[Cscwg-public] CSC-24 (v3): Timestamping Private Key Protection: BALLOT RESULTS

[Dean Coclin via Cscwg-public]

Voting on Ballot CSC-24 has ended and the ballot has FAILED.

 

CAs voting in favor: DigiCert, Entrust, Globalsign, Harica, Identrust, Sectigo

Opposed: None

Abstain: None

 

Certificate Consumers voting in favor: None

Opposed: None

Abstain: None

 

Quorum = 5 and was met.

 

Therefore the ballot fails.

 

The proposer and endorsers are urged to review the ballot and coordinate a 
re-vote.


Dean Coclin

CSCWG Char

 

From: Cscwg-public  On Behalf Of Martijn 
Katerbarg via Cscwg-public
Sent: Monday, May 20, 2024 11:05 AM
To: cscwg-public@cabforum.org
Subject: [Cscwg-public] [Voting Period Begins] CSC-24 (v3): Timestamping 
Private Key Protection

 

Purpose of the Ballot

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates“ version 3.7 in order to clarify 
language regarding Timestamp Authority Private Key Protection. The main goals 
of this ballot are to:

1.  Require Private Keys  associated with newly issued Timestamp Authority 
Subordinate CA to be stored in offline HSMs
2.  Require newly issued Timestamp Certificates to be issued from a TSA CA 
with its Private key storedn in offline HSMs
3.  Add a requirement to remove Private Keys associated with Timestamp 
Certificates after a 18 months
4.  Add a requirement to reject SHA-1 timestamp requests

The following motion has been proposed by Martijn Katerbarg of Sectigo and 
endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft.

 

MOTION BEGINS

 

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline 
Requirements") based on version 3.7. MODIFY the Code Signing Baseline 
Requirements as specified in the following redline: 
https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...61d9426e9025d448a13eb56fa75b9651b2136548
 

  

MOTION ENDS

The procedure for this ballot is as follows:

Discussion (7 days)

*   Start Time: 2024-05-10 10:45 UTC
*   End Time: Not before 2024-05-20 09:05 UTC

Vote for approval (7 days)

*   Start Time: 2024-05-20 09:05 UTC
*   End Time: 2024-05-27 09:05 UTC

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final CSCWG May 2nd, 2024 Minutes

[Dean Coclin via Cscwg-public]

Attendees:
Dimitris (HARICA),
Corey Bonnell (DigiCert),,
Thomas Zermeno (SSL.com),
Scott Rea (eMudhra),
Bruce Morton (Entrust),
Andrea Holland (VikingCloud),
Rebecca Kelley (SSL.com),
Brian Winters (IdenTrust),
Ian McMillan (Microsoft),
Mohit Kumar (GlobalSign),
Marco Schambach (IdenTrust),
Richard Kisley (IBM),
Brianca Martin (Amazon),
Martijn Katerbarg (Sectigo),
Wangmo Tenzing (Wangmo Tenzing),
Tim Hollebeek (DigiCert),
Janet Hines (VikingCloud),
Atsushi INABA (GlobalSign),
Dean Coclin (DigiCert),
Inigo Barreira (Sectigo),
Janet Hines (VikingCloud)

Minute-taker: Brian Winters

AntiTrust Reminder read by Dean Coclin.


Face-to-face meeting minutes approved.

April 18th Minutes approved.


* EVCS Guidelines ballot CSC-23:

Bruce Morton indicated possible new requirement raised by Martijn.  Martijn
requested input by Dimitris, not on the call yet.
Cory stated that the language sometimes indicates EV Code Signing
certificate and in other places uses the term certificates.
Bruce asked what is the new requirement?  Cory indicated the Subject Org ID
requirement.  We are introducing new language about what the Org ID may
contain.
Bruce suggested a new ballot regarding the Org ID changes.  Agreed upon by
Ian, and Andrea Holland.
Dean mentioned having seen an open pull request to remove the Org ID
changes.  Pull request has comments by Dimitris and Corey Bonnell.
Corey stated that Dimitris is the main driver on this ballot.

Dimitris joined late and commented on new requirement as done on purpose, to
be effective sometime after September to be consistent with new EV
guidelines.
Bruce commented Org Id might be better to add later after adapting to new MS
EV Guidelines.  Dimitris stated he is ok with removing it now and adding it
later.  But thinks it could also be added now as optional.  Cory expressed
some customers might be already using Org Id and may have incompatibilities
with new Org Id standards.  Dimitris stated the September effective date
allows time for those customers to adapt.  Andrea asked Dimitris if it's
acceptable to create a separate ballot for the Org Id field.  Tim commented
achieving parity with TLS working group might be just updating requirements
for sake of updating requirements.  We should really solve the problem.  We
should find the best way to identify the globally unique publisher signing
code.  Most relying party software doesn't utilize Org Id field.  Tim urged
separating this into a new ballot.  Dimitris eventually agreed.

Bruce asked Dimitris about the Due Diligence requirement.  Martijn commented
about portions of it being in scope.  Expressed concern about the term
Nullified in the language.


* Timestamping Ballot CSC-24

Martijn raised topic about language to prevent CAs from issuing Timestamp
certificates from already issued SubCAs in an online state.  Language was
introduced on April 22nd, yet no comments produced.  Planned to effect
certificates issued on or after April 15, 2025.


* Face-to-Face meeting planning

Dean Coclin asked for suggestions for items to discuss.

- Ian suggested the topic "maximum certificate validity periods for CS
certificates".  Impact of reducing max validity from 39 to 15 or 24 months
duration.  What is the sweat spot for max validity periods.
- Bruce wants to discuss Microsoft's planned changes to EV CS certificates.
Ian agreed this is an important topic.  Tentative plan is one certificate
type, albeit Individual validated and Organization validated.  Dean pointed
out another notable example of Microsoft EV CS use hardware related
scenario.
- Corey raised issue regarding Microsoft's Trusted Signing Service
introduces custom EKU into CS certificates to uniquely identify the
publisher (face-to-face or future meeting).  Potential breakage for
publisher.  Per publisher EKU is potential solution to prevent breakage.
Ian discussed Windows Security Center involvement on this issue.  Only 1st
party CAs for integrity checks.
- Martijn,  CT for code signing time allowing.

* Other business

Next Meeting May 16th.

Following will be the Face-to-face meeting in Italy.

* Topic for next meeting

- PCI-HSM Acceptance for CA HSM evaluations (Richard Kisley).


smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda May16, 2024

[Dean Coclin via Cscwg-public]

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - May 2 (Brian)
4.  Proposed ballots: Remove EV Guideline References (Dimitris)
5.  Proposed ballot for Time-stamp Requirements update; CSC-24 (Martijn)
6.  Proposal for PCi-HSM acceptance for CA HSMs evaluation (R.Kisley)
7.  Further discuss F2F Agenda
8.  Other business
9.  Next meeting - F2F   
10. Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG April 18, 2024 Final meeting minutes

[Dean Coclin via Cscwg-public]

 

2024-04-18 Final Minutes

 

Attendees:

Andrea Holland (VikingCloud), Ben Dewberry (Keyfactor), Brian Winters
(IdenTrust), Bruce Morton (Entrust), Christophe Bonjean (GlobalSign), Corey
Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA),
Eva Vansteenberge (GlobalSign), Inaba Atsushi (GlobalSign), Inigo Barreira
(Sectigo), Janet Hines (VikingCloud), Marco Schambach (IdenTrust), Martijn
Katerbarg (Sectigo), Nome Huang (TrustAsia), Scott Rea (eMudhra), Thomas
Zermeno (SSL.com), Tim Crawford (CPA Canada/WebTrust), Wangmo Tenzing
(Wangmo Tenzing)

 

Minute-taker: Corey Bonnell

 

Bruce read the note well.

 

Bruce said he will call for approval of the F2F minutes at the next meeting.

 

Meeting minutes for the March 21st meeting were approved.

Meeting minutes for the April 4th meeting were approved.

 

* Obsolete EVCS guidelines

 

Dimitris said the ballot needs to be converted to PDF and circulated on the
mailing list.

Bruce said he will take care of that and Corey will publish on the website.

 

* Remove EVG references

 

Dimitris asked for a review of this draft ballot. He said that a mapping
document is

available to assist in the review. Martijn and Corey offered to review the
PR

(https://url.avanan.click/v2/___https://github.com/cabforum/code-signing/pul
l/38___.YXAzOmRpZ2ljZXJ0OmE6bzo2Yjk1MjA2NDAyYWY4YmM5MzU3OGI3ODRkNWY2ZGQ3NDo2
OmNiMGU6ZDEzMDg3NzRjMzc5ZDE4YjE5MTZjNDY2ODNhODgxNjIxYTY0OTY4MGMxNDc0MzJmOGRh
ZTMxNWYwOWM0NjkzOTp0OkY
 ).

 

* Change to timestamp requirements

 

Martijn said Christophe provided several comments on the PR. Christophe
raised a

concern that re-issuance of a timestamping ICA would incur the requirement
to move

the CA private key to offline HSM. Bruce also raised a concern that
long-lived

timestamping CAs could be stored in online HSMs despite this ballot. Martijn

said that we could create an effective date to require CAs to move to
offline HSMs,

but that may be complex.

 

Dimitris said that moving a key does not eliminate the risk, as it was
previously

stored in an online HSM. Additionally, keys could have been generated before
the

effective date in an online state prior to being certified in a certificate.

Martijn said that if a key has been generated online, then it couldn't be
said that

it was "maintained" in an offline state. Martijn said he can clarify this in
the ballot.

 

Martijn said to resolve the concern about legacy online CAs being used in
perpetuity,

that we could propose a sunset date for issuing end-entity timestamping
responder

certificates to force a rotation to offline CA keys. Corey agreed with that
approach.

 

* Other business

 

Martijn said a ballot for modifying logging requirements in the TLS BRs.
He'd like

to align the CS BRs with this language. He will write a ballot to do this
and will

call for endorsers.

 

Martijn also mentioned that we could remove the EVCS JOI fields and replace
with

the orgId, as is done in the SMBRs, but said it might be too early for that
change.

Bruce said we should reconsider all subject fields in light of the
deprecation of

EV CS. Dimitris agreed and said that we need to incorporate Microsoft's
plans

on the validation level of code signing certificates.

 

Next meeting is May 2nd. Meeting adjourned.



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final minutes of F2F CSCWG Feb 28, 2024

[Dean Coclin via Cscwg-public]

 

Code Signing Certificate Working Group Draft Minutes Feb 28, 2024 F2F
Meeting India

 

Discussion leader: Bruce Morton (Entrust)

Minutes: Andrea Holland (VikingCloud)

 

Attendees: Paul van Brouwershaven (Entrust), Dustin Hollenback (Microsoft),
Tim Callan (Sectigo), Scott Rea (eMudhra), Dimitris Zacharopoulos (HARICA),
Arno Fiedler (ETSI), Arvid Vermote (GlobalSign), Ashish Dhiman (GlobalSign),
Tadahiko Ito (SECOM), Corey Bonnell (DigiCert), Inigo Barreira (Sectigo),
Mrugesh Chandarana (IdenTrust), Marco Schambach (IdenTrust), Nitesh Bakliwal
(Microsoft), Kiran AM (eMudhra), Keshava N (eMudhra), Abhishek Bhat
(eMudhra), Naveen Kumar (eMudhra), Yashwanth (eMudhra), Dean Coclin
(DigiCert), Thomas Zermeno (SSL.com), Mohit Kumar (GlobalSign), Martijn
Katerbarg (Sectigo), Nargis Mannan (Viking Cloud), Marco Schambach
(IdenTrust), Tim Hollebeek (DigiCert), Atsushi Inaba (GlobalSign), Trevoli
Ponds-White (Amazon Trust Services), Aaron Poulsen (Amazon Trust Services),
Rich Smith (DigiCert), Roman Fischer (SwissSign), Eva Van Steenberge
(GlobalSign), Rollin Yu (TrustAsia), Michael Slaughter (Amazon Trust
Services), Nome Huang (TrustAsia), Kateryna Aleksieieva (Certum), Andrea
Holland (VikingCloud), Bruce Morton (Entrust), Tim Crawford (CPA
Canada/WebTrust), Ian McMillan (Microsoft), Stefan Kirch (Telekom Security),
Tsung-Min Kuo (Chunghwa Telecom), Rebecca Kelley (Apple), Li-Chun Chen
(Chunghwa Telecom)Interested Party: Ben Wilson (Mozilla), Invited Guests:
Ramachandran P (Office of CCA, MEITY, Govt of India), Mike Kushner
(Keyfactor), Seven Rajala (Keyfactor), 

 

Detailed minutes:

 

1.  Antitrust Compliance Statement read

2.  Review Agenda

3.  Statement from Nitish. 

*   Survey went out from Microsoft. If you have not received it please
reach out. 

*   Update to EV CS OID changes.

*   Deadline of August 2024 for feedback and reasons/scenarios for
supporting.

*   Timeline of February 2025 of planned removal of support of EV Code
Signing.

*   Policy update of removal of EV CS OID was published early and will
be reverted until the planned removal date.

*   Clarification that OCSP is required only for TLS not for Code
Signing or S/MIME.

