CA/Browser Forum
Home » All CA/Browser Forum Posts » 2024-05-02 Minutes of the Code Signing Certificate Working Group

2024-05-02 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Brian Winters (IdenTrust), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Janet Hines (VikingCloud), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rebecca Kelley (SSL.com), Richard Kisley (IBM), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tim Hollebeek (DigiCert), Wangmo Tenzing (Wangmo Tenzing)

Minute-taker: Brian Winters

Minutes

AntiTrust Reminder read by Dean Coclin.

Face-to-face meeting minutes approved.

April 18th Minutes approved.

EVCS Guidelines ballot CSC-23:

Bruce Morton indicated possible new requirement raised by Martijn. Martijn requested input by Dimitris, not on the call yet. Cory stated that the language sometimes indicates EV Code Signing certificate and in other places uses the term certificates. Bruce asked what is the new requirement? Cory indicated the Subject Org ID requirement. We are introducing new language about what the Org ID may contain. Bruce suggested a new ballot regarding the Org ID changes. Agreed upon by Ian, and Andrea Holland. Dean mentioned having seen an open pull request to remove the Org ID changes. Pull request has comments by Dimitris and Corey Bonnell. Corey stated that Dimitris is the main driver on this ballot.

Dimitris joined late and commented on new requirement as done on purpose, to be effective sometime after September to be consistent with new EV guidelines. Bruce commented Org Id might be better to add later after adapting to new MS EV Guidelines. Dimitris stated he is ok with removing it now and adding it later. But thinks it could also be added now as optional. Cory expressed some customers might be already using Org Id and may have incompatibilities with new Org Id standards. Dimitris stated the September effective date allows time for those customers to adapt. Andrea asked Dimitris if it’s acceptable to create a separate ballot for the Org Id field. Tim commented achieving parity with TLS working group might be just updating requirements for sake of updating requirements. We should really solve the problem. We should find the best way to identify the globally unique publisher signing code. Most relying party software doesn’t utilize Org Id field. Tim urged separating this into a new ballot. Dimitris eventually agreed.

Bruce asked Dimitris about the Due Diligence requirement. Martijn commented about portions of it being in scope. Expressed concern about the term Nullified in the language.

Timestamping Ballot CSC-24

Martijn raised topic about language to prevent CAs from issuing Timestamp certificates from already issued SubCAs in an online state. Language was introduced on April 22nd, yet no comments produced. Planned to effect certificates issued on or after April 15, 2025.

Face-to-Face meeting planning

Dean Coclin asked for suggestions for items to discuss.

  • Ian suggested the topic “maximum certificate validity periods for CS certificates”. Impact of reducing max validity from 39 to 15 or 24 months duration. What is the sweat spot for max validity periods.
  • Bruce wants to discuss Microsoft’s planned changes to EV CS certificates. Ian agreed this is an important topic. Tentative plan is one certificate type, albeit Individual validated and Organization validated. Dean pointed out another notable example of Microsoft EV CS use hardware related scenario.
  • Corey raised issue regarding Microsoft’s Trusted Signing Service introduces custom EKU into CS certificates to uniquely identify the publisher (face-to-face or future meeting). Potential breakage for publisher. Per publisher EKU is potential solution to prevent breakage. Ian discussed Windows Security Center involvement on this issue. Only 1st party CAs for integrity checks.
  • Martijn, CT for code signing time allowing.

Other business

Next Meeting May 16th.

Following will be the Face-to-face meeting in Italy.

Topic for next meeting

  • PCI-HSM Acceptance for CA HSM evaluations (Richard Kisley).
Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).