CA/Browser Forum
Home » All CA/Browser Forum Posts » 2024-04-18 Minutes of the Code Signing Certificate Working Group

2024-04-18 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (VikingCloud), Ben Dewberry (Keyfactor), Brian Winters (IdenTrust), Bruce Morton (Entrust), Christophe Bonjean (GlobalSign), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Eva Vansteenberge (GlobalSign), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nome Huang (TrustAsia), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tim Crawford (CPA Canada/WebTrust), Wangmo Tenzing (Wangmo Tenzing)

Minute-taker: Corey Bonnell

Minutes

Bruce read the note well.

Bruce said he will call for approval of the F2F minutes at the next meeting.

Meeting minutes for the March 21st meeting were approved. Meeting minutes for the April 4th meeting were approved.

Obsolete EVCS guidelines

Dimitris said the ballot needs to be converted to PDF and circulated on the mailing list. Bruce said he will take care of that and Corey will publish on the website.

Remove EVG references

Dimitris asked for a review of this draft ballot. He said that a mapping document is available to assist in the review. Martijn and Corey offered to review the PR (https://github.com/cabforum/code-signing/pull/38).

Change to timestamp requirements

Martijn said Christophe provided several comments on the PR. Christophe raised a concern that re-issuance of a timestamping ICA would incur the requirement to move the CA private key to offline HSM. Bruce also raised a concern that long-lived timestamping CAs could be stored in online HSMs despite this ballot. Martijn said that we could create an effective date to require CAs to move to offline HSMs, but that may be complex.

Dimitris said that moving a key does not eliminate the risk, as it was previously stored in an online HSM. Additionally, keys could have been generated before the effective date in an online state prior to being certified in a certificate. Martijn said that if a key has been generated online, then it couldn’t be said that it was “maintained” in an offline state. Martijn said he can clarify this in the ballot.

Martijn said to resolve the concern about legacy online CAs being used in perpetuity, that we could propose a sunset date for issuing end-entity timestamping responder certificates to force a rotation to offline CA keys. Corey agreed with that approach.

Other business

Martijn said a ballot for modifying logging requirements in the TLS BRs. He’d like to align the CS BRs with this language. He will write a ballot to do this and will call for endorsers.

Martijn also mentioned that we could remove the EVCS JOI fields and replace with the orgId, as is done in the SMBRs, but said it might be too early for that change. Bruce said we should reconsider all subject fields in light of the deprecation of EV CS. Dimitris agreed and said that we need to incorporate Microsoft’s plans on the validation level of code signing certificates.

Next meeting is May 2nd. Meeting adjourned.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).