4.  Approval of February 8th minutes
5.  Certificate Transparency for Code Signing

*   Discussion by Ian, Trev, Tim H., Bruce, Dimitris, Martijn, Paul, and
Dean.

*   Discussion about the problem statement for the need of public
transparency for Code Signing certificates and the revocation aspect.

*   Discussion on the infrastructure of the tools necessary to monitor
the CT logs as well as subscriber benefits, but these should be a secondary
phase.

*   Discussion around use case of CT for CS and the differences between
CT for TLS vs for CS. 

*   Code Signing certificates are signing code that can last forever
which impacts the length of time needed for the CT log.

*   Single use CS certificates would cause a high number of records on
the CT logs.

*   Specific questions were discussed: How long should a record be in a
Trusted CT Log? What happens when a log gets retired? How long should a log
be active? How many logs would CAs be required to log to? These will be
continued based on implementation.

*   Action item: To define/refine the problem statement. 

6.  Reduction of Code Signing validity to 15 months

*   Discussion by Ian, Bruce, Dean, Martijn, Tim C., Dimitris, and Trev

*   Reason for request is the longer a validity period causes a
revocation to have a larger impact radius which causes unintended collateral
damage.

*   Original time of 39 months was based on the common actions at the
time, should this be revisited. How many certificates are being issued at 39
months? Are 12 month certs more common, or has this changed due to the
protection of the private key requirement? 

*   Discussion that the worry is the amount of software that is signed
under a particular key. In the event that a key gets compromised, you have
to revoke a whole bunch of software.

*   Action item: Get the data, review, and move forward from there.

7.  Ballot for EVG import

*   Discussion by Bruce, Tim H., Ian, Tim C., Dimitris, Mrugesh, Trev,
Enrico, and Paul

*   The idea is that non-EV code signing is going away and EV will be
the new standard. 

*   Microsoft confirms that hardware dev center is the only remaining
location which policy says EV cert is needed for onboarding only. Smart
screen doesn't distinguish between the two. 

*   Microsoft doesn't differentiate between OV and EV OIDs they are
treated the same.

*   Microsoft wants to simplify to one type of CS certificate with the
only difference in validation type (individual validation vs organization
validation). 

*   CS BRs points to specific references in EV Guidelines. The EVG
import should be completed first. Then next step is to simply CS BRs to
match with one CS type. The goal of 

[Cscwg-public] CSCWG Agenda May 2, 2024

[Dean Coclin via Cscwg-public]

 

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - F2F  (Andrea), April 18th (Corey)
4.  Proposed ballots: Remove EV Guideline References
5.  Proposed ballot for Time-stamp Requirements update; CSC-24
6.  Discuss F2F Agenda
7.  Other business
8.  Next meeting - May 16th   
9.  Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final CSCWG Minutes April 4, 2024

[Dean Coclin via Cscwg-public]

 

Minutes for CSCWG Call 4 Apr 2024

 

Agenda:

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - F2F  (awaiting draft from Andrea),
March 21st (Brianca)
4.  Ballot status: Marking the EV CS guidelines obsolete (CSC-23). Do we
need an IPR review?
5.  Proposed ballots: Remove EV Guideline References
6.  Proposed ballot for Time-stamp Requirements update; CSC-24
7.  Continued discussion on Application for Associate Member status from
Keyfactor 
8.  Interested Party application from Wangmo Tenzing (as an individual)
9.  Other business
10. Next meeting - April 18th
11. Adjourn

 

 

Attendees:

Brian Winters (Identrust), Bruce Morton (Entrust), Corey Bonnell (DigiCert),
Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi
(GlobalSign), Inigo Barreira (Sectigo), Marco Schambach - (IdenTrust), Mohit
Kumar (GlobalSign), Nome Huang - (TrustAsia), Rollin Yu - (TrustAsia), Scott
Rea (eMudhra), Tim Crawford - (CPA Canada/WebTrust), Trevoli Ponds-White -
(Amazon),

 

Minutes:

Dean read the note well.

 

Meeting minutes for F2F-New Delhi (Andrea Holland) yet to be posted.

Meeting minutes for March 21, 2024 Meeting (Brianca Martin) yet to be
posted.

 

Ballot CSC-23 Marking the EV Code Signing Guidelines SUPERCEDED

(Dean) This ballot passed, but the question has arisen whether there is need
for an IPR review since all we are doing is marking these obsolete?

(Bruce) there is nothing to present to lawyers, so what is there to review?

Consensus on call is that IPR Review is not necessary in this case as agreed
in WG call.

 

Removing EVG references in CSBRs

No recent update or status from Dimitris for removing references to EVGs.
Since Dimitris is not on current call, this will be deferred to next
meeting.

 

Ballot CSC-24 Timestamping Private Key Protection

Ballot was posted for discussion on 2 Apr 2024. Bruce raised concern that
potential re-word was required because of NOT catering to Online CAs already
in use. Mohit asked for clarification as to whether this only applied to
future NEW CAs or whether it anticipated existing CAs to also be covered by
the guideline. 

It is expected that some amendments will be applied to address the above,
and a restart to the discussion period will apply.

 

Individual Joiner Request

Wangmo Tenzing from Lawrence Livermore National Lab originally sent IPR
Agreement representing the Lab but clarified that this was rather meant to
be an individual Interested Party and not as the Lab's representative. IPRA
was withdrawn, and request resubmitted as an individual Interested Party.

No objections from WG to accept Wangmo as individual Interested Party. 

 

Associate Member Application

Follow on from previous meeting (and F2F meeting) where discussion was held
regarding Key Factor's application to become an Associated Member. 

No objections from WG to accept Key Factor as Associate Members.

 

Other Business: EV vs OV for Code Signing

Request Microsoft to clarify their treatment of OV vs EV CS certs and where
there is differentiation. (Ian) The only place of differentiation is
on-boarding for the Hardware Developer Centre Partner Program, which makes a
requirement for EV.  There are no other current differentiation anywhere.

Question from Bruce on how this is validated? (Ian) We are not looking at
the OID in the cert, we are more looking at the issuing CA, since its only
on application to the program. Microsoft is currently reviewing with the
Hardware Developer Centre folks to work out how this will be dealt with in
future.

Clarification requested from Bruce on whether its the case that EV no longer
helps with Reputation? (Ian) It is not the signer's reputation that is
paramount rather than the credentials they are using.

Clarification from Bruce as to whether Microsoft values SubjectInfo in EV
certs? (Ian) There is not a focus to put any value on EV-specific fields.

Clarification from Mohit as to whether that implies a move to OV in future?
(Ian) Microsoft is evaluating the bar between OV and EV and looking to
strike a balance between EV rigor and the effort for organizations around
the world to get it. We are trying to make it as simple as possible for the
ecosystem. So we are evaluating if an EV uplift is worth the value.

Suggestion from Bruce: take current BRs, and remove all EV related content
and see if it makes sense or whether the extra EV stuff is actually still
needed?

(Ian) The biggest challenge is how to provide clear communications to
developers about which certificate is required.

(Bruce) Perhaps the better approach is to decide where to go with this, and
then just work towards that.

Some discussion ensued about current validation of Organizations across all
the CABF working groups, and Bruce pointed out we already have 3 ways today,
and surely there was little value introducing a 4th specific to CS. To have
further discussion at the next F2F.

 

Meeting adjourned. Next 

[Cscwg-public] Final minutes of CSCWG March 21, 2024

[Dean Coclin via Cscwg-public]

 

Minutes for CSCWG Call 21 Mar 2024

 

Agenda:

 

1.  Roll Call
2.  Antitrust reminder
3.  Minutes
4.  Ballots
5.  Membership
6.  Other business
7.  Next meeting - April 4th
8.  Adjourn

 

Attendees:

Dean Coclin (DigiCert), Martijn Katerbarg (Sectigo), Brianca Martin
(Amazon), Tim Crawford (CPA Canada/WebTrust), Thomas Zermeno (SSL.com),
Mohit Kumar (GlobalSign), Scott Rea (eMudhra, Mohit Kumar (GlobalSign),
Dimitris Zacharopoulos (HARICA), Atsushi INABA (GlobalSign), Inigo Barreira
(Sectigo)

 

Minutes:

Dean Coclin read the Antitrust policy.

 

Meeting minutes - No minutes to approve. Andrea Holland working on minutes
from F2F-New Delhi.

 

Ballots

*   CSC-23, Marking the EV Code Signing Guidelines Obsolete, in the
voting period, ends next week. Needs vote from Microsoft (only CA in the
group).
*   Removing EV guidelines references (in discussion) - imported the
latest changes from the CS BR's, ballot is ready, looking for 2 endorsers.
EV will not be removed, will likely enhance the validation methods of the
existing OV level.
*   Noted that a file on the wiki hasn't been changed in years. Not
included in the guidelines, needs chair approval to remove it.
*   Timestamping Private Key Protection - Incorporated feedback, ready
to start discussion period.

 

Membership

*   Identrust - Current associate member, requesting transition to full
membership in the CSWG. Server Cert Working Group (SCWG) approved them to be
a full member. Each working group needs to approve their status, membership
level can be different across groups. Ian (Microsoft) confirmed they have
the appropriate root in Windows and the appropriate audit (link provided in
the application). Request approved without objection. Dean to send
confirmation to Marco.
*   Keyfactor - Request to upgrade to become an associate member in the
CSWG. Noted for information that the request was approved by the SCWG.
Status has traditionally been used for groups like FederalPKI, Webtrust,
Etsy and companies that are in the process of applying for a root
certificate in a browser. This would be the 1st time for the CSWG that a
particular company would be given associate member status. It was noted that
they run a CA platform that several CA/B forum members use, may not
specifically be related to code signing. Discussion on Keyfactor was held at
the forum level during the F2F meeting. Concern was raised about setting a
bad precedent. Dean to discuss with Tim. Approval postponed to the next
meeting.

 

Other Business: None

 

Meeting adjourned. Next meeting April 4th.

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda April 18, 2024

[Dean Coclin via Cscwg-public]

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 Bruce will run the meeting as I have a conflict this week

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - F2F  (Andrea), March 21st (Brianca),
April 4th (Scott)
4.  Proposed ballots: Remove EV Guideline References
5.  Proposed ballot for Time-stamp Requirements update; CSC-24
6.  Other business
7.  Next meeting - May 2nd  
8.  Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda April 4, 2024

[Dean Coclin via Cscwg-public]

Here's the draft agenda for this week's call:

 

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - F2F  (awaiting draft from Andrea),
March 21st (Brianca)
4.  Ballot status: Marking the EV CS guidelines obsolete (CSC-23). Do we
need an IPR review?
5.  Proposed ballots: Remove EV Guideline References
6.  Proposed ballot for Time-stamp Requirements update; CSC-24
7.  Continued discussion on Application for Associate Member status from
Keyfactor 
8.  Interested Party application from Wangmo Tenzing (as an individual)
9.  Other business
10. Next meeting - April 18th 
11. Adjourn

 

 

Dean Coclin 

CSCWG Chair



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Voting Results: Ballot CSC-23: Marking the EV Code Signing Guidelines SUPERCEDED

[Dean Coclin via Cscwg-public]

Voting has concluded on Ballot CSC-23 and the results are as follows:

 

Certificate Issuers:
Yes: 9

No: 0

Abstain: 0

Voting in favor: Actalis, Asseco (Certum), DigiCert, Entrust, Globalsign, 
HARICA, IdenTrust, Sectigo, SSL.com

 

 

Certificate Consumers:
Yes: 1

No: 0

Abstain: 0

Voting in favor: Microsoft

 

Quorum was met.


Therefore, the ballot passes.

 

Dean Coclin 

CSCWG Chair

 

 

 

 

From: Cscwg-public  On Behalf Of Dimitris 
Zacharopoulos (HARICA) via Cscwg-public
Sent: Tuesday, March 19, 2024 1:29 AM
To: cscwg-public@cabforum.org
Subject: [Cscwg-public] Voting Begins Ballot CSC-23: Marking the EV Code 
Signing Guidelines SUPERCEDED

 

Voting begins for ballot CSC-23.

Purpose of the Ballot

As agreed at the F2F#61 meeting, this is a ballot to mark the "Guidelines For 
The Issuance And Management Of Extended Validation Code Signing Certificates" 
as superceded. 

The following motion has been proposed by Dimitris Zacharopoulos of HARICA and 
endorsed by Scott Rea of eMudhra and Martijn Katerbarg of Sectigo.

MOTION BEGINS

Update the EVCS Guidelines v1.4 

  to version 1.5 with the following changes:

In the "Notice to Readers" section, update the second paragraph to state:

"The Code Signing Working Group considers this document SUPERCEDED as of 
September 2, 2020. CAs SHOULD NOT use this standard but instead SHOULD use the 
"Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code 
Signing Certificates" that has incorporated and improved requirements related 
to Extended Validation (EV) Code Signing Certificates."

Update section 17.1 to state the following:

"As this document is marked SUPERCEDED, CAs SHOULD NOT be audited against this 
standard. "

MOTION ENDS

The procedure for this ballot is as follows:


Start time (8:00 UTC)

End time (8:00 UTC)


Discussion (at least 7 days)

2024-03-11

2024-03-18


Expected Vote for approval (7 days)

2024-03-19

2024-03-26

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

Re: [Cscwg-public] Voting Begins Ballot CSC-23: Marking the EV Code Signing Guidelines SUPERCEDED

[Dean Coclin via Cscwg-public]

Reminder: Voting on this ballot ends tomorrow. We still need a vote from a 
Certificate Consumer.


