Home » All CA/Browser Forum Posts » 2023-01-26 Minutes of the Code Signing Certificate Working Group

2023-01-26 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert), Trevoli (Amazon Trust Services)

Minutes

Antitrust statement read
Approval of minutes: Minutes for 12 January 2023 approved
Ballot: Malware base revocation (Martijn)

Some discussion and need to get feedback into Github before the end of the week.
Bruce stated he would endorse after review. Ian is the other endorser.

Ballot: Signing Service Update (Bruce)

Bruce is having difficulty with Github to move the ballot forward. Martijn volunteered to help out.
Ben asked for the procedure to give feedback, which can be done in Github or the mailing list
Tim H would like to see the mailing list used more often
Dean will check status of Ben in the mailing list
Ben started a discussion about multi-factor for Signing Service. We need to come up with a way to discuss how this can be done.
Ian indicated that the proposed change allows for secure server-to-server communication, but does not provide details

Ballot: Remove SSL BR References (Dimitris)

Dimitris stated work has been done and has been reviewed with Martijn, now need to review with the group
Dean suggested we add to the F2F meeting, but we decided to review in the meeting
Dimitris added “Editor” notes for review
Dimitris has imported text from SSL BRs where no text is in the CSBRs
Inigo is concerned about conflicts between BRs, but Tim H advised that concerned CAs work in multiple working groups
Bruce suggested that it would be good if we had the “BR of BRs” to cover common items
There was discussion about updates to definitions and references
Decided not to import 4.2.1 from SSL BRs
There was a discussion about importing SubCA revocation and misalignment of paragraphs. It was suggested this could be fixed with the revocation ballot or another future ballot.
Decided to add in OCSP “3600 seconds” change with an effective date
For Suspension, decided to add “No stipulation” and address in a future ballot.

Other business

F2F we have 1.5 hours scheduled
Try to make a plan for the year at F2F

Next Meeting – 9 February 2023
Adjourn

Latest releases

Server Certificate Requirements
SC-081v3: Introduce Schedule of Reducing Validity and Data Reuse Periods - May 21, 2025

BR v2.1.5

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.9 - Ballot SMC011 - May 14, 2025

This ballot allows the option to use a European Unique Identifier (EUID) as a Registration Reference in the NTR Registration Scheme. The EUID uniquely identifies officially-registered organizations, Legal Entities, and branch offices within the European Union or the European Economic Area. The EUID is specified in chapter 9 of the Annex contained in the Implementing Regulation (EU) 2021/1042 which describes rules for the application of Directive (EU) 2017/1132 “relating to certain aspects of company law (codification)”. The ballot also includes several editorial corrections, (e.g., reordering of References and regrouping of information from Appendix A to Section 7.1.4.2.2 (d)). This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Adrian Mueller (SwissSign) and Adriano Santoni (Actalis).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35