CA/Browser Forum

Minutes of the F2F 59 Meeting in Redmond, WA, USA, 6-8 June 2023 – CSCWG (6 June)

Attendees

Attendance: IN THE ROOM (FROM SIGN UP SHEET) Ben Wilson (Mozilla), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Karina Sirota Goodley (Microsoft), Tahmina Ahmad (Microsoft), Hannah Sokol (Microsoft), Nitesh Bakliwal (Microsoft), Brianca Martin (Amazon), Trevoli Ponds-White (Amazon), Jonathan Kozolchyk (Amazon), Blake Hess (Amazon), Aaron Poulsen (Amazon), Michael Slaughter (Amazon), Tim Crawford (WebTrust), Inigo Barreira (Sectigo), Yoshiro Yoneya (JPRS), Martijn Katerbarg (Sectigo), Nick France (Sectigo), Tim Callan (Sectigo), Roberto Quinones (Intel), Ben Dewberry (Keyfactor), Sven Rajala (Keyfactor), Leo Grove (SSL.com), Stephen Davidson (DigiCert), Jeremy Rowley (DigiCert), Scott Olsen (Microsoft), Linda Diefendorf (Microsoft), Steve Lasker (Microsoft), Yamian Quinero (Microsoft), Thomas Zermeno (SSL.com), Georgy Sebastian (Amazon), Meha Sharma (Microsoft), Rakia Segeu (Microsoft), Dawn Wang (Microsoft), Eva van Steenberge (Globalsign), Christophe Bonjean (Globalsign), Romain Delval (Certigna), Josselin Allemandou (Certigna), Xiu Lei (GDCA), Xizo Qiang (GDCA), Corey Bonnell (DigiCert), Vikas Khanna (Microsoft), An Yin (iTrus China), Vijay Kumar (eMudhra), Pankaj Chawla (eMudhra), Scott Rea (eMudhra), Paul van Brouwershaven (Entrust), Bruce Morton (Entrust), Arno Fiedler (ETSI ESI), Dimitris Zacharopoulos (HARICA)

NEED TO ADD ONLINE ATTENDEES

Minutes

Presentation by: Bruce Morton (Entrust)

Minutes: Brianca Martin/Roberto Quinones

  • The Antitrust statement was read
  • Minutes from May 18th approved
  • Ballot CSC-18: Malware based revocation – Passed
      • IPR through 23 June 2023, Effective 15 April 2025
  • Ballot: Remove SSL BR References
      • Dimitris Zacharopoulos (HARICA) + Martijn Katerbarg working on the references, ready to be sent out
      • Will wait until IPR for CSC-18 is complete to import
      • Will start discussion period, add comments to GitHub
      • Bruce Morton (Entrust) added as an endorser
  • Ballot: Signing Service
      • Plan to address after 2 items above have passed
  • Presentation: Microsoft’s Secure Supply Chain by Kristina Yasuda and Roy Williams
  • ITU-T X.509 version in CSBR (Dimitris)
      • Item skipped (late for Dimitris, was not online)
  • Time-stamping change proposal (Ian)
      • Confirmed no change to private key reuse period of 15 months and Timestamp certificate validity period of 135 months
      • Private key must be destroyed after 18 months, unless the Timestamp certificate validity period was 15 months or less
      • TSA CA will be indicated as offline
      • TSA to reject SHA-1 hashed timestamp requests
      • Ian will draft up proposal to align expiration periods for TSA key and certificate
  • High Risk language change proposal (Bruce/Tim/Ian)
      • Remove language that has never been used, and now with keys moved into hardware, some of the language is no longer needed
      • There was intent to also define list of countries that certs would not be issued to, but this section was also not used.
  • EV certificates removal or merging EV/OV into one policy (Ian/Bruce)
      • Ian – normal OV cert works just fine, no different than EV cert. No difference in SmartScreen or Defender
      • Nick – Microsoft documentation states that there was a difference between EV and OV.
      • Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates
      • Can we move OV to EV
  • Other Items?
      • Microsoft has been working on detection of malicious use of code signing certificates.
      • Some CAs may have already received a call as a result of this analysis
  • Next meeting – 15 June or cancel?
      • Next scheduled meeting is for Jun 15th but updates may not be ready
      • Confirm with Dimitris if OK to review on 15th or push to Jun 29th
  • Meeting adjourned @ 15:43

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).