2023-12-14 Minutes of the Code Signing Certificate Working Group
Attendees
Andrea Holland (VikingCloud), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Richard Kisley (IBM), Roberto Quionones (Intel), Rollin Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Tim Hollebeek (DigiCert)
Minutes
Bruce read the Note Well.
Minutes of the November 30th meeting were not approved as they were just sent out.
Signing Service Ballot
Bruce mentioned that Ian wanted to reduce the audit requirements for non-CA signing services. One idea is to use CCM criteria. One challenge is a lack of familiarity with the CCM framework and with how to map its criteria to the specific requirements for HSMs.
Tim Crawford mentioned that the netsec-wg wants to use the STAR Alliance requirements but is currently working through licensing issues.
Bruce has a proposal to move the ballot forward. He would like to retain the current requirements for audit and address lesser audits in a future ballot. Tim agreed that this is a good approach, as defining audit requirements for non-CA Signing Services will be much more complex. Ian also agreed with this approach.
Bruce proposed that he will bring the Signing Services ballot forward for formal discussion and voting early next calendar year. There was agreement on this approach.
High Risk Ballot
Bruce said the text is complete and there are two endorsers. Bruce asked if there’s any objection to running two ballots concurrently. Martijn, Tim, and Ian agreed that’s fine as long as there’s no overlap.
Corey raised a concern about potential complexity with immutable links if multiple ballots are in flight. He will investigate if this is an actual issue.
Charter Update
Martijn said the ballot is ready but didn’t want to kick off the voting period during the holidays. He will look to start voting in early January.
Any other business
The December 28th meeting is cancelled. The next meeting will be January 11th.
Richard from IBM suggested that HSMs for code signing be certified under PCI-HSM in addition to CC and FIPS. Tim said that in theory that should be fine, but further investigation is needed.
Meeting adjourned.