Dean

 

 

 

 

From: Cscwg-public  On Behalf Of Dimitris 
Zacharopoulos (HARICA) via Cscwg-public
Sent: Tuesday, March 19, 2024 1:29 AM
To: cscwg-public@cabforum.org
Subject: [Cscwg-public] Voting Begins Ballot CSC-23: Marking the EV Code 
Signing Guidelines SUPERCEDED

 

Voting begins for ballot CSC-23.

Purpose of the Ballot

As agreed at the F2F#61 meeting, this is a ballot to mark the "Guidelines For 
The Issuance And Management Of Extended Validation Code Signing Certificates" 
as superceded. 

The following motion has been proposed by Dimitris Zacharopoulos of HARICA and 
endorsed by Scott Rea of eMudhra and Martijn Katerbarg of Sectigo.

MOTION BEGINS

Update the EVCS Guidelines v1.4 

  to version 1.5 with the following changes:

In the "Notice to Readers" section, update the second paragraph to state:

"The Code Signing Working Group considers this document SUPERCEDED as of 
September 2, 2020. CAs SHOULD NOT use this standard but instead SHOULD use the 
"Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code 
Signing Certificates" that has incorporated and improved requirements related 
to Extended Validation (EV) Code Signing Certificates."

Update section 17.1 to state the following:

"As this document is marked SUPERCEDED, CAs SHOULD NOT be audited against this 
standard. "

MOTION ENDS

The procedure for this ballot is as follows:


Start time (8:00 UTC)

End time (8:00 UTC)


Discussion (at least 7 days)

2024-03-11

2024-03-18


Expected Vote for approval (7 days)

2024-03-19

2024-03-26

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda March 21, 2024

[Dean Coclin via Cscwg-public]

Here's the draft agenda for this week's call:

 

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - F2F  (awaiting draft as of March 17)
4.  Proposed ballots: Remove EV Guideline References and marking the EV
CS guidelines obsolete (CSC-23)
5.  Proposed ballot for Time-stamp Requirements update.
6.  Application for full membership from Identrust (included in MS Root
store per Ian)
7.  Application for Associate Member status from Keyfactor 
8.  Other business
9.  Next meeting - April 4th 
10. Adjourn

 

 

Dean Coclin 

CSCWG Chair



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

Re: [Cscwg-public] Notice of IPR review Ballots CSCWG 21 and 22

[Dean Coclin via Cscwg-public]

The review period for CSCWG 21 and 22 has concluded. No essential claims
were filed.

 

Corey-please create the final guideline, based on the drafts, and publish to
the website. The effective date will be today.


Thank you,

 

Dean Coclin 

CSCWG Chair

 

 

 

 

From: Cscwg-public  On Behalf Of Dean
Coclin via Cscwg-public
Sent: Wednesday, January 17, 2024 8:59 AM
To: Dean Coclin via Cscwg-public 
Subject: [Cscwg-public] Notice of IPR review Ballots CSCWG 21 and 22

 

NOTICE OF REVIEW PERIOD

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's
Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is
for one Final Maintenance Guidelines. The complete Draft Maintenance
Guideline that is the subject of this Review Notice is attached to this
email, in red-line draft format.

 

Summary of Review

Ballot(s) for Review:  CSCWG 21 (version 3.6) and CSCWG 22 (version 3.7)

 

Start of Review Period: 17 January 2024 at 09:00 Eastern Time

End of Review Period: 18 February 2024 at 09:00 Eastern Time

 

Members with any Essential Claim(s) to exclude must forward a written Notice
to Exclude Essential Claims to the Working Group Chair (email to Dean Coclin
mailto:dean.coc...@digicert.com> >) and also
submit a copy to the CA/B CSCWG public mailing list (email to cscwg-public
at cabforum.org before the end of the Review Period.

For details, please see the current version of the
<https://url.avanan.click/v2/___https:/cabforum.org/wp-content/uploads/CABF-
IPR-Policy-v.1.3_4APR18.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzpjNWQ0NDk5YzExYTE2YWYzZ
TFjNTAyMzk5YTg5YjY4YTo2OjJiNzc6YzYxZWRjNTgwZGE2MDVkNjVmMmFmZDA5ZDBhZTkzNmYwO
WE2MDgyNGUzYmMwYzI4MGI3NTI0YzdmZjBlZDZjNjpoOkY> CA/Browser Forum
Intellectual Property Rights Policy.

(An optional template for submitting an Exclusion Notice is available at
<https://url.avanan.click/v2/___https:/cabforum.org/wp-content/uploads/Templ
ate-for-Exclusion-Notice.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzpjNWQ0NDk5YzExYTE2YWYz
ZTFjNTAyMzk5YTg5YjY4YTo2OjYyNmI6NmY2ZWJjYWIwYTE2M2M3ZTY2MTQzOGQ2MzQ3YTk5MGMy
ZTBhNWZmOTlhMTRjOWIzZWQxMDNhMDYyNTdiMTJhNDpoOkY>
https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf)

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG meeting minutes Feb 8, 2024

[Dean Coclin via Cscwg-public]

 

Attendees:

Abhishek Bhat (eMudhra), Ben Dewberry (Keyfactor), Brianca Martin (Amazon),
Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert),
Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inaba Atsushi
(GlobalSign), Inigo Barreira (Sectigo), Keshava Nagaraju (eMudhra), Mohit
Kumar (GlobalSign), Richard Kisley (IBM), Scott Rea (eMudhra), Thomas
Zermeno (SSL.com)

 

Dean read the note well.

 

Meeting minutes for January 25th meeting were approved.

 

Import EVG references into CSBRs

Dimitris gave status update for removing references to EVGs. A mapping
spreadsheet was provided on the list to facilitate comparison. Dimitris gave
the group a walkthrough of the document. Dimitris added the
organizationIdentifier field, as it's in the EVGs but not the CSBRs.

Bruce said that introducing the orgId attribute is a change to the profile
and should be a separate document. Dimitris proposed that he will circulate
a diff of EVG 1.7.2 and 1.8.0 so the group can compare the differences in
normative requirements between the versions.

 

Timestamping

Bruce said that Martijn has a ballot proposal on Github. Ian would like to
halve the maximum validity of the end-entity timestamp certificate. Bruce
said the motivation of requiring key destruction is that long-lived
timestamp certificates are not a risk if the private key material is
destroyed.

Also, a long-lived certificate provides interoperability with other
ecosystems, such as Java. Ian said that long-lived certificates might be a
burden for CAs in providing OCSP responses for potentially several decades.
Bruce said that we can raise this point as feedback to the ballot.

 

F2F discussion

Dean said that the February 22nd meeting is cancelled. Dean asked the group
for topics to discuss.

 

Ian provided these topics:

1. Certificate transparency requirements for code signing certificates.
Which activities that are logged (issuance, revocation) would be good to
discuss. Also, which monitors are needed in the ecosystem?

2. Reduction of code signing certificate validity to 15 months

 

Bruce called for additional topics for the F2F. Dimitris said he will
prepare the import of the EVGs for presentation at the F2F.

 

Meeting adjourned. Next meeting is at the F2F; the February 22nd meeting is
cancelled.



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final CSCWG Minutes Jan 25, 2024

[Dean Coclin via Cscwg-public]

Here are the final minutes of the subject call:

 

CSCWG Conference Call-2024/01/25 

 

Attendees:

Scott Rea,

Corey Bonnell,

Thomas Zermeno,

Bruce Morton,

Atsushi Inaba,

Mohit Kumar,

Dean Coclin,

Brianca Martin,

Martijn Katerbarg,

Bhat Abhishek,

Trevoli Ponds-White,

Tim Crawford,

Keshava N,

Inigo Barreira,

Janet Hines,

Tim Hollebeek,

Richard Kisley,

Lucy Buecking,

Ian McMillan

 

Agenda + Notes:

1. Roll Call 

*   Completed by Dean

2. Antitrust reminder 

*   Completed by Dean

3. Approve prior meeting minutes - Jan 11th 

*   Meeting Minutes from 2024/01/11 sent out on 2024/01/12, Approved

4. Ballot CSC-21 Signing Service: Status

*   In IPR until 2024/02/18

5. Ballot CSC-22 Proposed High Risk Ballot: Status

*   In IPR until 2024/02/18

6. Proposed ballot Remove EV Guideline References status

*   Work done by Dimitris to pull in the necessary text from the EV
Guidelines and ready for feedback in
https://github.com/cabforum/code-signing/compare/main...importEVG
 

7. Proposed ballot CSCWG charter update status

*   Completed at the Forum level, and merged.

8. Proposed ballot for Time-stamp Requirements update.

*   Martijn has a draft in CSC-XX: Timestamp Certificate, SubCA and Key
restrictions by XolphinMartijn
 . Pull Request #34 . cabforum/code-signing
(github.com)
*   General pieces are to add key deletion for timestamp certs with
validity greater than 15 months, remove SHA1 tokens, and making sure offline
SubCA (TSA CA)
*   Need to add effective date for offline subCA requirements, and scope
to only new end-entity certs needing to be fulfilled from an offline subCA.

*   Can look to separately define these effective dates and make a
proposal

*   Group to review, provide feedback, and look to endorse

9. Other business

*   Membership application from Troy Anderson, Common Crypto Authority
as an Interested Party

*   No objections for adding as an Interested Party

*   Next F2F Discussion Topics?

*   Most folks will attend virtually
*   To discuss at next meeting on 2024/02/08
*   Group to bring item ideas for the F2F
*   Consider Certificate Transparency & simplifying EV code signing
*   Consider making the session at the F2F shorter (currently on Tuesday
night at 11:30pm ET, 8:30pm PT)

10. Next meeting -  February 8th

11. Adjourn 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda February 8, 2024

[Dean Coclin via Cscwg-public]

 Here's the draft agenda for this week's call:

 

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - Jan 25th  
4.  Proposed ballot Remove EV Guideline References status
5.  Proposed ballot for Time-stamp Requirements update.
6.  Discussions for F2F
7.  Other business
8.  Next meeting -  February 22nd  (Should we cancel since F2F is the
following week?)
9.  Adjourn

 

 

Dean Coclin 

CSCWG Chair



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] FW: CSCWG Final Minutes January 11, 2023

[Dean Coclin via Cscwg-public]

Final minutes of CSCWG meeting Jan 11, 2023





1.  Roll Call

*   Andrea Holland - (VikingCloud)
*   Brianca Martin - (Amazon)
*   Bruce Morton - (Entrust)
*   Corey Bonnell - (DigiCert)
*   Dimitris Zacharopoulos - (HARICA)
*   Eva Vansteenberge - (GlobalSign)
*   Ian McMillan - (Microsoft)
*   Inaba Atsushi - (GlobalSign)
*   Inigo Barreira - (Sectigo)
*   Janet Hines - (VikingCloud)
*   Martijn Katerbarg - (Sectigo)
*   Mohit Kumar - (GlobalSign)
*   Richard Kisley - (IBM)
*   Roberto Quionones - (Intel)
*   Rollin Yu - (TrustAsia)
*   Scott Rea - (eMudhra)
*   Thomas Zermeno - (SSL.com)
*   Tim Hollebeek - (DigiCert)

2.  Antitrust reminder: Read



3.  Approve prior meeting minutes - Nov 30th, Dec 14th : Both minutes were 
approved



4.  Ballot CSC-21 Signing Service: Discussion/Voting Period : Voting ends 
tomorrow 12 January 2024. Bruce stated 6 votes were required for quorum, but we 
only have 5 votes so far. Dimitris advised that the membership tool states the 
quorum is 5. Bruce stated that he might have counted the meeting attendees 
improperly, so we will use system quorum number of 5.



5.  Ballot CSC-22 Proposed High Risk Ballot: Discussion/Voting Period: 
Voting also ends 12 January 2024 and quorum of 5 has been met.



6.  Proposed ballot Remove EV Guideline References status: Dimitris has 
provided a proposal for review. He will provide a mapping document to assist 
for review. Would like feedback before proposing a ballot.



7.  Proposed ballot CSCWG charter update status: Martijn stated the ballot 
closes today and we are exactly on the quorum number.
8.  PCI-HSM certification for Code signing HSMs (Richard K): Richard would 
like the CSCWG to consider using PCI-HSM as a certification approval method for 
crypto modules for the CSBRs. PCI-HSM is a robust program which most vendors 
use. FIPS 140-2 and -3 have a long queue. For instance FIPS has 252 waiting, 8 
in process, and only 12 people performing the process, so processing takes 
12-18 months processing time. Common Criteria is not universal. PCI-HSM covers 
the requirements and could be used as an alternative. Dimitris asked what the 
proposal would apply to - CA or Subscriber keys; Richard did not know where to 
apply. Ian asked what is the difference between PCI-HSM and FIPS; Richard 
provided his perspective. Bruce stated that root CAs, subordinate CAs, 
time-stamp CA, Signing Service use HSMs, but there might not be a demand as 
this requirement is already met. Would PCI-HSM help to support the Subscriber 
end to provide more devices for signing code. Dimitris stated that the CSBRs 
allow FIPS 140 Level 2 for Subscribers, which is lower that level 3, so maybe 
it would be approved for Subscribers. Ian stated that they would investigate to 
see if PCI-HSM would acceptable for Subscribers. Dimitris asked if PCI-HSM 
supports remote key attestation; Richard stated the requirements do not address 
this requirement. If PCI-HSM is acceptable a member would have to write a 
ballot. We will wait until there is feedback from Microsoft.



