CA/Browser Forum

2022-09-08 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland, Atsushi Inaba, Bruce Morton, Dean Coclin, Dimitris Zacharopoulos, Ian McMillan, Iñigo Barreira, Janet Hines, Joanna Fox, Martijn Katerbarg, Michael Sykes, Mohit Kumar, Roberto Quiñones, Tim Hollebeek, Tomas Gustavsson, Vijay eMudhra

Minutes

Dean read the anti-trust statement.

No objection to the minutes from Aug 25th; minutes approved. They will be sent to the public list.

Reminder on CSC-15: the IPR review ends on Sept 18th.

Malware Proposal from Martijn

Nothing new to discuss at this time.

Key Protection requirements deadline

  • Ian shared that there has been feedback/concerns that the deadline is approaching fast and not everyone is ready to adopt the new requirements.
  • The time between publication of the requirement and the deadline may have been too aggressive. Tim suggests standardizing on a general 1-year notice before enforcement.
  • In addition to the short deadline, market conditions and supply chain issues may be preventing some from adopting the new requirements.
  • This group has been aware of the topic for a long time, but even after the CSBRs are published, most developers do not read them.
  • Several points were made about the communication problem:
  • Some CAs have been actively reaching out to subscribers about the new requirements.
  • Moving the date does not resolve awareness.
  • Batching updates may help to communicate changes.
  • Moving the date implies it is not as critical as initially suggested.
  • It was suggested that we could keep the original date and use an exception process.
  • Exception processes have not worked well in the past.
  • They may be inconsistent, and public review creates more risk.
  • The goal should be to avoid an exception process.
  • Creating conditional rules for issuance under exceptions adds additional complexity for CAs in a short time. Better to just move out the date.
  • Ian will write a ballot draft and send it out on Sept 9th to get the discussion period moving and collect endorsers. Tim and Bruce offered to endorse.

Signing Service discussion

  • Bruce: Corey has published info in GitHub for anybody to review. It discusses separating the audit criteria for CA vs. signing service vs. timestamp authority. Looking for help to review it.

Timestamping

  • Ian: will work on a draft to require that the TSA CA issuing timestamp and entity certs be protected offline, and to reduce the validity period of those timestamp and entity certs to no more than 6 years.
  • It should cover the period for Java, which uses a new key yearly. We can send a message to Oracle on the intent to get their feedback.

Other business

Anyone who will attend Berlin should sign up now to allow for planning for the limited spots. Some guests or companies with multiple spots may be asked to limit attendance, since only 60 spots are available.

The next meeting will be September 22nd.

Meeting adjourned.
