CA/Browser Forum

2023-12-14 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (VikingCloud), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Richard Kisley (IBM), Roberto Quiñones (Intel), Rollin Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Tim Hollebeek (DigiCert)

Minutes

Bruce read the Note Well.

Minutes of the November 30th meeting were not approved as they were just sent out.

Signing Service Ballot

Bruce mentioned that Ian wanted to reduce the audit requirements for non-CA signing services. One idea is to use CCM criteria. One challenge is a lack of familiarity with the CCM framework, as well as how to map its criteria to the specific requirements for HSMs.

Tim Crawford mentioned that the netsec-wg wants to use the STAR Alliance requirements but is currently working through licensing issues.

Bruce has a proposal to move the ballot forward. He would like to retain the current requirements for audit and address lesser audits in a future ballot. Tim agreed that this is a good approach, as defining audit requirements for non-CA Signing Services will be much more complex. Ian also agreed with this approach.

Bruce proposed that he will bring the Signing Services ballot forward for formal discussion and voting early next calendar year. There was agreement on this approach.

High Risk Ballot

Bruce said the text is complete and there are two endorsers. Bruce asked if there’s any objection to running two ballots concurrently. Martijn, Tim, and Ian agreed that’s fine as long as there’s no overlap.

Corey raised a concern about potential complexity with immutable links if multiple ballots are in flight. He will investigate if this is an actual issue.

Charter Update

Martijn said the ballot is ready but didn’t want to kick off the voting period during the holidays. He will look to start voting in early January.

Any other business

The December 28th meeting is cancelled. The next meeting will be January 11th.

Richard from IBM suggested that HSMs for code signing be certifiable under PCI-HSM in addition to CC and FIPS. Tim said that in theory this should be fine but that it needs further investigation.

Meeting adjourned.
