CA/Browser Forum

2023-05-18 Minutes of the Code Signing Certificate Working Group

Attendees

Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert)

Minutes

  • The Antitrust statement was read
  • Minutes from May 4th approved
  • Ballot: CSC 18 – Malware base revocation (Martijn)
    • In discussion period, voting period ending before meeting is over
    • Dean: tracker shows quorum met
  • Removing SSL BR References
    • Martijn: About half of the docs reviewed for missing definitions. Removed 2 definitions that are not used. A couple may need to be added; will need to discuss
  • Subject Name stability
    • Email from new interested party (Mike Hearn)
    • Ian: MSIX (Appx) does a hash calculation of the publisher's name value that is in the manifest and compares it to the full subject name value of the signing certificate
    • Was working fine when only used inside of store distribution. As it's been rolled out broadly to allow MSI packages into MSIX, they've run into this issue for companies that change their name or locale.
    • New packages would validate fine, but it presents an inability to update existing apps because it depends on Package Name alignment.
    • This is a Microsoft MSIX issue, not a broad certificate issuance problem.
    • Tim: This is an example of using [subject] name instead of a global identifier, and this has all the issues that are well known.
    • Bruce: Even a global identifier might change if a company changes its name, like with SSL and org ID
    • Ian: Apple and Google offer ways to uniquely identify orgs. If Microsoft offered something similar, it would not be something that Public CAs should have to do.
    • Ian will draft a response to this email
  • June F2F is June 6th afternoon.
    • Dean moves to cancel the call scheduled for Jun 1st. No objections
  • Agenda for F2F
    • Time: 1:45pm to 3:45pm (nothing scheduled after this, so could keep going)
    • Ian: no guest speaker for the code signing workgroup. Roy Williams is going to talk about Secure Supply Chain Integrity, Trust and Transparency.
    • Bruce: Spend some time reviewing the time stamping changes Ian is proposing. Discuss EV Certificates. Continue discussion on Certificate Transparency
    • Dean may not be able to attend in person; Bruce can facilitate
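The following Python script is an added illustration of the MSIX publisher-name coupling discussed under "Subject Name stability"; it is not part of the minutes and not Microsoft's code. It parses a constructed AppxManifest fragment, derives a publisher identifier from the Publisher string and builds the package family name from it, then shows that a certificate whose subject no longer matches the manifest fails the exact-match check and that a renamed publisher yields a different package family name, which is why an update of an existing install is rejected. The manifest, the publisher strings and the exact hashing scheme (SHA-256 over the UTF-16LE publisher string, first 8 bytes, base32 with a 32-character alphabet omitting i, l, o and u) are assumptions; the minutes only state that a hash of the publisher name is compared with the certificate subject.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample AppxManifest fragment (not taken from the minutes).
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Contoso.SampleApp" Version="1.0.0.0"
            Publisher="CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=Washington, C=US" />
</Package>
"""

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Assumed derivation of the publisher id: SHA-256 over the UTF-16LE publisher
# string, first 8 bytes, encoded with a 32-character alphabet without i, l, o, u.
# The minutes only say that a hash of the publisher name is computed.
PUBLISHER_ID_ALPHABET = "0123456789abcdefghjkmnpqrstvwxyz"


def manifest_publisher(manifest_xml: str) -> str:
    """Return the Identity/@Publisher string from an AppxManifest document."""
    identity = ET.fromstring(manifest_xml).find(f"{APPX_NS}Identity")
    if identity is None or "Publisher" not in identity.attrib:
        raise ValueError("manifest has no Identity/@Publisher")
    return identity.attrib["Publisher"]


def manifest_name(manifest_xml: str) -> str:
    """Return the Identity/@Name string from an AppxManifest document."""
    return ET.fromstring(manifest_xml).find(f"{APPX_NS}Identity").attrib["Name"]


def publisher_id(publisher: str) -> str:
    """Hash the publisher string into the 13-character id used in the family name."""
    digest = hashlib.sha256(publisher.encode("utf-16-le")).digest()[:8]
    value = int.from_bytes(digest, "big") << 1  # 64 bits -> 65 bits, one zero pad bit
    return "".join(
        PUBLISHER_ID_ALPHABET[(value >> (5 * (12 - i))) & 0x1F] for i in range(13)
    )


def package_family_name(manifest_xml: str) -> str:
    """Package family name = <Identity Name>_<publisher id>."""
    return f"{manifest_name(manifest_xml)}_{publisher_id(manifest_publisher(manifest_xml))}"


def publisher_matches_certificate(manifest_xml: str, cert_subject: str) -> bool:
    """Exact comparison of the manifest publisher with the signing cert's subject."""
    return manifest_publisher(manifest_xml) == cert_subject


def update_allowed(installed_manifest: str, update_manifest: str) -> bool:
    """An update is accepted only when the package family name is unchanged."""
    return package_family_name(installed_manifest) == package_family_name(update_manifest)


if __name__ == "__main__":
    old_subject = "CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=Washington, C=US"
    new_subject = "CN=Contoso Corporation, O=Contoso Corporation, L=Redmond, S=Washington, C=US"
    renamed = SAMPLE_MANIFEST.replace(old_subject, new_subject)
    print("installed PFN:", package_family_name(SAMPLE_MANIFEST))
    print("renamed PFN:  ", package_family_name(renamed))
    print("old cert matches old manifest:", publisher_matches_certificate(SAMPLE_MANIFEST, old_subject))
    print("new cert matches old manifest:", publisher_matches_certificate(SAMPLE_MANIFEST, new_subject))
    print("update from renamed publisher allowed:", update_allowed(SAMPLE_MANIFEST, renamed))
```

Because the family name is derived from the subject string rather than from a stable organisation identifier, any change to the subject (a rename, or even a different locality value) produces a new family name, which is the failure mode the minutes attribute to companies that change their name or locale.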
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).