CA/Browser Forum
Home » All CA/Browser Forum Posts » 2023-12-14 Minutes of the Code Signing Certificate Working Group

2023-12-14 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (VikingCloud), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Richard Kisley (IBM), Roberto Quionones (Intel), Rollin Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Tim Hollebeek (DigiCert)

Minutes

Bruce read the note well.

Minutes of the November 30th meeting were not approved as they were just sent out.

Signing Service Ballot

Bruce mentioned that Ian wanted to reduce the audit requirements for non-CA signing services. One idea is to use CCM criteria. One challenge is a lack of familiarity with the CCM framework as well as how to map the criteria with the specific requirements for HSMs.

Tim Crawford mentioned that the netsec-wg wants to use the STAR Alliance requirements but are currently working through licensing issues.

Bruce has a proposal to move the ballot forward. He would like to retain the current requirements for audit and address lesser audits in a future ballot. Tim agreed that this is a good approach, as defining audit requirements for non-CA Signing Services will be much more complex. Ian also agreed with this approach.

Bruce proposed that he will bring the Signing Services ballot forward for formal discussion and voting early next calendar year. There was agreement on this approach.

High Risk Ballot

Bruce said the text is complete and there are two endorsers. Bruce asked if there’s any objection to running two ballots concurrently. Martijn, Tim, and Ian agreed that’s fine as long as there’s no overlap.

Corey raised a concern about potential complexity with immutable links if multiple ballots are in flight. He will investigate if this is an actual issue.

Charter Update

Martijn said the ballot is ready but didn’t want to kick off the voting period during the holidays. He will look to start voting in early January.

Any other business

The December 28th meeting is cancelled. The next meeting will be January 11th.

Richard from IBM suggested that HSMs for code signing be certified under PCI-HSM in addition to CC and FIPS. Tim said in theory that should be fine but need to investigate further.

Meeting adjourned.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).