CA/Browser Forum

2022-04-07 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (SecureTrust), Atsushi Inaba (GlobalSign), Bruce Morton (Entrust), Corey Bonell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Joanna Fox (TrustCor), Mohit Kumar (GlobalSign), Tim Crawford (CPA Canada/WebTrust)

Minute-taker: Tim Crawford

Minutes

Antitrust Statement: Read by Dean

Minutes for the March 24th meetings were approved.

Interested party application from Insta Oy

No comment was offered, and the application was accepted.

Updates on Ballot CSC-13 – Private Key Protection

Bruce mentioned that the ballot received eight (8) votes and is deemed to have passed. A question was raised on the need for 15 votes to have quorum. The chair will respond to that question and the group does not believe there is an issue with the number of votes. The ballot is ready for IPR review and set to be effective November 15th. The second question was on the need to circulate a Word version of the ballot. Bruce will send that. Bruce will also check the bylaws on the requirement to circulate particular formats of the ballot.

RFC3647 Ballot

The question was raised whether ballot CSC-13 can be incorporated into the version of the requirements in RFC 3647 format. There was discussion of an extended discussion period for re-formatting the ballot to include CSC-13, post IPR. This ballot is not intended to make any changes to the requirements, only to reformat the document. There have been a number of reviewers thus far and good feedback has been provided. Reviewers include Dimitris Zacharopoulos and Joanna Fox.

Other Business

The question was raised of which areas future ballots will address. The three areas for future consideration mentioned by Bruce Morton and Ian McMillan were signing services, time stamping, and high risk application processing. Ian was asked how he would prioritize these topics and he indicated:

  1. Timestamping
  2. Signing services
  3. High risk applicants (would like to update by November 15th deadline for ballot CSC-13)

Bruce indicated the best way to get future issues to a ballot would be to put forth a proposal.

The face-to-face in Warsaw is still scheduled to be in person. Other events are going on in this area without issue.

Adjourned.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).