CA/Browser Forum
Home » All CA/Browser Forum Posts » 2024-04-04 Minutes of the Code Signing Certificate Working Group

2024-04-04 Minutes of the Code Signing Certificate Working Group

Agenda

  1. Roll Call
  2. Antitrust reminder
  3. Approve prior meeting minutes – F2F (awaiting draft from Andrea), March 21st (Brianca)
  4. Ballot status: Marking the EV CS guidelines obsolete (CSC-23). Do we need an IPR review?
  5. Proposed ballots: Remove EV Guideline References
  6. Proposed ballot for Time-stamp Requirements update; CSC-24
  7. Continued discussion on Application for Associate Member status from Keyfactor
  8. Interested Party application from Wangmo Tenzing (as an individual)
  9. Other business
  10. Next meeting – April 18th
  11. Adjourn

Attendees

Brian Winters (Identrust), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Marco Schambach - (IdenTrust), Mohit Kumar (GlobalSign), Nome Huang - (TrustAsia), Rollin Yu - (TrustAsia), Scott Rea (eMudhra), Tim Crawford - (CPA Canada/WebTrust), Trevoli Ponds-White - (Amazon)

Minutes

Dean read the note well.

Meeting minutes for F2F-New Delhi (Andrea Holland) yet to be posted. Meeting minutes for March 21, 2024 Meeting (Brianca Martin) yet to be posted.

Ballot CSC-23 Marking the EV Code Signing Guidelines SUPERCEDED

(Dean) This ballot passed, but the question has arisen whether there is need for an IPR review since all we are doing is marking these obsolete? (Bruce) there is nothing to present to lawyers, so what is there to review? Consensus on call is that IPR Review is not necessary in this case as agreed in WG call.

Removing EVG references in CSBRs

No recent update or status from Dimitris for removing references to EVGs. Since Dimitris is not on current call, this will be deferred to next meeting.

Ballot CSC-24 Timestamping Private Key Protection

Ballot was posted for discussion on 2 Apr 2024. Bruce raised concern that potential re-word was required because of NOT catering to Online CAs already in use. Mohit asked for clarification as to whether this only applied to future NEW CAs or whether it anticipated existing CAs to also be covered by the guideline. It is expected that some amendments will be applied to address the above, and a restart to the discussion period will apply.

Individual Joiner Request

Wangmo Tenzing from Lawrence Livermore National Lab originally sent IPR Agreement representing the Lab but clarified that this was rather meant to be an individual Interested Party and not as the Lab’s representative. IPRA was withdrawn, and request resubmitted as an individual Interested Party. No objections from WG to accept Wangmo as individual Interested Party.

Associate Member Application

Follow on from previous meeting (and F2F meeting) where discussion was held regarding Key Factor’s application to become an Associated Member. No objections from WG to accept Key Factor as Associate Members.

Other Business: EV vs OV for Code Signing

Request Microsoft to clarify their treatment of OV vs EV CS certs and where there is differentiation. (Ian) The only place of differentiation is on-boarding for the Hardware Developer Centre Partner Program, which makes a requirement for EV. There are no other current differentiation anywhere. Question from Bruce on how this is validated? (Ian) We are not looking at the OID in the cert, we are more looking at the issuing CA, since its only on application to the program. Microsoft is currently reviewing with the Hardware Developer Centre folks to work out how this will be dealt with in future. Clarification requested from Bruce on whether its the case that EV no longer helps with Reputation? (Ian) It is not the signer’s reputation that is paramount rather than the credentials they are using. Clarification from Bruce as to whether Microsoft values SubjectInfo in EV certs? (Ian) There is not a focus to put any value on EV-specific fields. Clarification from Mohit as to whether that implies a move to OV in future? (Ian) Microsoft is evaluating the bar between OV and EV and looking to strike a balance between EV rigor and the effort for organizations around the world to get it. We are trying to make it as simple as possible for the ecosystem. So we are evaluating if an EV uplift is worth the value… Suggestion from Bruce: take current BRs, and remove all EV related content and see if it makes sense or whether the extra EV stuff is actually still needed? (Ian) The biggest challenge is how to provide clear communications to developers about which certificate is required. (Bruce) Perhaps the better approach is to decide where to go with this, and then just work towards that. Some discussion ensued about current validation of Organizations across all the CABF working groups, and Bruce pointed out we already have 3 ways today, and surely there was little value introducing a 4th specific to CS. To have further discussion at the next F2F.

Meeting adjourned. Next meeting April 18th.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).