9.  Other business: Bruce was asking if there is new business, since 3 
ballots will pass this week? Bruce asked if DigiCert is still planning to 
provide a CT demo; Corey suggested we review with Ian. Bruce also stated that 
another topic is time-stamp changes, but this is also Ian's action. It was 
suggested to work on the EV ballot. Dimitris said the change might be a issue 
as it could conflict with the BR of BRs process. Tim brought up the question of 
what we are trying to resolve, but Dimitris suggested that the exercise would 
remove some EV requirements which do not make sense for CSBRs. Tim asked if the 
EV Guidelines could be added as an appendix; Dimitris suggested that that would 
work for the verification requirements, but not the others.



10. Next meeting -  January 25th



11. Adjourn





___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Final Minutes January 11, 2023

[Dean Coclin via Cscwg-public]

smime.p7m
Description: S/MIME encrypted message
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda January 25, 2023

[Dean Coclin via Cscwg-public]

 

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - Jan 11th 
4.  Ballot CSC-21 Signing Service: Status
5.  Ballot CSC-22 Proposed High Risk Ballot: Status
6.  Proposed ballot Remove EV Guideline References status
7.  Proposed ballot CSCWG charter update status
8.  Proposed ballot for Time-stamp Requirements update.
9.  Other business
10. Next meeting -  February 8th
11. Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] FW: Ballot CSC-22: High Risk Requirements Update

[Dean Coclin via Cscwg-public]

Resending to the list…

 

Dean Coclin 

 

 

From: Dean Coclin 
Sent: Friday, January 12, 2024 4:26 PM
Subject: Ballot CSC-22: High Risk Requirements Update

 

Voting has concluded on Ballot CSC 22 and the results are as follows:

 

Certificate Issuers: 
Yes: (7) Digicert, eMudra, Entrust, Globalsign, HARICA, Sectigo, Viking Cloud

No: (0)

Abstain: (0)

 

Certificate Consumers:
Yes: (1) Microsoft

No: (0)

Abstain: (0)

 

Quorum was achieved. Therefore the ballot passes.

 

 

Dean Coclin 

CSCWG Chair

 

 

 

From: Cscwg-public mailto:cscwg-public-boun...@cabforum.org> > On Behalf Of Bruce Morton via 
Cscwg-public
Sent: Friday, January 5, 2024 3:02 PM
To: cscwg-public@cabforum.org  
Subject: [Cscwg-public] Voting Period begins - Ballot CSC-22: High Risk 
Requirements Update

 

Purpose of the Ballot

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify 
language regarding Signing Service and signing requests. The main goals of this 
ballot are to:

1.  Remove references to High Risk Certificate Request, since the CSBRs do 
not provide any actions for a high risk application.
2.  Remove references to High Risk Region of Concern, since the CSBR 
appendix has never been populated.
3.  Remove rules for a Takeover Attack to require the Subscriber to 
generate keys in a crypto device, since crypto device key generation is now a 
baseline requirement for all code signing certificates.
4.  Remove option to transfer private key which has been generated in 
software.
5.  Cleanup to remove Subscriber key generation option which expired 
effective 1 June 2023.
6.  Cleanup to remove “any other method” to verify the Subscriber key was 
generated in a crypto device, since this option expired 1 June 2023.

The following motion has been proposed by Bruce Morton of Entrust and endorsed 
by Tim Hollebeek of DigiCert and Ian McMillan of Microsoft.

 

MOTION BEGINS

 

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline 
Requirements") based on version 3.4. MODIFY the Code Signing Baseline 
Requirements as specified in the following redline: 
https://github.com/cabforum/code-signing/compare/e0da5532ab81e35e2e92536c1bc9ea3c36765b26...50871dc08d39102daf6c93fa556a869790643fb6
 

 

 

MOTION ENDS

The procedure for this ballot is as follows: Discussion (minimum 7 days)

 

*   Start Time: 2023-12-15 00:00 UTC
*   End Time: 2024-01-05 20:00 UTC

 

Vote for approval (7 days)

 

*   Start Time: 2024-01-05 20:00 UTC
*   End Time: 2024-01-12 20:00 UTC

Any email and files/attachments transmitted with it are intended solely for the 
use of the individual or entity to whom they are addressed. If this message has 
been sent to you in error, you must not copy, distribute or disclose of the 
information it contains. Please notify Entrust immediately and delete the 
message from your system. 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Ballot CSC-21v2: Signing Service Update

[Dean Coclin via Cscwg-public]

Voting has concluded on Ballot CSC 21v2 and the results are as follows:

 

Certificate Issuers: 
Yes: (6) Digicert, eMudra, Entrust, Globalsign, HARICA, Viking Cloud

No: (0)

Abstain: (1) Sectigo

 

Certificate Consumers:
Yes: (1) Microsoft

No: (0)

Abstain: (0)

 

Quorum was achieved. Therefore the ballot passes.

 

Dean Coclin 

CSCWG Chair

 

 

 

 

From: Cscwg-public  On Behalf Of Bruce 
Morton via Cscwg-public
Sent: Friday, January 5, 2024 3:02 PM
To: cscwg-public@cabforum.org
Subject: [Cscwg-public] Voting Period begins - Ballot CSC-21v2: Signing Service 
Update

 

Purpose of the Ballot

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify 
language regarding Signing Service and signing requests. The main goals of this 
ballot are to:

1.  Clarify the Signing Service definition and the expected deployment 
model.
2.  Remove requirements for signing request.
3.  Change text so Signing Service is not categorized as a Delegated Third 
Party.
4.  Not allow Signing Service to transport Private Key to Subscriber.
5.  Ensure Network Security Requirements are applicable to Signing Service.
6.  State audit requirements for Signing Service.

The following motion has been proposed by Bruce Morton of Entrust and endorsed 
by Tim Hollebeek of DigiCert and Ian McMillan of Microsoft.

 

MOTION BEGINS

 

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline 
Requirements") based on version 3.4. MODIFY the Code Signing Baseline 
Requirements as specified in the following redline: 
https://github.com/cabforum/code-signing/compare/e0da5532ab81e35e2e92536c1bc9ea3c36765b26..1a134a77e74fb93ca2581d288e5a82859d6e8f88
 

  

 

MOTION ENDS

The procedure for this ballot is as follows: Discussion (minimum 7 days)

 

*   Start Time: 2023-12-15 00:00 UTC

*   End Time: 2024-01-05 20:00 UTC

 

Vote for approval (7 days)

 

*   Start Time: 2024-01-05 20:00 UTC

*   End Time: 2024-01-12 20:00 UTC

Any email and files/attachments transmitted with it are intended solely for the 
use of the individual or entity to whom they are addressed. If this message has 
been sent to you in error, you must not copy, distribute or disclose of the 
information it contains. Please notify Entrust immediately and delete the 
message from your system. 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final minutes for 2023-12-14 CSCWG meeting

[Dean Coclin via Cscwg-public]

Final minutes for 2023-12-14 CSCWG meeting

 

Attendees:

Andrea Holland (VikingCloud), Bruce Morton (Entrust), Corey Bonnell
(DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi
(GlobalSign), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit
Kumar (GlobalSign), Richard Kisley (IBM), Roberto Quionones (Intel), Rollin
Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Tim
Hollebeek (DigiCert)

 

Bruce read the note well.

 

Minutes of the November 30th meeting were not approved as they were just
sent out.

 

- Signing Service Ballot

 

Bruce mentioned that Ian wanted to reduce the audit requirements for non-CA

signing services. One idea is to use CCM criteria. One challenge is a lack
of

familiarity with the CCM framework as well as how to map the criteria with

the specific requirements for HSMs.

 

Tim Crawford mentioned that the netsec-wg wants to use the STAR Alliance

requirements but are currently working through licensing issues.

 

Bruce has a proposal to move the ballot forward. He would like to retain

the current requirements for audit and address lesser audits in a future

ballot. Tim agreed that this is a good approach, as defining audit

requirements for non-CA Signing Services will be much more complex. Ian

also agreed with this approach.

 

Bruce proposed that he will bring the Signing Services ballot forward for

formal discussion and voting early next calendar year. There was agreement

on this approach.

 

- High Risk Ballot

 

Bruce said the text is complete and there are two endorsers. Bruce asked

if there's any objection to running two ballots concurrently. Martijn,

Tim, and Ian agreed that's fine as long as there's no overlap.

 

Corey raised a concern about potential complexity with immutable links if

multiple ballots are in flight. He will investigate if this is an actual

issue.

 

- Charter Update

 

Martijn said the ballot is ready but didn't want to kick off the voting

period during the holidays. He will look to start voting in early

January.

 

- Any other business

 

The December 28th meeting is cancelled. The next meeting will be

January 11th.

 

Richard from IBM suggested that HSMs for code signing be certified

under PCI-HSM in addition to CC and FIPS. Tim said in theory that

should be fine but need to investigate further.

 

Meeting adjourned.



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

Re: [Cscwg-public] UPDATED CSCWG Agenda January 11, 2023

[Dean Coclin via Cscwg-public]

 

 

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - Nov 30th, Dec 14th
4.  Ballot CSC-21 Signing Service: Discussion/Voting Period
5.  Ballot CSC-22 Proposed High Risk Ballot: Discussion/Voting Period
6.  Proposed ballot Remove EV Guideline References status
7.  Proposed ballot CSCWG charter update status
8.  PCI-HSM certification for Code signing HSMs (Richard K)
9.  Other business
10. Next meeting -  January 25th   
11. Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

Re: [Cscwg-public] Consider PCI-HSM certification for Code signing HSMs

[Dean Coclin via Cscwg-public]

Richard,

Should we add this to the agenda for this week's call?

Thanks

Dean

 

Dean Coclin 

Sr. Director Business Development

M 1.781.789.8686

 



 

 

From: Cscwg-public  On Behalf Of Richard
Kisley via Cscwg-public
Sent: Tuesday, January 2, 2024 5:31 PM
To: cscwg-public@cabforum.org
Subject: [Cscwg-public] Consider PCI-HSM certification for Code signing HSMs

 

Hi,

Thank you for the opportunity to discuss this topic.  My apologies for not
sending this sooner, EOY work (day job) and the holidays took over my time.

 

My AOB question on 12/14 was: 'would the group consider adding PCI HSM as an
acceptable certification for Code Signing workloads?'

 

Please find attached the PCI HSM v4 pdf from the PCI SSC documents page
(https://www.pcisecuritystandards.org/document_library/
 , filter by 'PTS'). Note that in this location
you have also the 'FAQs', which "enhance" understanding of various topics.

 

My reasons for suggesting this:

1.  PCI (PTS) HSM is a robust program for HSM evaluation in the payment
security space.
2.  The financial services world, while having some unique requirements
(in particular for PKI), is in my opinion not so different for overall
device validation
3.  FIPS 140-3 & FIPS 140-2 (now closed) CMVP programs have a long queue
that is delaying products by well over a year
4.  CC, while valuable in many markets, is not universal
5.  Adding PCI-HSM closes the loop across the main HSM evaluation
regimes

 

Thanks,

 

Richard Kisley

Firmware & Security Architect, 
IBM Senior Technical Staff Member, Master Inventor
Payment Card Industry Professional (PCIP)
IBM Cryptographic Technology Development
 http://www.ibm.com/security/cryptocards/
  kis...@us.ibm.com



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda January 11, 2023

[Dean Coclin via Cscwg-public]

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - Nov 30th, Dec 14th
4.  Ballot CSC-21 Signing Service: Discussion/Voting Period
5.  Ballot CSC-22 Proposed High Risk Ballot: Discussion/Voting Period
6.  Proposed ballot Remove EV Guideline References status
7.  Proposed ballot CSCWG charter update status
8.  Other business
9.  Next meeting -  January 25th   
10. Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda December 14, 2023

[Dean Coclin via Cscwg-public]

This should be a short call this week.

 

 

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - Nov 30th   
4.  Ballot CSC-21 status
5.  Proposed High Risk Ballot status
6.  Proposed ballot Remove EV Guideline References status
7.  Proposed ballot CSCWG charter update status
8.  Other business
9.  Next meeting -  No meeting December 28th   
10. Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

Re: [Cscwg-public] NOTICE OF REVIEW PERIOD – BALLOT CSC-20

[Dean Coclin via Cscwg-public]

The review period for Ballot CSC-20 has concluded. No essential claims were
filed. 

 

Corey Bonnell will update this in github for approval by the chairs.

 

Thank you,

 

Dean Coclin 

CSCWG Chair

 

 

 

 

From: Cscwg-public  On Behalf Of Dean
Coclin via Cscwg-public
Sent: Monday, October 30, 2023 5:48 PM
To: Dean Coclin via Cscwg-public 
Subject: [Cscwg-public] NOTICE OF REVIEW PERIOD - BALLOT CSC-20

 

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's
Intellectual Property Rights Policy (v1.3). This Review Period is for a
Final Maintenance Guideline (30 day Review Period). Attached is a complete
Draft Guideline subject of this Review Notice.

