2024-04-04 Minutes of the Code Signing Certificate Working Group
Agenda
- Roll Call
- Antitrust reminder
- Approve prior meeting minutes – F2F (awaiting draft from Andrea), March 21st (Brianca)
- Ballot status: Marking the EV CS guidelines obsolete (CSC-23). Do we need an IPR review?
- Proposed ballots: Remove EV Guideline References
- Proposed ballot for Time-stamp Requirements update; CSC-24
- Continued discussion on Application for Associate Member status from Keyfactor
- Interested Party application from Wangmo Tenzing (as an individual)
- Other business
- Next meeting – April 18th
- Adjourn
Attendees
Brian Winters (Identrust), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Marco Schambach - (IdenTrust), Mohit Kumar (GlobalSign), Nome Huang - (TrustAsia), Rollin Yu - (TrustAsia), Scott Rea (eMudhra), Tim Crawford - (CPA Canada/WebTrust), Trevoli Ponds-White - (Amazon)
Minutes
Dean read the note well.
Meeting minutes for F2F-New Delhi (Andrea Holland) yet to be posted. Meeting minutes for March 21, 2024 Meeting (Brianca Martin) yet to be posted.
Ballot CSC-23 Marking the EV Code Signing Guidelines SUPERCEDED
(Dean) This ballot passed, but the question has arisen whether there is need for an IPR review since all we are doing is marking these obsolete? (Bruce) there is nothing to present to lawyers, so what is there to review? Consensus on call is that IPR Review is not necessary in this case as agreed in WG call.
Removing EVG references in CSBRs
No recent update or status from Dimitris for removing references to EVGs. Since Dimitris is not on current call, this will be deferred to next meeting.
Ballot CSC-24 Timestamping Private Key Protection
Ballot was posted for discussion on 2 Apr 2024. Bruce raised concern that potential re-word was required because of NOT catering to Online CAs already in use. Mohit asked for clarification as to whether this only applied to future NEW CAs or whether it anticipated existing CAs to also be covered by the guideline. It is expected that some amendments will be applied to address the above, and a restart to the discussion period will apply.
Individual Joiner Request
Wangmo Tenzing from Lawrence Livermore National Lab originally sent IPR Agreement representing the Lab but clarified that this was rather meant to be an individual Interested Party and not as the Lab’s representative. IPRA was withdrawn, and request resubmitted as an individual Interested Party. No objections from WG to accept Wangmo as individual Interested Party.
Associate Member Application
Follow on from previous meeting (and F2F meeting) where discussion was held regarding Key Factor’s application to become an Associated Member. No objections from WG to accept Key Factor as Associate Members.
Other Business: EV vs OV for Code Signing
Request Microsoft to clarify their treatment of OV vs EV CS certs and where there is differentiation. (Ian) The only place of differentiation is on-boarding for the Hardware Developer Centre Partner Program, which makes a requirement for EV. There are no other current differentiation anywhere. Question from Bruce on how this is validated? (Ian) We are not looking at the OID in the cert, we are more looking at the issuing CA, since its only on application to the program. Microsoft is currently reviewing with the Hardware Developer Centre folks to work out how this will be dealt with in future. Clarification requested from Bruce on whether its the case that EV no longer helps with Reputation? (Ian) It is not the signer’s reputation that is paramount rather than the credentials they are using. Clarification from Bruce as to whether Microsoft values SubjectInfo in EV certs? (Ian) There is not a focus to put any value on EV-specific fields. Clarification from Mohit as to whether that implies a move to OV in future? (Ian) Microsoft is evaluating the bar between OV and EV and looking to strike a balance between EV rigor and the effort for organizations around the world to get it. We are trying to make it as simple as possible for the ecosystem. So we are evaluating if an EV uplift is worth the value… Suggestion from Bruce: take current BRs, and remove all EV related content and see if it makes sense or whether the extra EV stuff is actually still needed? (Ian) The biggest challenge is how to provide clear communications to developers about which certificate is required. (Bruce) Perhaps the better approach is to decide where to go with this, and then just work towards that. Some discussion ensued about current validation of Organizations across all the CABF working groups, and Bruce pointed out we already have 3 ways today, and surely there was little value introducing a 4th specific to CS. To have further discussion at the next F2F.
Meeting adjourned. Next meeting April 18th.