Home » All CA/Browser Forum Posts » 2023-01-26 Minutes of the Code Signing Certificate Working Group

2023-01-26 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert), Trevoli (Amazon Trust Services)

Minutes

Antitrust statement read
Approval of minutes: Minutes for 12 January 2023 approved
Ballot: Malware base revocation (Martijn)

Some discussion and need to get feedback into Github before the end of the week.
Bruce stated he would endorse after review. Ian is the other endorser.

Ballot: Signing Service Update (Bruce)

Bruce is having difficulty with Github to move the ballot forward. Martijn volunteered to help out.
Ben asked for the procedure to give feedback, which can be done in Github or the mailing list
Tim H would like to see the mailing list used more often
Dean will check status of Ben in the mailing list
Ben started a discussion about multi-factor for Signing Service. We need to come up with a way to discuss how this can be done.
Ian indicated that the proposed change allows for secure server-to-server communication, but does not provide details

Ballot: Remove SSL BR References (Dimitris)

Dimitris stated work has been done and has been reviewed with Martijn, now need to review with the group
Dean suggested we add to the F2F meeting, but we decided to review in the meeting
Dimitris added “Editor” notes for review
Dimitris has imported text from SSL BRs where no text is in the CSBRs
Inigo is concerned about conflicts between BRs, but Tim H advised that concerned CAs work in multiple working groups
Bruce suggested that it would be good if we had the “BR of BRs” to cover common items
There was discussion about updates to definitions and references
Decided not to import 4.2.1 from SSL BRs
There was a discussion about importing SubCA revocation and misalignment of paragraphs. It was suggested this could be fixed with the revocation ballot or another future ballot.
Decided to add in OCSP “3600 seconds” change with an effective date
For Suspension, decided to add “No stipulation” and address in a future ballot.

Other business

F2F we have 1.5 hours scheduled
Try to make a plan for the year at F2F

Next Meeting – 9 February 2023
Adjourn

Latest releases

Server Certificate Requirements
SC099: Improve Recording of Validation Methods - May 19, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025