 

 

Ballot for Review: Ballot CSC-20

Start of Review Period: October 30, 2023 at 6:00 pm Eastern Time

End of Review Period: December 1, 2023 at 6:00 pm Eastern Time

 

Please forward a written notice to exclude Essential Claims to the Forum and
Working Group Chair by email to dean.coc...@digicert.com
<mailto:dean.coc...@digicert.com>  and a copy to the CA/B Forum CSCWG public
mailing list cscwg-public@cabforum.org <mailto:cscwg-public@cabforum.org>
before the end of the Review Period.

 

See current version of CA/Browser Forum Intellectual Property Rights Policy
for details.

 

(Optional form of Exclusion Notice is available at
https://url.avanan.click/v2/___https://cabforum.org/wp-content/uploads/Templ
ate-for-Exclusion-Notice.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzpmYzllOGRlY2EyMTBkNzQ5
ODkwMzcyMjA2ZDcwYzQxYjo2OmRhOGE6M2ZkZWI3YTA0NzNjYzIyZDQyODY3ODQzNTdkZWFjMGYz
NTQzYTk1ZjM4MDk5MjNmMGY1MTc1MDJmNjliNDUzMzp0OkY
<https://url.avanan.click/v2/___https:/cabforum.org/wp-content/uploads/Templ
ate-for-Exclusion-Notice.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzpmYzllOGRlY2EyMTBkNzQ5
ODkwMzcyMjA2ZDcwYzQxYjo2OmRhOGE6M2ZkZWI3YTA0NzNjYzIyZDQyODY3ODQzNTdkZWFjMGYz
NTQzYTk1ZjM4MDk5MjNmMGY1MTc1MDJmNjliNDUzMzp0OkY> )

 

Dean Coclin 

CSCWG Chair

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final minutes of CSCWG meeting November 16, 2023

[Dean Coclin via Cscwg-public]

CSCWG Meeting 2023-11-16

 

General Note: A recording was not started for the meeting. As such, most items 
in these minutes were provided by Bruce based on his own notes. If anyone has 
anything to add, please reach out.

 

Attendees 

Andrea Holland - (VikingCloud), Ben Dewberry - (Keyfactor), Brianca Martin - 
(Amazon), Bruce Morton - (Entrust), Corey Bonnell - (DigiCert), Dimitris 
Zacharopoulos - (HARICA), Eva Vansteenberge - (GlobalSign), Ian McMillan - 
(Microsoft), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo), Janet 
Hines - (VikingCloud), Martijn Katerbarg - (Sectigo), Mohit Kumar - 
(GlobalSign), Richard Kisley - (IBM), Roberto Quionones - (Intel), Rollin Yu - 
(TrustAsia Technologies Inc), Scott Rea - (eMudhra), Tim Crawford - (CPA 
Canada/WebTrust)

 

Assign Minute taker

*   Martijn Katerbarg

 

Roll call

*   Read by Bruce

 

Antitrust Compliance Statement

*   Read by Bruce

 

Approval of prior meeting minutes

*   Minutes of the November 2nd meeting were approved.

 

Ballot CSC-21 (Signing Service) Status

*   Ian discussed with Tim that the Cloud Security Alliance (CSA) STAR CCM 
Certification with the audit requirements (“Level 1” or “Level 2”) could be an 
alternative to the proposed audit requirements. 
*   Bruce suggested that this could be a big change to the ballot, so how 
do we proceed. 
*   Dimitris stated that the discussion period can last for 90-days, so we 
have time to update and start a new discussion period. Bruce and Ian will work 
on an update to the ballot.

 

High Risk Ballot

*   It’s agreed that with CSC-21 being put on hold, the High Risk ballot 
can proceed and take priority. Bruce with work with Corey to add the proposal 
to GitHub and start a ballot.

 

Remove EV Guideline References Ballot

*   Dimitris offered to prepare a non-normative ballot to remove all EV 
Guideline references from the CSBRs. A follow-up normative ballot will be 
considered to change/update the EV requirements.

 

CSCWG Charter Update Ballot

*   Ballot text is final. Dimitris has already endorsed. Bruce offered to 
endorse during the call.

 

Other business

*   During the November 30 meeting, a presentation will be given regarding 
the Key Attestation RFC.

 

Next meeting

*   2023-11-30

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda November 30, 2023

[Dean Coclin via Cscwg-public]

NOTE: We will have a guest presentation this week as indicated in the agenda
below:

 

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - Nov 16th  
4.  Ballot CSC-21 status
5.  Proposed High Risk Ballot status
6.  Proposed ballot Remove EV Guideline References status
7.  Proposed ballot CSCWG charter update status
8.  RFC for Key Attestation Presentation (Mike Ounsworth-Entrust)
9.  Other business
10. Next meeting -  Dec 14th  
11. Adjourn

 

 

Dean Coclin 

CSCWG Chair

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final CSCWG Minutes Oct 19, 2023

[Dean Coclin via Cscwg-public]

CSCWG Meeting 2023-10-19

Thursday, October 19, 2023

 

Attendees:

*   Aaron Poulsen - Amazon Trust Services
*   Andrea Holland - VikingCloud
*   Atsushi INABA - GlobalSign
*   Bruce Morton - Entrust
*   Corey Bonnell
*   Dean Coclin-DigiCert
*   Dimitris Zacharopoulos (HARICA)
*   Ian McMillan - Microsoft
*   Janet Hines - VikingCloud
*   Richard Kisley - IBM
*   Mohit Kumar - GlobalSign
*   Rollin Yu - TrustAsia
*   Scott Rea - eMudhra
*   Tim Crawford - BDO/WebTrust

 

Agenda: 

*   Assign Minute taker (start recording)

*   Ian McMillan

*   Roll call

*   Completed by Dean

*   Antitrust Compliance Statement

*   Completed by Dean

*   Review Agenda

*   No comments on the agenda

*   Approval of prior meeting minutes - F2F 5 Oct, Need minutes!

*   Minutes received from Mohit
*   Need to get other half of the minutes from Tim Callan (Dean to
follow up)

*   Ballot CSC-20 Restore Version Reference to EV Guidelines

*   Voting completed and it has passed with quorum 

*   Ballot CSC-21 Signing Service

*   In discussion period
*   Comments on the definition of Signing Service

*   This definition must not apply to a subscriber and that includes
when the CA is a subscriber itself.
*   Current definition seems to not be clear for CAs that leverage a
Signing Service they provide and how the Subscriber Agreement would apply or
not in this case.

*   Microsoft has a case where the Signing Service does a Subscriber
Agreement with the CA service team with a separation of duties between the
teams, so there is precedence for this behavior.

*   Signing Service does not include a subscriber's managed signing
service.
*   New proposed definition: An organization that generates the key pair
and securely manages the private key associated with the code signing
certificate on behalf of the subscriber.

*   Audit Requirements and Audit Dates

*   We should consider an effective date to allow for Signing Services
to comply with the requirements

*   There should a ramp up period or include it in the next audit period
so not to include it current audit periods.
*   We need to give CAs runway to get this into their audit plans
*   We should provide an effective date of 6 months from the projected
ballot completion timeframe (e.g. June 1, 2024) for the audits starting
after that effective date.

*   Section 8.4 currently requires a Signing Service to comply with the
audit requirements for a CA or a Delegated 3rd Party

*   Is it possible that CSBRs say Signing Services must comply with the
requirements including audits for the NetSec BRs, but they are not?
*   How does a CA know there is a Signing Service or not?

*   Resellers come into the picture here
*   Previously we questioned if Signing Services should have these audit
requirements and we talked ourselves into it.
*   We can lean on the Subscriber Agreement and Subscriber Warranties to
push the audit requirements onto 3rd party Signing Services and Resellers

*   How are these enforced?

*   3 scenarios here.

*   CA that provides a Signing Service to Subscribers

*   Assumption is these are already being audited

*   CA that partners with a 3rd Party Signing Service to the CA
subscribers
*   Subscriber uses a unaffiliated 3rd Party Signing Service to use a CA
issued code signing certificate (CA may or may not be aware there is a
signing service in the loop unless the Subscriber notifies the CA)

*   More or less a private key protection service
*   This is not easy here to tell when 3rd party Signing Service is
involved

*   First focus on Signing Services that CAs know about, but this will
not be equivalent

*   CAs with a Signing Service has the hardest compliance challenge, but
a unaffiliated 3rd party Signing Service (Reseller) would not have the same
requirements
*   We should consider dropping these audit requirements on the Signing
Services and focus on the subscriber private key protection requirements

*   The one point we are considering is the Signing Service risk with a
multi-tenant service, this is the same as Resellers.
*   Can we look at prohibiting Resellers from having an unaudited
Signing Service?

*   We made a lot of progress here so we should consider moving forward
as-is

*   Consider using the S/MIME BR language for effective date,
Bruce/Corey to review that language 

*   Proposed Ballot High Risk

*   No updates until CSC-21 is completed

*   Proposed ballot Remove EV Guideline References

*   Will pick this up once we have all the notes from the F2F discussion

*   Proposed ballot CSCWG Charter Update

*   Need Martijn to update here

*   Other business

*   None

*   Next meeting - 2 November

 

 



smime.p7s
Description: S/MIME cryptographic signature

[Cscwg-public] Final Minutes of F2F Meeting – Code Signing Working Group

[Dean Coclin via Cscwg-public]

Minutes of CSCWG F2F Meeting 

 

5th October, 2023

Attendees: Adam Jones - (Microsoft), Aleksandra Kurosz - (Asseco Data
Systems SA (Certum)), Andrea Holland - (VikingCloud), Arvid Vermote -
(GlobalSign), Ashish Dhiman - (GlobalSign), Ben Dewberry - (Keyfactor), Ben
Wilson - (Mozilla), Brianca Martin - (Amazon), Bruce Morton - (Entrust),
Christophe Bonjean - (GlobalSign), Clemens Wanko - (ACAB Council), Corey
Bonnell - (DigiCert), Dave Chin - (CPA Canada/WebTrust), Dean Coclin -
(DigiCert), Don Sheehy - (CPA Canada/WebTrust), Doug Beattie - (GlobalSign),
Ellie Lu - (TrustAsia Technologies, Inc.), Eva Vansteenberge - (GlobalSign),
Hannah Sokol - (Microsoft), Inaba Atsushi - (GlobalSign), Inigo Barreira -
(Sectigo), Janet Hines - (VikingCloud), John Mason - (Microsoft), Jozef
Nigut - (Disig), Kateryna Aleksieieva - (Asseco Data Systems SA (Certum)),
Li-Chun Chen - (Chunghwa Telecom), Marcelo Silva - (Visa), Marco Schambach -
(IdenTrust), Martijn Katerbarg - (Sectigo), Mohit Kumar - (GlobalSign), Nate
Smith - (GoDaddy), Naveen Kumar - (eMudhra), Nikolaos Soumelidis - (ACAB
Council), Nitesh Bakliwal - (Microsoft), Paul van Brouwershaven - (Entrust),
Pedro Fuentes - (OISTE Foundation), Rebecca Kelley - (Apple), Rich
Kapushinski - (CommScope), Rollin Yu - (TrustAsia Technologies, Inc.), Roman
Fischer - (SwissSign), Scott Rea - (eMudhra), Stephen Davidson - (DigiCert),
Sven Rajala - (Keyfactor), Thomas Zermeno - (SSL.com), Tim Callan -
(Sectigo), Tim Crawford - (CPA Canada/WebTrust), Tim Hollebeek - (DigiCert),
Trevoli Ponds-White - (Amazon), Tsung-Min Kuo - (Chunghwa Telecom),
Vijayakumar (Vijay) Manjunatha - (eMudhra)

 

 

Minutes Approval – Approved for 7th September 2023 and 21st September 2023

 

Interested Party status – IBM added as interested party

 

Ballot Proposals Status:- 

Cleanup Ballot - Proposal shared , to be pursued forward for discussion
period

 

Signing Service Ballot – reviewed and have 2 endorsers, to be pursued
forward for discussion period

 

Remove EV guidelines references - Discussion happened if working group wants
to copy exact requirements from EV guidelines or if they want to first
review what is really required and then add it to the baseline requirements
for Codesigning. Approach decided to bring all the requirements with
reference to EV guidelines in a pull request, highlight which are new
compared to 1.7.1 and then review what is relevant and only then bring it in
Codesigning BRs.

 

Code Signing Working Group Charter Update – Proposed language update.
Changes done to add scope to manage the issuance and management of
Timestamping for Codesigning determined by Policy OID 2.23.140.1.4.2. It
also has update to Voting structure to reach Quorum as per charter. No
comments from group. To be raised for ballot after 2 weeks to give time to
review.

 

High Risk Ballot – To be cleaned up and ballot to be provided but after
Service Signing ballot is pursued for discussion and is closer to be
approved.

 

Individual and Organization verification Mechanism :

Value of point in time location verification and use fields like State and
Locality being discussed – It was highlighted that there could be tools in
the market may be using these fields, so consuming technology may need these
fields but what level of verification is required can be discussed

 

It was raised that point of location verification and related records are
also being done for traceability purpose so relying party can use that if
required. But some members shared that CAs have lot more accurate
information in their records and if consumer complaints to CA, CA has the
ability to act on that or share that information if seems adequate. 

