CA/Browser Forum
Home » All CA/Browser Forum Posts » 2022-09-22 Minutes of the Code Signing Certificate Working Group

2022-09-22 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland, Atsushi Inaba, Bruce Morton, Corey Bonnell, Dean Coclin, Ian McMillan, Joanna Fox, Martijn Katerbarg, Michael Sykes, Roberto Quiñones, Tim Crawford, Tim Hollebeek

Minutes

Dean read the anti-trust statement

No objection to minutes from Aug 8, minutes approved. Will be sent to public list

Information that the IPR review on CSC-15 ended and the ballot has been approved. The website has been updated.

CSC-17, subscriber private key protection, is in voting period that closes September 23rd.

Malware proposal

Martijn Katerbarg is finishing the text and will send out the latest changes. Bruce Morton and Ian McMillan plan to endorse after review.

Special election ballot

There is a chair ratification ballot, it’s a ratification ballot, either you ratify or not.

Vice chair nomination

Bruce Morton is nominated so far. Other nominations should be submitted to the list before October 3.

Signing service discussion

There was a discussion what a signing service should provide, being complications between subscribers and signing service requirements. It was discussed that a signing service should not only be a key protection service without any other security mechanisms, that could sign anything if breached, regardless if a HSM is used locally or a cloud HSM is used.

Bruce suggested to wait for Ian’s ballot (CSC-17) to go through, then discuss the signing service in more detail. Tim suggested that it was a good topic to discuss during the next F2F, to start defining which security services are required. Bruce suggested to create a model for the subscriber signing protection that enforces the same security level regardless of how the signing is done. It was agreed to discuss further at F2F.

Timestamping

Ian is holding off on that for the moment to not distract from the malware proposal and the signing service discussion.

Other business

The F2F coming up in one month. If there are topics someone want to add to the list to discuss, send them to Bruce.

Joanna noticed that some numbering is confusing and looks off in section 6.2.7.4.1 in Ian’s ballot. Ian thinks the numbering is intentional, but will go back and look at it.

Dean suggested to cancel the meeting the 20th of October due to the F2F the following week. This will be discussed on the next meeting.

Meeting was closed

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).