Final minutes of CSCWG meeting Jan 11, 2024

1.      Roll Call

*       Andrea Holland - (VikingCloud)
*       Brianca Martin - (Amazon)
*       Bruce Morton - (Entrust)
*       Corey Bonnell - (DigiCert)
*       Dimitris Zacharopoulos - (HARICA)
*       Eva Vansteenberge - (GlobalSign)
*       Ian McMillan - (Microsoft)
*       Inaba Atsushi - (GlobalSign)
*       Inigo Barreira - (Sectigo)
*       Janet Hines - (VikingCloud)
*       Martijn Katerbarg - (Sectigo)
*       Mohit Kumar - (GlobalSign)
*       Richard Kisley - (IBM)
*       Roberto Quiñones - (Intel)
*       Rollin Yu - (TrustAsia)
*       Scott Rea - (eMudhra)
*       Thomas Zermeno - (
*       Tim Hollebeek - (DigiCert)

2.      Antitrust reminder: Read

3.      Approve prior meeting minutes - Nov 30th, Dec 14th : Both minutes were 

4.      Ballot CSC-21 Signing Service: Discussion/Voting Period : Voting ends 
tomorrow 12 January 2024. Bruce stated 6 votes were required for quorum, but we 
only have 5 votes so far. Dimitris advised that the membership tool states the 
quorum is 5. Bruce stated that he might have counted the meeting attendees 
improperly, so we will use system quorum number of 5.

5.      Ballot CSC-22 Proposed High Risk Ballot: Discussion/Voting Period: 
Voting also ends 12 January 2024 and quorum of 5 has been met.

6.      Proposed ballot Remove EV Guideline References status: Dimitris has 
provided a proposal for review. He will provide a mapping document to assist 
for review. Would like feedback before proposing a ballot.

7.      Proposed ballot CSCWG charter update status: Martijn stated the ballot 
closes today and we are exactly on the quorum number.

8.      PCI-HSM certification for Code signing HSMs (Richard K): Richard would 
like the CSCWG to consider using PCI-HSM as a certification approval method for 
crypto modules for the CSBRs. PCI-HSM is a robust program which most vendors 
use. FIPS 140-2 and -3 have a long queue. For instance, FIPS has 252 waiting, 8 
in process, and only 12 people performing the process, so processing takes 
12-18 months. Common Criteria is not universal. PCI-HSM covers the requirements 
and could be used as an alternative. Dimitris asked what the proposal would 
apply to - CA or Subscriber keys; Richard did not know where to apply it. Ian 
asked what the difference is between PCI-HSM and FIPS; Richard provided his 
perspective. Bruce stated that root CAs, subordinate CAs, time-stamp CAs, and 
Signing Services use HSMs, but there might not be a demand as this requirement 
is already met. Would PCI-HSM help to support the Subscriber end by providing 
more devices for signing code? Dimitris stated that the CSBRs allow FIPS 140 
Level 2 for Subscribers, which is lower than Level 3, so maybe it would be 
approved for Subscribers. Ian stated that they would investigate to see if 
PCI-HSM would be acceptable for Subscribers. Dimitris asked if PCI-HSM supports 
remote key attestation; Richard stated the PCI-HSM requirements do not address 
this. If PCI-HSM is acceptable, a member would have to write a ballot. We will 
wait until there is feedback from Microsoft.

9.      Other business: Bruce asked whether there is new business, since 3 
ballots will pass this week. Bruce asked if DigiCert is still planning to 
provide a CT demo; Corey suggested we review with Ian. Bruce also stated that 
another topic is time-stamp changes, but this is also Ian's action. It was 
suggested to work on the EV ballot. Dimitris said the change might be an issue 
as it could conflict with the BR of BRs process. Tim brought up the question of 
what we are trying to resolve; Dimitris suggested that the exercise would 
remove some EV requirements which do not make sense for the CSBRs. Tim asked if 
the EV Guidelines could be added as an appendix; Dimitris suggested that that 
would work for the verification requirements, but not the others.

10.     Next meeting -  January 25th

11.     Adjourn