 

Question came up if there is enough information in Code Signing Certificate
to share in CT logs that may highlight any individuals uniquely who sign
malicious code. It was raised that public availability of this information
may be helping in restricting subscriber to sign malicious code. Discussion
then moved to second part – which was if an individual can specify a Code
project i.e. can a code signing certificate be issued for a specific
project. Possibility was discussed but no conclusion made.

 

On organization validation side, question raised if there is need for OV and
EV for Code Signing. It was noted that functionality wise, OV and EV
certificates are same in Microsoft ecosystem and Smart screen reputation in
MS  Windows is based on Issuer (Issuing CA) and Subscriber. 

 

Different validation levels could be a problem across all certificate types.
So suggestion came that this should be taken by validation sub committee.
There was consensus in general. This was further discussed and point made to
make validation more inline with future needs, and align a level for Code
Signing. No further comments from anyone.

 

Agenda Items 8 -12

8. Individual and Organization verification mechanism review

9. Private keys in Hardware observations

10. Github open Items

11. Other 

[Cscwg-public] Draft CSCWG Minutes October 5, 2023 - Second Half

[Dean Coclin via Cscwg-public]

Here are the minutes from the 2nd half of our F2F meeting. The first half
were sent last week.

 

Minutes from the Code Signing Certificate Working Group

October 5, 2023 – 2nd half of Meeting

 

Agenda Items 8 -12

8. Individual and Organization verification mechanism review

9. Private keys in Hardware observations

10. Github open Items

11. Other business

12. Next meeting

 

8.  Last meeting there was a discussion about a Microsoft email wherein they
asked about the differences between IV and OV verification.  Ian brough up
the point in time location verification.  What is the value of this check?
It is part of the subject DN, and many different technologies have become
dependent on this information. Removal of that information would affect
consuming technologies.  As such any changes there could not be supported by
Microsoft.

But how do we handle the address information?  It may change from the time
of verification versus when a relying party trusts the DN. Are there
significant differences between IV and OV address verification?  

Dimitris points out that the reason we keep this address information is for
traceability purposes. 

Bruce says that the CA has more information about the subject than the
certificate.  Tim agrees; doesn’t know that it is particularly useful to
have all the information in the cert. Ian points out that the cert’s purpose
is not for the public to find a specific individual, although a CA will have
that information.  Dimitris questions if we are having the discussion so
that the ecosystem will be able to identify malicious actors based on the
information in the certs.  Bruce mentions the need for CT for code signing
as there is not always enough information in the subject to prevent
malicious entities from obtaining certs from other CAs. 

Paul suggests that the information in the subject indicates to the
subscriber that their information is known and that would potentially deter
them from malicious activity.  It can also let relying parties know that CAs
have additional information on the subject.   

Dimitris mentions that more certs are issued to organizations than to
individuals.  Bruce brings up coding groups/ like open source projects.
Some people may want to have a cert specific to their contributions in a
project. 

Tim brings up that the project could be verified.  Martijn suggests DV code
signing, Tim objects. At least one real person should be identified with the
project.  Bruce points out that time is running out and we should focus on
Organization (instead of individual) verification. 

There are 2 methods of verification OV/EV, but is there a difference in
functionality from the Microsoft point of view?  Ian confirms that there is
no difference in OV/EV certification.  SmartScreen is related not to the
policy OID, but the direct issuer of the certificate (CA, not coder).  The
adoption of a new ICA could have detrimental effects on SmartScreen rating. 

Bruce asks do we need 2 different methods of validation for organizations,
if there is no difference in handling? There may be too many methods, when
considering S/MIME OV.  Tim observes that the different methods are not
really “levels” of validation.  However, this is a discussion that is wider
than the CSCWG. Suggests that the TLS validation group be elevated to a
multigroup / CABF scope to generate a set list of organizational validation
methods.  Then, different groups (CS, S/MIME, etc.) could select the
validation method from that list. 

Bruce sums it up by saying that we should bring verification to the future.


 

9. Private keys in hardware observations – all keys need to be generated in
hardware… any thoughts on this? 

Dimitris mentions that IETF is working on remote key attestation draft.  Tim
talks about the IETF work; lots of political discussions going on in this
field.  There is a decent chance of one or two RFCs coming out in 2024. A
presentation from IETF would be beneficial to the CABF. 

IETF is very closely related to the skit work that Microsoft spoke about in
Redmond.  We should be ready for incorporation of the RFC when published.
Bruce takes action to reach out to Mike Ownsworth to see if he can speak at
one of our meetings. 

Martijn gives anecdotal evidence about customers providing half-a-page
“audits” when trying to obtain a certificate. There may be some work needed
to tighten up the requirements of the HSM audits.  General consensus on this
idea was reached. 

Paul brings up that there are several hardware devices that cannot handle
attestation.  Tim says that we may need to start out with vague guidelines
that strengthen as the ecosystem does. 

-- Break --

 

 

10. Bruce wants to bring up open Github items, with Martijn’s assistance, as
they are mostly his items.

Items 26, 23, 21, 19, and 18.  #19 has been added to the clean-up ballot. 

#26 should be included when importing the EVGs, it will be reassessed later

#23 is in the signing service ballot and will be handled 

[Cscwg-public] CSCWG Agenda November 2, 2023

[Dean Coclin via Cscwg-public]

MINUTE TAKER: NEED A VOLUNTEER, START RECORDING

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - F2F (Mohit/Tim C) and Oct 19th (Ian)
4.  Ballot CSC-21 status
5.  Proposed High Risk Ballot
6.  Proposed ballot Remove EV Guideline References
7.  Proposed ballot CSCWG charter update
8.  Other business
9.  Next meeting -  Nov 16th 
10. Adjourn

 

REMINDER: we will discuss the RFC for Key Attestation on 30 November

 

Dean Coclin 

CSCWG Chair

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Voting results: CSC-20: Restore Version Reference to EV Guidelines

[Dean Coclin via Cscwg-public]

The voting period on Ballot CSC-20: Restore Version Reference to EV
Guidelines has ended and the ballot has PASSED. 

 

Votes in favor by Certificate Issuers:

DigiCert, eMuhdra, Entrust, Globalsign, Harica, Sectigo

 

Votes in favor by Certificate Consumers:

Microsoft

 

Quorum requirement: 5.

 

Therefore the ballot passes.

 

Dean Coclin 

CSCWG Chair

 

 

 

 

From: Cscwg-public  On Behalf Of Corey
Bonnell via Cscwg-public
Sent: Thursday, October 12, 2023 10:44 AM
To: cscwg-public@cabforum.org
Subject: [Cscwg-public] Voting period begins: CSC-20: Restore Version
Reference to EV Guidelines

 

Purpose of the Ballot

 

This ballot updates the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Code Signing Certificates" version 3.4 in
order to restore a version reference to the Extended Validation Guidelines
which was inadvertently removed in a previous version of the Requirements.
In addition, a minor typographical issue is also resolved.

 

The following motion has been proposed by Corey Bonnell of DigiCert and
endorsed by Bruce Morton of Entrust and Dimitris Zacharopoulos of HARICA.

 

MOTION BEGINS

 

This ballot updates the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Code Signing Certificates" ("Code Signing
Baseline Requirements") based on version 3.4.

 

MODIFY the Code Signing Baseline Requirements as specified in the following
redline:
https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e355
6800459694874...50b40d41319ffae5fec9c9dd22ae6ebb55c34ba1
 

 

MOTION ENDS

 

The procedure for approval of this ballot is as follows:

 

Discussion (7 days)

 

* Start Time: 2023-10-05 12:00 UTC

* End Time: 2023-10-12 14:45 UTC

 

Vote for approval (7 days)

 

* Start Time: 2023-10-12 14:45 UTC

* End Time: 2023-10-19 14:45 UTC

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda 19 October

[Dean Coclin via Cscwg-public]

 

Proposed agenda

 

 

1.  Assign Minute taker (start recording)
2.  Roll call
3.  Antitrust Compliance Statement
4.  Review Agenda
5.  Approval of prior meeting minutes - F2F 5 Oct, Need minutes!
6.  Ballot CSC-20 Restore Version Reference to EV Guidelines
7.  Ballot CSC-21 Signing Service
8.  Proposed Ballot High Risk
9.  Proposed ballot Remove EV Guideline References
10. Proposed ballot CSCWG Charter Update
11. Other business
12. Next meeting - 2 November

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final Codesigning Working Group minutes- 7-Sep-2023

[Dean Coclin via Cscwg-public]

Minutes of Codesigning WG meet on Sep 7th, 2023

 

Attendees:

Atsushi Inaba - GlobalSign

Keshava N - eMudhra

Inigo Barreira - Sectigo

Dimitris Zacharopoulos - Harica

Martijn Katerbarg - Sectigo

Ian McMillan Microsoft

Brianca Martin - Amazon

Mohit Kumar - GlobalSign

Bruce Morton - Entrust

Scott Rea - eMudhra

Andrea Holland - VikingCloud

Corey Bonnell - DigiCert

 

Discussion Points:

Prior minutes approval - 24-Aug-2023 minutes approved with no objection 

Ballot Status

Ballot 19 is completed and effective 5-Sep-23 and new Code Signing BR
version is published with updates from this ballot.

 

Signing Service Ballot - Updated draft based on previous ballots. Includes
lot of cleanups, simplifying the language and not change any scope. The
objective was to clear that Signing service is not supposed to do
validation. Validation is expected from Certificate Authority and Signing
service is expected to protect private keys on behalf of subscriber

Summary of Major updates for Signing Service:

*   Made clear signing service is not delegated third party. It is not
an obligation for CA or CA doesn't have to do it or delegate. It is optional
for CA.
*   Change in definition of Signing service to include generation of key
pair and its management as main job for signing service
*   Added section to ensure that Signing service don't transfer keys to
subscriber
*   Changed reference to Signing Key as Private Key where applicable
*   Improved content to avoid the interpretation that Signing service
must do malware scans for all codes being signed
*   Broke the audit requirements between CA, Signing service and
Timestamping

 

High Risk ballot - To be postponed for now and to be taken up later. 

 

Discussion on need for charter update for TSA certificates

Dimitris  brought to group attention that it was agreed at forum level that
Codesigning Working group can work on requirements for TSA related to Code
Signing and is in scope.

Martjin suggested that unless we have technical controls to figure out which
Timestamp certificates or authority is being used for Codesigning vs not
used for codesigning, it is difficult to differentiate.

 

It was highlighted that we have policy OIDs for Timestamp certificates to be
used for Codesigning. There was discussion if these are mandatory and if its
stated explicitly. It was called out that if policy OID is not being used in
Timestamping certificate, it technically still works for codesigning. 

But there is still difference in opinions if timestamping requirements are
in scope or need the charter update, since it is not clear. 

Action item was decided to review and update charter and consider timestamp
certificates/TSA requirements for Codesigning

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final CSCWG Minutes September 21, 2023

[Dean Coclin via Cscwg-public]

 Final minutes from 21 September 2023.

 

 

1.  Roll Call - Bruce Morton - Entrust, Tim Crawford, Rollin Yu -
TrustAsia, Atsushi INABA - GlobalSign, Scott Rea - eMudhra, Mohit Kumar -
GlobalSign, Martijn Katerbarg - Sectigo, Inigo Barreira, Ian McMillan
Microsoft, Andrea Holland - VikingCloud, Corey Bonnell DigiCert, Corey
Bonnell DigiCert, Brianca Martin - Amazon
2.  Note well was read
3.  Approve prior meeting minutes - Sept 7 - not approved as the minutes
were only provided for review on 21 September
4.  F2F Agenda, suggested items

a.  Private Keys in hardware feedback - There was generally no input as
to whether this should be on the agenda. Ian stated it would be good to
bring it up, but Bruce was not confident that there would be any feedback
from the members, so would push to last on the agenda.
b.  Ballot: Remove EV Guideline refences (Dimitris) - Dimitris was not
on the call to discuss. The goal will be to remove all EV Guidelines
references, make adjustments where new text is not applicable to EV; then
step 2 would be to adjust clauses to possibly make issuance of EV
certificates easier. Note that it is impossible to issue an EV to an
individual. It does not address consumer certificate. The client software
does not make a distinction between non-EV and EV for code signing. Do we
need all the clauses to authenticate certificate issuance? Should we make
any changes, since the functionality of non-EV and EV is the same? For
individuals we do require F2F for issuance of a code signing certificate. Do
we need both non-EV and EV and if we do, what differences should they have?
Also an issue with the due diligence validation where a person can approve
vs. a machine. Do we need due diligence specified? Can we create a system
for more consistent due diligence review? The goal was to require 2 people
to get an EV certificate issued.
c.  Ballot: Charter update (Martijn) - Martijn agreed we could discuss
at the F2F.
d.  Ballot: High Risk (Bruce/Ian) - Agreed to discuss at the F2F. Ian
wants to ensure internally that we are not removing high risk as some items
are still discussed in section 4.2.1 and 4.2.2. Should we consider changing
a high risk certificate application as to when a subscriber which has been
subject to a takeover attack requests a certificate?
e.  Individual and Organization verification mechanisms as discussed
below.
f.  Review open Github items.

