CA/Browser Forum

2024-09-22 Minutes of the Code Signing Certificate Working Group

Attendees

Bruce Morton (Entrust), Corey Bonnell (DigiCert), Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Brian Winters (IdenTrust), Ian McMillan (Microsoft), Marco Schambach (IdenTrust), Scott Rea (eMudra), Tim Crawford (BDO), Tim Hollebeek (DigiCert), Nate Santiago (Microsoft), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Brianca Martin (Amazon)

Minutes

Antitrust reminder – Read

Approve prior meeting minutes – Sept 5th (Brianca) – Approved

Max validity of CS certs (Ian) – proposal

  • Ian McMillan to send out within 2-3 weeks the proposed language change and justification for maximum validity of code signing certificates
  • Need at least two endorsers
  • Nate Santiago to start participating in discussions and potentially replace Ian McMillan in future conversations

Fall elections: Vice Chair nomination

  • Have new Chair (Martijn)
  • Nominations for a vice chair in the code signing working group will be discussed in the forum
  • Tim: If no one responds within the CS WG, we go to the Forum to get nominations
  • Martijn and Bruce are disqualified and so it is Tim Crawford
  • Dean could be nominated but he is already appointed as the new Forum Chair

Preparing for F2F

Proposed topics:

  1. Focus on consolidating the differences between non-EV CS and EV CS certificates.
  2. Ian: Have a discussion on post-quantum algorithms and certificate types.
    1. Algorithms
    2. Cert types
    3. Tim and Nate volunteer to lead this discussion for 30-45 minutes
    4. Need level setting and then review the available options
    5. Identify use cases

Tim H: ICA and Root creation Post Quantum (PQ) will require a lot of transition/migration

Ian: Need to clear the requirements for applying PQ

Ballot review

  • None pending

Other business

  • Bruce: Email thread about the redlined document of the CS BR v 3.7

  • Corey:

    • There were 2 published versions, but the approved version was an old version.
    • Should the approved version be corrected, although it passed IPR?
    • Should a new ballot be created acknowledging the error and confirming that the final clean version is correct?
    • Any objections to keeping the documents as they are now?
    • No objection was raised, but it was agreed to add an agenda item for the F2F in Seattle that includes a review of the code signing BR version 3.7 redline and potential cleanup items.
    • Consider a cleanup ballot to remove unnecessary text prior to effective dates
  • Andrea Holland: VikingCloud is stepping away from the CS WG

Next meeting – Oct 3rd, should we cancel? The F2F is the following week. No objections to cancelling and holding the following meeting during the F2F meeting in Seattle.
