CA/Browser Forum
Home » All CA/Browser Forum Posts » 2024-05-02 Minutes of the Code Signing Certificate Working Group

2024-05-02 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Brian Winters (IdenTrust), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Janet Hines (VikingCloud), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rebecca Kelley (SSL.com), Richard Kisley (IBM), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tim Hollebeek (DigiCert), Wangmo Tenzing (Wangmo Tenzing)

Minute-taker: Brian Winters

Minutes

AntiTrust Reminder read by Dean Coclin.

Face-to-face meeting minutes approved.

April 18th Minutes approved.

EVCS Guidelines ballot CSC-23:

Bruce Morton indicated possible new requirement raised by Martijn. Martijn requested input by Dimitris, not on the call yet. Cory stated that the language sometimes indicates EV Code Signing certificate and in other places uses the term certificates. Bruce asked what is the new requirement? Cory indicated the Subject Org ID requirement. We are introducing new language about what the Org ID may contain. Bruce suggested a new ballot regarding the Org ID changes. Agreed upon by Ian, and Andrea Holland. Dean mentioned having seen an open pull request to remove the Org ID changes. Pull request has comments by Dimitris and Corey Bonnell. Corey stated that Dimitris is the main driver on this ballot.

Dimitris joined late and commented on new requirement as done on purpose, to be effective sometime after September to be consistent with new EV guidelines. Bruce commented Org Id might be better to add later after adapting to new MS EV Guidelines. Dimitris stated he is ok with removing it now and adding it later. But thinks it could also be added now as optional. Cory expressed some customers might be already using Org Id and may have incompatibilities with new Org Id standards. Dimitris stated the September effective date allows time for those customers to adapt. Andrea asked Dimitris if it’s acceptable to create a separate ballot for the Org Id field. Tim commented achieving parity with TLS working group might be just updating requirements for sake of updating requirements. We should really solve the problem. We should find the best way to identify the globally unique publisher signing code. Most relying party software doesn’t utilize Org Id field. Tim urged separating this into a new ballot. Dimitris eventually agreed.

Bruce asked Dimitris about the Due Diligence requirement. Martijn commented about portions of it being in scope. Expressed concern about the term Nullified in the language.

Timestamping Ballot CSC-24

Martijn raised topic about language to prevent CAs from issuing Timestamp certificates from already issued SubCAs in an online state. Language was introduced on April 22nd, yet no comments produced. Planned to effect certificates issued on or after April 15, 2025.

Face-to-Face meeting planning

Dean Coclin asked for suggestions for items to discuss.

  • Ian suggested the topic “maximum certificate validity periods for CS certificates”. Impact of reducing max validity from 39 to 15 or 24 months duration. What is the sweat spot for max validity periods.
  • Bruce wants to discuss Microsoft’s planned changes to EV CS certificates. Ian agreed this is an important topic. Tentative plan is one certificate type, albeit Individual validated and Organization validated. Dean pointed out another notable example of Microsoft EV CS use hardware related scenario.
  • Corey raised issue regarding Microsoft’s Trusted Signing Service introduces custom EKU into CS certificates to uniquely identify the publisher (face-to-face or future meeting). Potential breakage for publisher. Per publisher EKU is potential solution to prevent breakage. Ian discussed Windows Security Center involvement on this issue. Only 1st party CAs for integrity checks.
  • Martijn, CT for code signing time allowing.

Other business

Next Meeting May 16th.

Following will be the Face-to-face meeting in Italy.

Topic for next meeting

  • PCI-HSM Acceptance for CA HSM evaluations (Richard Kisley).
Latest releases
Server Certificate Requirements
BRs/2.1.2 SC-080 V3: Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods - Dec 16, 2024

Ballot SC-080 V3: “Sunset the use of WHOIS to identify Domain Contact… (https://github.com/cabforum/servercert/pull/560) Ballot SC-080 V3: “Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods” (https://github.com/cabforum/servercert/pull/555)

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.8 - Ballot SMC010 - Dec 23, 2024

This ballot adopts Multi-Perspective Issuance Corroboration (MPIC) for CAs when conducting Email Domain Control Validation (DCV) and Certification Authority Authorization (CAA) checks for S/MIME Certificates. The Ballot adopts the MPIC implementation consistent with the TLS Baseline Requirements. Acknowledging that some S/MIME CAs with no TLS operations may require additional time to deploy MPIC, the Ballot has a Compliance Date of May 15, 2025. Following that date the implementation timeline described in TLS BR section 3.2.2.9 applies. This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Ashish Dhiman (GlobalSign) and Nicolas Lidzborski (Google).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).