5.  Ballot Status

a.  Signing Service - Reviewed on last call. Tim has reviewed since and
will endorse. Ian is reviewing, then hopefully will endorse.
b.  High Risk - Text has been drafted and Ian is reviewing. 
c.  Charter Update - Martijn working on change.
d.  Time-stamp - Delay until other ballots are done.

6.  Other business - An email received from Tim McGrath from Microsoft.
Ian knows the people that provided the email and will address. The question
was about point-in-time for the address; but this is the type of data based
on the CA review. Note there is no unique information included for an
individual. An email address would be easy and unique for an individual and
maybe we could drop location data. Can an individual specify a specific
project for the signing, but the issue would be validating. It would be good
if a CA could add information to distinguish an individual, so they would be
added to a blocklist if they intentionally sign suspect code. What can we do
to help protect relying parties? Perhaps we can brainstorm at the F2F about
Individual and OV verification mechanisms. For organization, can we choose
an existing model which is already defined in the CAB Forum. Would not like
to create another model.
7.  Next meeting -  F2F Oct 5
8.  Adjourn



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] F2F CSCWG Agenda

[Dean Coclin via Cscwg-public]

Here is the agenda for this week's F2F session which will be Thursday
morning:

 

1.  Assign Minute taker (start recording)
2.  Roll call
3.  Antitrust Compliance Statement
4.  Review Agenda
5.  Approval of prior meeting minutes - 21 Sept
6.  Ballot proposals:

a.  Signing Service
b.  Remove EV Guideline References
c.  CSCWG Charter Update
d.  High Risk

7.  Private Keys in Hardware observations
8.  Other business
9.  Next meeting - 19 October

 

 

Dean Coclin 

CSCWG Chair

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final CSCWG Minutes August 24, 202

[Dean Coclin via Cscwg-public]

Final minutes of CSCWG Aug 24, 2023

 

1.  Attendees: Abhishek Bhat - (eMudhra), Andrea Holland -
(VikingCloud), Bruce Morton - (Entrust), Corey Bonnell - (DigiCert), Dean
Coclin - (DigiCert), Dimitris Zacharopoulos - (HARICA), Ian McMillan -
(Microsoft), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo),
Martijn Katerbarg - (Sectigo), Mohit Kumar - (GlobalSign), Scott Rea -
(eMudhra), Tim Crawford - (CPA Canada/WebTrust), Tim Hollebeek - (DigiCert)
2.  The Anti-trust reminder was read
3.  The minutes of August 10th were approved. 
4.  Adobe Interested party application - no update
5.  Ballot status

a.  SSL BR references - in IPR review until September 1st
b.  Signing Services - Bruce had sent out drafts for this and the other
2 below. He received 1 comment back. Bruce asked for help in moving this to
github and start working on the official ballot. Corey agreed to help. Ian
commented that the draft should mention FIPS Level 3. Did we want to clarify
the FIPS 140-3? Bruce said he can add a comma to include both. Ian asked
about an effective date and said we should set one to avoid chaos. Tim said
there's no confirmed evidence of anyone having a problem with this ballot
and we should pick a date and see if anyone complains. 
c.  High Risk applications - Bruce suggested we do one of these 3
ballots at a time, starting with the signing service, followed by the high
risk. Ian wants to spend more time scrutinizing the high risk ballot. 
d.  Time stamping: Ian said that Martijns comments (via email) addressed
his concerns. Martijn had some other concerns regarding the key destruction
part and auditor criteria. Having an auditor witness it every 18 months
could be costly. Could we just make sure that they are no longer online?
Bruce agreed that they don't need to be audited. Dimitris said it can be an
internal ceremony without an auditor. The auditor can review that.  Inigo
asked why they have to be destroyed. Tim said there is no reason for the
private keys to exist. Dimitris was concerned about key backups and having
to find and delete those. Tim said as long as they are no longer usable, it
should be fine. Final agreement: no auditor necessary. Martijn will draft
some language in github to make it clear. 
e.  Dimitris asked if there was interest in doing the same work that was
done with the TLS BRs and the Netsec guidelines for the EV guidelines
(pulling the EV guidelines into the CSBRs). Ian said it could be wasted work
if we decide to do away with EV and just have one standard. Dimitris said it
would be helpful to bring them in and review what should stay and what
should go. Tim said we should go thru and see what the actual EV references
are and look at each one. Corey had a concern about the changes to the
numbering and references. Dimitris said the CSBRs are already in the 3647
format. Tim said that we still need to go through each item. Dimitris
suggested we should have this discussion at the next F2F meeting. He will
pull together all the references to the EV guidelines from the CSBRs. 

6.  Lessons learned from June 1 change: Suggestion made to push this to
F2F.  One item Bruce heard was that their validation team was more technical
than they were used to.
7.  Next meeting September 7th 
8.  Adjourned

 

 

Dean Coclin 

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

Re: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes

[Dean Coclin via Cscwg-public]

What "current timestamping BRs" are you referring to?

 

As I said, timestamping strictly related to code signing should be in scope.

 

Dean

 

Dean Coclin 

Sr. Director Business Development

M 1.781.789.8686

 



 

 

From: Tim Hollebeek  
Sent: Tuesday, September 12, 2023 8:27 PM
To: Dean Coclin ; cscwg-public@cabforum.org;
Martijn Katerbarg ; Bruce Morton

Subject: RE: [Cscwg-public] Proposed Signing Service, High Risk and
Timestamp Changes

 

This is just wrong, and Martijn was trying to say the opposite thing anyway:
we should update the charter to explicitly state that timestamping is in
scope.  And I agree.

 

The reason it can't be true that timestamping is out of scope is because the
current timestamping BRs have over 75+ references to timestamping!


We've always considered timestamping to be in scope, because it's an
essential part of a secure code signing ecosystem.  

 

-Tim

 

From: Cscwg-public mailto:cscwg-public-boun...@cabforum.org> > On Behalf Of Dean Coclin via
Cscwg-public
Sent: Tuesday, September 5, 2023 10:15 AM
To: Martijn Katerbarg mailto:martijn.katerb...@sectigo.com> >; cscwg-public@cabforum.org
<mailto:cscwg-public@cabforum.org> ; Bruce Morton mailto:bruce.mor...@entrust.com> >
Subject: Re: [Cscwg-public] Proposed Signing Service, High Risk and
Timestamp Changes

 

As has been pointed out many times, the charter of the CSCWG does not
include timestamping. Hence anything related to that beyond Code Signing
would require a change to the charter.

 

Thanks for the point Martijn.


Dean

 

Dean Coclin 

Sr. Director Business Development

M 1.781.789.8686

 



 

 

From: Cscwg-public mailto:cscwg-public-boun...@cabforum.org> > On Behalf Of Martijn Katerbarg
via Cscwg-public
Sent: Tuesday, September 5, 2023 11:47 AM
To: Bruce Morton mailto:bruce.mor...@entrust.com>
>; cscwg-public@cabforum.org <mailto:cscwg-public@cabforum.org> 
Subject: Re: [Cscwg-public] Proposed Signing Service, High Risk and
Timestamp Changes

 

Hey Bruce,


I'm inclined to say that even the removal of TSC Private Keys, is a new
requirement. If we're not explicitly saying that existing keys up until this
point are excluded, then CA's may need to remove a fair number of keys. If
so, we may need to allow for a bit more time.

 

That also brings me to another concern that popped up:

 

We're adding more restrictions around timestamp certificates. While these
obviously are heavily used for code signing, they're not used just for that
purpose.

 

With that in mind, I think at least in the next Forum level meeting, we
should make all members aware of the proposed changes, since it will
probably impact members that are not a member of the CSWG. Secondly, I've
started to wonder if we need to get our charter updated to include the scope
of timestamping certificates, and possibly allow members that do not issue
code signing certificates but that still are a TSA.

 

Regards,

Martijn

 

From: Bruce Morton mailto:bruce.mor...@entrust.com> >
Date: Thursday, 31 August 2023 at 17:30
To: Martijn Katerbarg mailto:martijn.katerb...@sectigo.com> >, cscwg-public@cabforum.org
<mailto:cscwg-public@cabforum.org>  mailto:cscwg-public@cabforum.org> >
Subject: RE: [Cscwg-public] Proposed Signing Service, High Risk and
Timestamp Changes

Hi Martijn,

 

Thanks for the Github version!

 

We should discuss which items need a future effective date. I assume the
only issue is offline Subordinate CA. I would propose 15 September 2024. I
don't think there should be any impact to TSA certificates, since the
private key can only be used for 15-months which is not changing.

 

 

Bruce.

 

From: Martijn Katerbarg mailto:martijn.katerb...@sectigo.com> > 
Sent: Thursday, August 31, 2023 10:56 AM
To: Bruce Morton mailto:bruce.mor...@entrust.com>
>; cscwg-public@cabforum.org <mailto:cscwg-public@cabforum.org> 
Subject: [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk
and Timestamp Changes

 

As discussed on the last call, I've moved the language into GitHub, which
can be reviewed at
https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-
signing:TSA_Changes?expand=1
<https://url.avanan.click/v2/___https:/github.com/cabforum/code-signing/comp
are/main...XolphinMartijn:code-signing:TSA_Changes?expand=1___.YXAzOmRpZ2ljZ
XJ0OmE6bzo0ZGY3NmNlYWMzMDA4N2ZkOWU0OWFjZmUwNzAxMWY3MTo2OjczZDc6N2JlZWYyZWRjN
TU1ZTZmYmIxODIyMDZhNmU5NDY2YTY3ZTU2OTA2OWVhNDQ3YmNlNzVlZGQwY2U4MjdkYmJmMDpoO
kY> 

 

In this, I've also added text on logging key removal and how to handle key
recovery scenarios

 

It occurs to me that we're missing two details on this item:

 

1.  What kind of effective date are we looking to attach to this
2.  What will apply to SubCAs and Timestamp Certificates that have
already been issued. 

1.  If we want the same logic to be applied, do we want to maybe give
additional t

Re: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes

[Dean Coclin via Cscwg-public]

As has been pointed out many times, the charter of the CSCWG does not
include timestamping. Hence anything related to that beyond Code Signing
would require a change to the charter.

 

Thanks for the point Martijn.


Dean

 

Dean Coclin 

Sr. Director Business Development

M 1.781.789.8686

 



 

 

From: Cscwg-public  On Behalf Of Martijn
Katerbarg via Cscwg-public
Sent: Tuesday, September 5, 2023 11:47 AM
To: Bruce Morton ; cscwg-public@cabforum.org
Subject: Re: [Cscwg-public] Proposed Signing Service, High Risk and
Timestamp Changes

 

Hey Bruce,


I'm inclined to say that even the removal of TSC Private Keys, is a new
requirement. If we're not explicitly saying that existing keys up until this
point are excluded, then CA's may need to remove a fair number of keys. If
so, we may need to allow for a bit more time.

 

That also brings me to another concern that popped up:

 

We're adding more restrictions around timestamp certificates. While these
obviously are heavily used for code signing, they're not used just for that
purpose.

 

With that in mind, I think at least in the next Forum level meeting, we
should make all members aware of the proposed changes, since it will
probably impact members that are not a member of the CSWG. Secondly, I've
started to wonder if we need to get our charter updated to include the scope
of timestamping certificates, and possibly allow members that do not issue
code signing certificates but that still are a TSA.

 

Regards,

Martijn

 

From: Bruce Morton mailto:bruce.mor...@entrust.com> >
Date: Thursday, 31 August 2023 at 17:30
To: Martijn Katerbarg mailto:martijn.katerb...@sectigo.com> >, cscwg-public@cabforum.org
  mailto:cscwg-public@cabforum.org> >
Subject: RE: [Cscwg-public] Proposed Signing Service, High Risk and
Timestamp Changes

Hi Martijn,

 

Thanks for the Github version!

 

We should discuss which items need a future effective date. I assume the
only issue is offline Subordinate CA. I would propose 15 September 2024. I
don't think there should be any impact to TSA certificates, since the
private key can only be used for 15-months which is not changing.

 

 

Bruce.

 

From: Martijn Katerbarg mailto:martijn.katerb...@sectigo.com> > 
Sent: Thursday, August 31, 2023 10:56 AM
To: Bruce Morton mailto:bruce.mor...@entrust.com>
>; cscwg-public@cabforum.org  
Subject: [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk
and Timestamp Changes

 

As discussed on the last call, I've moved the language into GitHub, which
can be reviewed at
https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-
signing:TSA_Changes?expand=1
 

 

In this, I've also added text on logging key removal and how to handle key
recovery scenarios

 

It occurs to me that we're missing two details on this item:

 

1.  What kind of effective date are we looking to attach to this
2.  What will apply to SubCAs and Timestamp Certificates that have
already been issued. 

1.  If we want the same logic to be applied, do we want to maybe give
additional time for existing setups?

 

Thoughts?

 

Regards,

Martijn

 

From: Bruce Morton mailto:bruce.mor...@entrust.com> > 
Sent: Wednesday, 16 August 2023 20:00
To: Martijn Katerbarg mailto:martijn.katerb...@sectigo.com> >; cscwg-public@cabforum.org
 
Subject: RE: [Cscwg-public] Proposed Signing Service, High Risk and
Timestamp Changes

 

Agreed with the change proposal.

