CA/Browser Forum
2022-08-11 Minutes of the Code Signing Certificate Working Group

Attendees

Atsushi Inaba, Bruce Morton, Corey Bonnell, Dean Coclin, Ian McMillan, Lynn Jeun, Martijn Katerbarg, Michael Sykes, Tomas Gustavsson

Minutes

  • Anti-Trust Statement read by Dean
  • Prior meeting minutes from July 28, 2022 are approved without objection or comment.

CSC-15 Ballot Status

  • Voting period closed and Dean will be announcing the results.
  • Next steps to send out for IPR.

Signing Service Proposed Ballot Update

  • Bruce is waiting for the CSC-15 ballot to clear before proceeding.
  • Suggested changes need to be merged using Bruce’s Word markup to a GitHub PR.

Timestamping Updates

  • Ian is waiting to talk with Tim Hollebeek to incorporate his feedback on changes (Tim is back next week).
  • Looking at setting clear expectations on TSA CA protection requirements being offline and shortening the TSA entity certificate max validity period.

Malware Proposal from Martijn

  • Further discussion with Bruce led to changes in the removal of exceptions for not having to notify the subscriber when the Certificate Beneficiary reaches out on a key compromise scenario. This is invoked in both 4.9.1.1 and 4.9.1.3.
  • Martijn is waiting on feedback from Ian on the new updates before proceeding with the ballot proposal. In general Ian is feeling this is on the right track, but will follow up with detailed feedback.
  • Martijn will be posting the proposal to both the mailing list and on the GitHub.

Handling changes in the future (GitHub vs Mailing List + marked-up Word)

  • Do we hold the conversation on the PRs in GitHub or on the Mailing List?
  • There is no convention right now.
  • SCWG has a mix but no true stated norm.
  • Smaller or targeted comments and changes on specific lines are great in GitHub.
  • Handling on the list with multiple copies of the Word doc can be difficult to track/follow.
  • Larger or broader changes can be harder to view in their totality on GitHub.
  • No conclusion, discussion will continue.

Chair/Vice-Chair Elections Coming Up

  • Dean to put out an announcement in the next week or 2 weeks (must be before August 30, 2022).
  • Vice-Chair election will be first, followed by the Chair.
  • Chairs and Vice-Chairs have the option to re-run for another term.
  • Any Vice-Chair candidates need to get a nomination from a WG member in to the Chair.
  • Bruce is willing to continue as Vice-Chair (nomination for Bruce).
  • Elections ballots are submitted to either the WebTrust (Don S or Jeff W) or ETSI (Arnaud) representative members.
  • ETSI and WebTrust members compile the votes and provide only the results without sharing a detailed breakdown of who voted for whom.
  • Only one vote per organization (not per individual participant).

Next meeting on August 25, 2022

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).