Home » All CA/Browser Forum Posts » 2021-09-23 Minutes of the Code Signing Certificate Working Group

2021-09-23 Minutes of the Code Signing Certificate Working Group

Attendees

Atsushi Inaba, Ben Wilson, Bruce Morton, Corey Bonnell, Dimitris Zacharopoulos, Ian McMillan, Iñigo Barreira, Janet Hines, Joanna Fox, Roberto Quiñones, Sebastian Schulz, Tim Crawford, Tomas Gustavsson

Minutes

Bruce read the antitrust statement.

Meeting minutes from Sept 9th were approved.

Ballot status:

CSC-9 and CSC-10 both completed IPR and were published.

CSC-6:

Ian said to wait to discuss in favor of discussing CSC-11.

CSC-11:

Ian shared current redline on the list for the discussion period. Voting will start on the 24th.

Invalidity Date ballot:

There has been good discussion on the list. Ian confirmed that the current and previous versions of Windows ignore the Invalidity Date and instead use revocation date. One of the main open questions is how to handle the Invalidity Date extension and its value since it serves no purpose in the CRL. Rob suggested that we prohibit the extension from appearing, since it increases CRL size.

It was agreed that it is strange for the invalidity date value to be different from the revocation date value given Windows’s processing, so the requirement in the proposed ballot for them to be equal starting from the effective date will remain. Bruce and Ian indicated that the current proposal of February is too aggressive. The group agreed for a summer 2022 effective date.

On the point raised on the list for adding a “Application of RFC 5280” section, there was a concern that adding that section and defining the revocationDate semantics there would define the CRL profile specification in multiple separate locations, which may be confusing. The group agreed to add some language calling out the practice of backdating the revocationDate as violating the SHOULD NOT of RFC 5280 in the current CRL profile section and will potentially move this content to an “Application of RFC 5280” section as part of the 3647 reformat.

F2F Agenda:

– Have a brief WG status overview

– Reserve most of the time for signing service. Ian said there are a lot of inconsistencies and oddities in the CSBRs surrounding Signing Services that need to be addressed.

The meeting likely will be held on October 7th but may be cancelled if there are no agenda items.

There was no other business; meeting was adjourned.

Latest releases

Server Certificate Requirements
BRs/2.1.2 SC-080 V3: Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods - Dec 16, 2024

Ballot SC-080 V3: “Sunset the use of WHOIS to identify Domain Contact… (https://github.com/cabforum/servercert/pull/560) Ballot SC-080 V3: “Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods” (https://github.com/cabforum/servercert/pull/555)

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.8 - Ballot SMC010 - Dec 23, 2024

This ballot adopts Multi-Perspective Issuance Corroboration (MPIC) for CAs when conducting Email Domain Control Validation (DCV) and Certification Authority Authorization (CAA) checks for S/MIME Certificates. The Ballot adopts the MPIC implementation consistent with the TLS Baseline Requirements. Acknowledging that some S/MIME CAs with no TLS operations may require additional time to deploy MPIC, the Ballot has a Compliance Date of May 15, 2025. Following that date the implementation timeline described in TLS BR section 3.2.2.9 applies. This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Ashish Dhiman (GlobalSign) and Nicolas Lidzborski (Google).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35