2023-11-02 Minutes of the Code Signing Certificate Working Group

Attendees

  • Dean Coclin – DigiCert

  • Atsushi Inaba – GlobalSign

  • Ben Dewberry – Keyfactor

  • Bianca Martin – Amazon

  • Bruce Morton – Entrust

  • Eva Vansteenberge – GlobalSign

  • Inigo Barreira – Sectigo

  • Janet Hines – VikingCloud

  • Richard Kisley – IBM

  • Scott Rea – eMudhra

  • Robert Quinones – Intel

  • Tim Crawford – CPA Canada/WebTrust

  • Mohit Kumar – GlobalSign

Minutes

  • Assign minute taker (start recording)
      • Bianca Martin

  • Roll call
      • Completed by Dean

  • Antitrust Compliance Statement
      • Completed by Dean

  • Approval of prior meeting minutes
      • October 19th – Minutes approved
      • F2F Meeting on October 5th – 1st and 2nd half – Minutes approved

  • Ballot CSC-21 Signing Service
      • Currently in the discussion period; changes have been made to the ballot. Questions were raised about auditing the signing service, along with a request to simplify this further.
      • One party re-endorsed, the second party did not.
      • Question: How long can the discussion period for a ballot continue? The minimum is 7 days; there is no maximum.
      • Example provided of a reseller that also operates an HSM and provides keys to its customers. By definition, the reseller would be considered a signing service and the audit requirements would apply.
      • Question: How would a CA know if the person they are selling a certificate to also offers a signing service, and is this tracked? They may not know. The CA verifies that keys are in an HSM; it does not know who is operating the hardware. If a CA ran a signing service and had it audited, the audit could be bundled in with its existing WebTrust for Code Signing audit report and uploaded to the CCADB, where Microsoft gets to see it.
      • Question: How would audit requirements be enforced, what would be done with the results, and who would they go to? The CA will post the audit and share it with their auditor.
      • Comment made that there is leverage on the CA to make sure they are getting it right, but no mechanism to enforce it.
      • Discussion postponed for 2 weeks. Ballot will remain in the discussion period.

  • Ballot CSC-20 Restore Version Reference to EV Guidelines
      • Notice for review period sent on 10/30.
      • Ballot will be in IPR review for the next 30 days.

  • Proposed Ballot High Risk
      • Ballot is drafted, no updates. Postponed until CSC-21 is completed.

  • Proposed ballot Remove EV Guideline References
      • No update.

  • Proposed ballot CSCWG Charter Update
      • No update.
      • Question: Is this a CA/B Forum level ballot or a CSCWG ballot? In the Server Certificate Working Group the ballot is at the working group level; they are not changing their scope, only the rules around voting, etc.
      • Comment that it seems odd that a working group can change its charter when the charter was voted on by the working group.
      • Will bring this up in the next CA/B Forum call and have a discussion with governance experts.

  • Other business
      • Email to the questions group from an organization in Hamburg, Germany.
      • Question about the Baseline Requirements, version 3.4, section 1.6.1, "Verifying Person". Can this organization (they perform tasks like a notary; they are not a CA) legitimize their own employees to acquire code signing certificates based on their own authority? Confirmation requested by November 16th.
      • The CA does the verification, and it is up to each CA to establish a procedure that their auditor is happy with.
      • This appears to be what the requirements allow, but it is up to each CA to verify, make this determination, and decide whether they will allow this method.

  • Next meeting – 16 November
