CA/Browser Forum
Home » All CA/Browser Forum Posts » 2023-09-07 Minutes of the Code Signing Certificate Working Group

2023-09-07 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland – VikingCloud, Atsushi Inaba – GlobalSign, Brianca Martin – Amazon, Bruce Morton – Entrust, Corey Bonnell – DigiCert, Dimitris Zacharopoulos – Harica, Ian McMillan Microsoft, Inigo Barreira – Sectigo, Keshava N – eMudhra, Martijn Katerbarg – Sectigo, Mohit Kumar – GlobalSign, Scott Rea – eMudhra

Minutes

Discussion Points

Prior minutes approval – 24-Aug-2023 minutes approved with no objection

Ballot Status

Ballot 19 is completed and effective 5-Sep-23 and new Code Signing BR version is published with updates from this ballot.

Signing Service Ballot – Updated draft based on previous ballots. Includes lot of cleanups, simplifying the language and not change any scope. The objective was to clear that Signing service is not supposed to do validation. Validation is expected from Certificate Authority and Signing service is expected to protect private keys on behalf of subscriber

Summary of Major updates for Signing Service:

  • Made clear signing service is not delegated third party. It is not an obligation for CA or CA doesn’t have to do it or delegate. It is optional for CA.
  • Change in definition of Signing service to include generation of key pair and its management as main job for signing service
  • Added section to ensure that Signing service don’t transfer keys to subscriber
  • Changed reference to Signing Key as Private Key where applicable
  • Improved content to avoid the interpretation that Signing service must do malware scans for all codes being signed
  • Broke the audit requirements between CA, Signing service and Timestamping

High Risk ballot – To be postponed for now and to be taken up later.

Discussion on need for charter update for TSA certificates

Dimitris brought to group attention that it was agreed at forum level that Codesigning Working group can work on requirements for TSA related to Code Signing and is in scope.

Martjin suggested that unless we have technical controls to figure out which Timestamp certificates or authority is being used for Codesigning vs not used for codesigning, it is difficult to differentiate.

It was highlighted that we have policy OIDs for Timestamp certificates to be used for Codesigning. There was discussion if these are mandatory and if its stated explicitly. It was called out that if policy OID is not being used in Timestamping certificate, it technically still works for codesigning.

But there is still difference in opinions if timestamping requirements are in scope or need the charter update, since it is not clear.

Action item was decided to review and update charter and consider timestamp certificates/TSA requirements for Codesigning

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).