key 
was generated, they could keep issuing new SubCAs for timestamping for many 
years to come in an online state. 

Instead, I think we could restate the purpose of the ballot to make it a bit 
more clear if we feel that may help, as:
1. Require Private Keys associated with newly issued Timestamp Authority 
Subordinate CA to be stored in offline HSMs 
2. Add a requirement to remove Private Keys associated with Timestamp 
Certificates after 18 months 
3. Add a requirement to reject SHA-1 timestamp requests 


Thoughts?

(If so, I wonder, since the redline doesn’t change, only the ballot 
description, does it need a new ballot version?)

Regards,

Martijn 

From: Cscwg-public  on behalf of Adriano 
Santoni via Cscwg-public 
Date: Tuesday, 16 April 2024 at 08:35
To: cscwg-public@cabforum.org 
Subject: Re: [Cscwg-public] [External Sender] Re: [Discussion Period Begins] 
CSC-24 (v2): Timestamping Private Key Protection 



I concur with Christophe. 
Adriano 

On 12/04/2024 16:30, Christophe Bonjean via Cscwg-public wrote: 

Hi Martijn, 

Looking at the purpose of the ballot, the goal is to require newly issued [..] 
Private Keys to be stored in offline HSMs. 

The proposed change scopes this change to [keys related to] Root CA 
certificates and new Subordinate CA certificates 

I would recommend to scope this change to Private Keys generated after the 
effective date, instead of linking it to the issuing date of the Subordinate CA 
Certificate for those keys. 

For example if a CA issues a new Subordinate CA Certificate after this date, 
with an existing Private Key, then the related Private Key would need to be 
moved to an offline state. I think the intention is only for new keys to follow 
this requirement. 

Christophe 


From: Cscwg-public  
 On Behalf Of Martijn Katerbarg via 
Cscwg-public
Sent: Monday, April 8, 2024 9:32 AM
To: cscwg-public@cabforum.org 
Subject: [Cscwg-public] [Discussion Period Begins] CSC-24 (v2): Timestamping 
Private Key Protection 



Purpose of the Ballot 
This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates“ version 3.7 in order to clarify 
language regarding Timestamp Authority Private Key Protection. The main goals 
of this ballot are to: 

1. Require newly issued Timestamp Authority Subordinate CA Private Keys to be 
stored in offline HSMs 
2. Add a requirement to remove Private Keys associated with Timestamp 
Certificates after 18 months 
3. Add a requirement to reject SHA-1 timestamp requests 
The following motion has been proposed by Martijn Katerbarg of Sectigo and 
endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft. 
MOTION BEGINS 
This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline 
Requirements") based on version 3.7. MODIFY the Code Signing Baseline 
Requirements as specified in the following redline: 
https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421
 

 
MOTION ENDS 
The procedure for this ballot is as follows: 

Re: [Cscwg-public] [External Sender] Re: [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection

2024-04-16 Thread Adriano Santoni via Cscwg-public

I concur with Christophe.

Adriano


On 12/04/2024 16:30, Christophe Bonjean via Cscwg-public wrote:


Hi Martijn,

Looking at the purpose of the ballot, the goal is to require *newly 
issued* [..] *Private Keys* to be stored in offline HSMs.

The proposed change scopes this change to [keys related to] Root CA 
certificates and *new Subordinate CA certificates*


I would recommend to scope this change to Private Keys generated after 
the effective date, instead of linking it to the issuing date of the 
Subordinate CA Certificate for those keys.


For example if a CA issues a new Subordinate CA Certificate after this 
date, with an existing Private Key, then the related Private Key would 
need to be moved to an offline state. I think the intention is only 
for new keys to follow this requirement.


Christophe

*From:* Cscwg-public *On Behalf Of* Martijn Katerbarg via Cscwg-public

*Sent:* Monday, April 8, 2024 9:32 AM
*To:* cscwg-public@cabforum.org
*Subject:* [Cscwg-public] [Discussion Period Begins] CSC-24 (v2): 
Timestamping Private Key Protection


*Purpose of the Ballot*

This ballot updates the “Baseline Requirements for the Issuance and 
Management of Publicly‐Trusted Code Signing Certificates“ version 3.7 
in order to clarify language regarding Timestamp Authority Private Key 
Protection. The main goals of this ballot are to:


 1. Require newly issued Timestamp Authority Subordinate CA Private
Keys to be stored in offline HSMs
 2. Add a requirement to remove Private Keys associated with Timestamp
Certificates after 18 months
 3. Add a requirement to reject SHA-1 timestamp requests

The following motion has been proposed by Martijn Katerbarg of Sectigo 
and endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft.


*MOTION BEGINS*

This ballot updates the “Baseline Requirements for the Issuance and 
Management of Publicly‐Trusted Code Signing Certificates” ("Code 
Signing Baseline Requirements") based on version 3.7. MODIFY the Code 
Signing Baseline Requirements as specified in the following 
redline: https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421


*MOTION ENDS*

The procedure for this ballot is as follows:

Discussion (7 days)

  * Start Time: 2024-04-08 09:00 UTC
  * End Time: Not before 2024-04-15 17:00 UTC

Vote for approval (7 days)

  * Start Time: TBD
  * End Time: TBD