 

Thanks, Bruce.

 

From: Martijn Katerbarg mailto:martijn.katerb...@sectigo.com> > 
Sent: Thursday, August 10, 2023 3:54 PM
To: Bruce Morton mailto:bruce.mor...@entrust.com>
>; cscwg-public@cabforum.org  
Subject: [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk
and Timestamp Changes

 

Thanks Bruce,

 

I'm going through the TSA changes, and one thing caught my eye:

 

Section 6.2.7.2 now reads:

A Timestamp Authority MUST protect its Private Key in offline Hardware
Crypto Module conforming to FIPS 140-2 level 3, Common Criteria EAL 4+
(ALC_FLR.2), or higher. The Timestamp Authority MUST protect its signing
operations in accordance with the CA/Browser Forum's Network and Certificate
System Security Requirements.

 

The definition of "Timestamp Authority" (TSA) reads:

A service operated by the CA or a delegated third party for its own code
signing certificate users that timestamps data using a certificate chained
to a public root, thereby asserting that the data (or the data from which
the data were derived via a secure hashing algorithm) existed at the
specified 

[Cscwg-public] CSCWG Agenda August 24, 2023

[Dean Coclin via Cscwg-public]

MINUTE TAKER: NEED A VOLUNTEER

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - Aug 10th  
4.  Adobe IP application update
5.  Status

a.  Ballot: Remove SSL BR References - passed, in IPR review until Sept
1
b.  Ballot: Signing Service (Bruce)
c.  Ballot: High Risk (Bruce)
d.  Time-stamping (Ian)

6.  Lessons learned from June 1st change - any further discussion?
7.  Next meeting -  September 7th (Dean out)  
8.  Adjourn

 

 

Dean Coclin 

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Final Minutes July 27, 2023

[Dean Coclin via Cscwg-public]

CSCWG Minutes July 27, 2023

 

Attendance: 

Roberto Quiñones - Intel

Brianca Martin - Amazon

Bruce Morton - Entrust

Atsushi INABA - GlobalSign

Dean Coclin-DigiCert

Andrea Holland - VikingCloud

Mohit Kumar - GlobalSign

Scott Rea - eMudhra

Tim Crawford - WebTrust

lan McMillan - Microsoft

Brianca Martin - Amazon

 

 

Minutes of the meeting:

Minutes approved for F2F

Interested party application from Adobe was discussed. Legal contact in
Adobe is waiting for Authorization of application. No immediate action on
us. 

Adobe has Adobe air so significant to the group. 

CSC Ballot 19 was discussed and need for the votes for Quorum was
highlighted. Request made to members to place the vote.

 

Ballot on Signing Service:

Bruce circulated the drafts not only for Signing service but also
Timestamping and High Risk ballots. Suggestion made that people should start
taking look, as group would move forward after current ballots are passed
and published. 

Ian to look what is proposed on Timestamping and High risks ballot and share
comments.

Digicert to present their views on CT logs for next time as SME were not
available this week.

 

Proposal on merging EV and OV certificates:

Ian proposed to work on text for combining OV and EV together and find a
middle ground to eliminate need for EV Codesigning certificates. In
principle, standard to be maintained for organization validation that EV
does today and making that as new only standard – calling it OV. 

Question was raised on challenges to subscriber with that. 

Organization identifier scenario in SMIME was discussed as part of this
discussion. In SMIME, Org ID was introduced as single field that has all the
requirements vs EV which has 3-4 fields for same information. So this makes
certificate better than OV and close to EV  in terms of Identity.

 

Another change discussed was need for verification of certificate requestor,
contractor, signer etc because a lot of effort goes in there. It required in
EV and not for OV today. Also do we need dual verification that is done
today. 

Feedback is there that EV is very hard and do they provide the value or not.


As there is no Domain in Codesigning certs so it boils down to the need for
such verifications.

In SMIME BRs, there is no EV just a upgraded level of OV.  SMIME to be
studied further and to be observed in terms of feedback for SMIME for next
few months from SMIME BRs effective date. 

The expected timeline is 5-6 months atleast for this ballot given 3 ballots
ahead already. It’s a big change. 

Also discussed what should be the timeline to issue more than 1 certificate
in a subscription and how to use shorter lived certificates. 

 

Bruce also raised that CAs should provide feedback how Private Key ballot
landed may be in 1-2 months. He proposed that group should gather feedback
from CAs. Some CAs might be facing same issues, so we should have feedback
loop so we can iron out. This to be added to Agenda item for next time. 

 

Meeting was adjourned. 

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda August 10th

[Dean Coclin via Cscwg-public]

MINUTE TAKER: NEED A VOLUNTEER

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - JUL 27th 
4.  Adobe IP application update
5.  Status

a.  Ballot: Remove SSL BR References - passed
b.  Ballot: Signing Service (Bruce)
c.  Ballot: High Risk (Bruce)
d.  Time-stamping (Ian)

6.  Certificate Transparency - presentation from DigiCert (Tim H)
7.  Lessons learned from June 1st change
8.  Next meeting -  August 24th  
9.  Adjourn

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Ballot CSCWG-19 Voting results

[Dean Coclin via Cscwg-public]

Voting has ended on Ballot CSCWG-19 and the ballot has passed. Detailed
results are below:



Voting by Certificate Issuers - XX votes total including abstentions

 

- 5 Yes votes: DigiCert, Entrust, GDCA, GlobalSign, HARICA

- 0 No votes 

- 0 Abstain

 

100% of voting Certificate Issuers voted in favor.

 

Voting by Certificate Consumers - XX votes total including abstentions

 

- 1 Yes votes: Microsoft

- 0 No votes

- 0 Abstain

 

100% of voting Certificate Consumers voted in favor.

 

Relevant Bylaw references

 

Bylaw 2.3(f) requires:

 

- a "yes" vote by two-thirds of Certificate Issuer votes and 50%-plus-one
Certificate Consumer votes for approval.  Votes to abstain are not counted
for this purpose.  This requirement was met for both Certificate Issuers and
Certificate Consumers.

- at least one Certificate Issuer and one Certificate Consumer Member must
vote in favor of a ballot for the ballot to be adopted. This requirement was
also met.

 

Under Bylaw 2.3(g), "a ballot result will be considered valid only when more
than half of the number of currently active Members has participated". Votes
to abstain are counted in determining a quorum.  Half of currently active
Members as of the start of voting was 10, so quorum was 5 votes - quorum was
met."

 

Dean Coclin 

CSCWG Chair

 

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] REMINDER: Voting ENDS MONDAY for Ballot CSC-19 - Remove TLS BR References

[Dean Coclin via Cscwg-public]

REMINDER: VOTING CLOSES MONDAY. PLEASE VOTE TO MAKE SURE WE GET A QUORUM

 

Dean Coclin 

CSCWG Chair

 

 

From: Cscwg-public  On Behalf Of Dimitris 
Zacharopoulos (HARICA) via Cscwg-public
Sent: Monday, July 24, 2023 5:02 AM
To: cscwg-public@cabforum.org
Subject: [Cscwg-public] Voting Begins for Ballot CSC-19 - Remove TLS BR 
References

 

This message begins the voting period for ballot CSC-19.

 

Dimitris.









 

Purpose of the Ballot





This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates“ version 3.3 in order to remove 
references pointing the Baseline Requirements for Publicly-Trusted TLS 
Certificates ("TLS BRs"). The main goals of this ballot are to:



1.  Remove dependencies with the "TLS BRs" that are decided in a different 
CA/B Forum Working Group
2.  Remove ambiguity about which exact requirements are applicable to Code 
Signing Issuers and Time-stamping Authorities

The following motion has been proposed by Dimitris Zacharopoulos of HARICA and 
endorsed by Martijn Katerbarg of Sectigo and Tim Hollebeek of Digicert.

MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline 
Requirements") based on version 3.3. MODIFY the Code Signing Baseline 
Requirements as specified in the following redline: 
https://url.avanan.click/v2/___https://github.com/cabforum/code-signing/pull/16/files%23diff-51665fed103b76d89fc3da15cf88817d58602089___.YXAzOmRpZ2ljZXJ0OmE6bzpiMzFlOTVjYzA1N2YyYjcxY2FmYjBkMmY1MjE2OGM0YTo2OjYwMzY6N2EwZGJiZTM4YWU3ZjlmYzdiOGIwODUwZWNlNzQ4NTE4ODdkZGM3ZGQ5YjJkMjE5N2E0YzNmMDgxOTkxMjAzMDp0OkY
 

  

MOTION ENDS

The procedure for this ballot is as follows:


CSC 19 - Remove TLS BR References 

Start time (10:00 UTC)

End time (10:00 UTC)


Discussion (at least 7 days)

17 July 2023

24 July 2023


Expected Vote for approval (7 days)

24 July 2023

31 July 2023

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] Final minutes of CSCWG Meeting July 13, 2023

[Dean Coclin via Cscwg-public]

CABF - CSCWG - Thu 13 July, 2023 - Code Signing WG Meeting

Attendance:

Andrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Corey Bonnell
(DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Inigo
Barreira (Sectigo), Mohit Kumar (GlobalSign), Scott Rea (eMudhra), Tim
Crawford (BDO/WebTrust)

 

Minutes:

Dean Coclin (DigiCert) as Host, welcomes and lists attendees

Antitrust statement:  Antitrust statement is read

Approval of minutes: Minutes of June 29 meeting are presented - approved

 

Invitation for remote attendees at the F2F to identify themselves (a paper
list was circulated in the room to capture physical attendees, but no remote
equivalent, hence the request). Draft Minutes from F2F are available online
for anyone who wants to add their name. Approval of those minutes will be
sought on next call. 

 

Agenda:

1 item on agenda today (since Bruce and Ian are away) - removal of BR
references, and which is the correct version of X.509 to be used. Dimitris
to lead discussion.

*   Ballot: CSC 19 

*   Latest comments from Tim have been cleared, if no other concerns or
objections, discussion period will start on Monday (17 July)
*   No concerns raised over content, but procedural concern raised over
discussion being held during summer holiday period

*   If quorum is not achieved for vote (due to holiday period impact), a
new ballot will be submitted with a new number (same content)

*   Still waiting on feedback from Microsoft in respect to X.509 version

*   Server WG requires conformance with RFC 5280 which specifically
references X.509 2005 version
*   Requiring latest version of X.509 is as inclusive as possible (since
it already include 2005 edits) and should not present an issue

 

No other business

Next meeting: July 27

Adjourn

 

Dean Coclin 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Agenda

[Dean Coclin via Cscwg-public]

 

MINUTE TAKER: NEED A VOLUNTEER

 

1.  Roll Call
2.  Antitrust reminder
3.  Approve prior meeting minutes - F2F, June 6th, July 7th 
4.  Adobe IP application
5.  Status

a.  Ballot: Remove SSL BR References (Dimitris)
b.  Ballot: Signing Service (Bruce)
c.  Ballot: High Risk (Bruce)
d.  Time-stamping (Ian)

6.  Certificate Transparency - presentation from DigiCert?
7.  Next meeting -  August 10th 
8.  Adjourn

 

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

[Cscwg-public] CSCWG Final Minutes June 29, 2023

[Dean Coclin via Cscwg-public]

Code Signing WG Meeting: June 29th, 2023

 

Attendance:

Roberto Quiñones (Intel), Corey Bonnell (DigiCert), Dean Coclin (DigiCert),
Andrea Holland (VikingCloud), Janet Hines (VikingCloud), Atsushi INABA
(GlobalSign), Bhat Abhishek (eMudhra), Bruce Morton (Entrust), Mohit Kumar
(GlobalSign), Tim Crawford (BDO/WebTrust), Martijn Katerbarg (Sectigo),
Keshava N (eMudhra), Ben Dewberry (Keyfactor), Tim Hollebeek (DigiCert),
Scott Rea (eMudhra), Brianca Martin (Amazon)

 

Minutes

Antitrust statement: The Antitrust statement was read.

Approval of minutes: Previous F2F meeting’s minutes still being compiled

*   Ballot: CSC 18 has passed and IPR review period is over

*   No claims received

*   Look into rebasing the last two Ballots into Dimitri’s branch

*   Now that the IPR period is over that can be done

*   Signing service Ballot

*   Most of the text is written but could now be out of Sync with
updates coming in from Dimitri’s ballot
*   Need to recut the ballot after going through the previous ballot

*   High risk language change proposal (Bruce, Tim, and Ian)

*   Work on getting (High risk language, time stamping change, EB
certificates, certificate transparency) discussion in a prioritized order
*   All items that have been talked about but nobody is working on a
specific one
*   High risk can be done now, other two waiting on more fleshed out
text
*   Certificate Transparency

*   Presentation on Certificate Transparency Coming up at an upcoming
code signing meeting

*   Time Stamping change

*   Setting a requirement for time stamping, also impacts non code
signing items
*   Time stamping authorities for code signing intermixed with time
stamping authorities for other things and causes a number of problems but no
need for it to necessarily continue
*   Potential next steps

*   Designate which timestamp servers are meant to be a codesigning
according to the CAB forum code signing requirements

*   Prioritization discussions to come when Ian joins next

*   Next Call: July 13th
*   Adjourn

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public