CA/Browser Forum

2024-08-22 Minutes of the Code Signing Certificate Working Group

Attendees

Brianca Martin (Amazon), Brian Winters (IdenTrust), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Rebecca Kelly (SSL.com), Roberto Quionones (Intel), Rollin Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Trevoli Ponds-White (Amazon), Yateesh Bhardwaj (GlobalSign).

Minutes

Read note-well

Bruce read the note-well.

Review of Agenda

No changes to the agenda.

Approval of previous meetings

  • The June 27 meeting minutes were approved.
  • The August 8 meeting minutes were approved.

Max validity of CS certs

  • Ian plans to build a ballot for reducing the validity of certificates. Ian asked whether to use days or months. Bruce replied that when linting is involved, it’s better to be more accurate and express time in days.
  • Marco asked for the proposed dates.
  • Ian replied that the end-entity certificates’ validity is moving to 15 months (~465 days).

Simplifying EV

Tim H. was not on the call. Microsoft wants to stop using two types of certificates for code signing. The goal was to bring both types of certificates together so that ultimately there would be one type of code signing certificate.

Ian said it’s not a pressing matter at the moment. There is no agreement or plan about a date. In early September there will be a better timeline to share with the group. He confirmed that the goal is to “fuse” the two types of certificates and produce one secure code signing certificate type to be consumed by certificate consumers.

Bruce raised some questions about where to draw the line. He proposed taking the latest version of the CSBRs, marking it up for discussion, and simplifying the EV. The proposal would be to walk through the document, probably at the next F2F.

Dimitris proposed that a Member (or more) could take a stab at “fusing” the two types of certificates and produce a draft that could be discussed at the F2F. This sounds like it would be more productive.

Ian proposed to schedule some meeting sessions with Bruce to prepare this work.

Fall elections

Martijn is currently the only candidate for Code Signing WG Chair.

Any Other business

There are new mailing lists for the code signing management and public lists. Please use the new email addresses.

Next call

The next call is scheduled for September 5th.

Meeting adjourned.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).