Code Signing Certificate Working Group Draft Minutes Feb 28, 2024 F2F Meeting India
Discussion leader: Bruce Morton (Entrust)
Minutes: Andrea Holland (VikingCloud)

Attendees: Paul van Brouwershaven (Entrust), Dustin Hollenback (Microsoft), Tim Callan (Sectigo), Scott Rea (eMudhra), Dimitris Zacharopoulos (HARICA), Arno Fiedler (ETSI), Arvid Vermote (GlobalSign), Ashish Dhiman (GlobalSign), Tadahiko Ito (SECOM), Corey Bonnell (DigiCert), Inigo Barreira (Sectigo), Mrugesh Chandarana (IdenTrust), Marco Schambach (IdenTrust), Nitesh Bakliwal (Microsoft), Kiran AM (eMudhra), Keshava N (eMudhra), Abhishek Bhat (eMudhra), Naveen Kumar (eMudhra), Yashwanth (eMudhra), Dean Coclin (DigiCert), Thomas Zermeno (SSL.com), Mohit Kumar (GlobalSign), Martijn Katerbarg (Sectigo), Nargis Mannan (Viking Cloud), Tim Hollebeek (DigiCert), Atsushi Inaba (GlobalSign), Trevoli Ponds-White (Amazon Trust Services), Aaron Poulsen (Amazon Trust Services), Rich Smith (DigiCert), Roman Fischer (SwissSign), Eva Van Steenberge (GlobalSign), Rollin Yu (TrustAsia), Michael Slaughter (Amazon Trust Services), Nome Huang (TrustAsia), Kateryna Aleksieieva (Certum), Andrea Holland (VikingCloud), Bruce Morton (Entrust), Tim Crawford (CPA Canada/WebTrust), Ian McMillan (Microsoft), Stefan Kirch (Telekom Security), Tsung-Min Kuo (Chunghwa Telecom), Rebecca Kelley (Apple), Li-Chun Chen (Chunghwa Telecom)

Interested Party: Ben Wilson (Mozilla)

Invited Guests: Ramachandran P (Office of CCA, MEITY, Govt of India), Mike Kushner (Keyfactor), Seven Rajala (Keyfactor)

Detailed minutes:

1. Antitrust Compliance Statement read

2. Review Agenda

3. Statement from Nitesh
   * A survey went out from Microsoft. If you have not received it, please reach out.
   * Update on the EV CS OID changes.
   * Deadline of August 2024 for feedback and for reasons/scenarios supporting continued EV Code Signing support.
   * Timeline of February 2025 for the planned removal of support for EV Code Signing.
   * The policy update removing the EV CS OID was published early and will be reverted until the planned removal date.
   * Clarification that OCSP is required only for TLS, not for Code Signing or S/MIME.

4. Approval of February 8th minutes

5. Certificate Transparency for Code Signing
   * Discussion by Ian, Trev, Tim H., Bruce, Dimitris, Martijn, Paul, and Dean.
   * Discussion of the problem statement: the need for public transparency for Code Signing certificates, and the revocation aspect.
   * Discussion of the infrastructure and tooling necessary to monitor the CT logs, as well as subscriber benefits; these should be a secondary phase.
   * Discussion of the use case of CT for CS and the differences between CT for TLS and CT for CS.
   * Code Signing certificates sign code that can last forever, which affects how long records must be retained in the CT log.
   * Single-use CS certificates would cause a high number of records on the CT logs.
   * Specific questions were discussed: How long should a record be kept in a trusted CT log? What happens when a log is retired? How long should a log be active? How many logs would CAs be required to log to? These will be continued based on implementation.
   * Action item: define/refine the problem statement.

6. Reduction of Code Signing validity to 15 months
   * Discussion by Ian, Bruce, Dean, Martijn, Tim C., Dimitris, and Trev.
   * Reason for the request: the longer the validity period, the larger the impact radius of a revocation, which causes unintended collateral damage.
   * The original period of 39 months was based on common practice at the time; should this be revisited? How many certificates are being issued at 39 months? Are 12-month certificates more common, or has this changed due to the private key protection requirement?
   * Discussion that the worry is the amount of software signed under a particular key. In the event that a key is compromised, a whole bunch of software has to be revoked.
   * Action item: get the data, review, and move forward from there.

7. Ballot for EVG import
   * Discussion by Bruce, Tim H., Ian, Tim C., Dimitris, Mrugesh, Trev, Enrico, and Paul.
   * The idea is that non-EV code signing is going away and EV will be the new standard.
   * Microsoft confirms that the Hardware Dev Center is the only remaining location where policy says an EV certificate is needed, and only for onboarding. SmartScreen doesn't distinguish between the two.
   * Microsoft doesn't differentiate between OV and EV OIDs; they are treated the same.
   * Microsoft wants to simplify to one type of CS certificate, with the only difference being the validation type (individual validation vs. organization validation).
   * The CS BRs point to specific references in the EV Guidelines. The EVG import should be completed first. The next step is then to simplify the CS BRs to match a single CS type. The goal of this CS type would be an efficient and modern EV.

8. Ballot for Time-stamp update
   * Discussion by Martijn, Ian, and Bruce.
   * Offline subCAs for Timestamping certificates.
   * Adding key destruction to make sure that the private key associated with a certificate that still has 10 years of validity left is destroyed and can't be used to "travel through time" (issue time-stamps back-dated into that period).
   * Proposal of a 15-month key use period and an 18-month key destruction deadline mitigates the 135-month certificate validity period. Only required if your timestamp certificate has a validity period of over 15 months.
   * Language to be floated.

9. Any Other Business
   * No meeting next week.
   * The IPR period has ended for CSC 21 and 22.
   * The group should deprecate the obsolete EV CS Guidelines document.
     * Kept for historical reasons, but you cannot get an audit report based on the document.
     * People accidentally reference this document.
     * A ballot will be drafted.

Dean Coclin
CSCWG Chair
_______________________________________________
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public