2024-09-22 Minutes of the Code Signing Certificate Working Group

Attendees

Bruce Morton (Entrust), Corey Bonnell (DigiCert), Andrea Holland (VikingCloud), AtsushiI Inaba (GlobalSign, Brian Winters (IdenTrust), Ian Macmillan (Microsoft), Marco Schambach (IdenTrust), Scott Rea (eMudra), Tim Crawford ( BDO ), Tim Hollebeek (DigiCert), Nate Santiago ( Microsoft ), Martijn Karterbarg (Sectigo), Mohit Kumar (GlobalSign), Brianca Martin (Amazon)

Minutes

Antitrust reminder – Read

Approve prior meeting minutes – Sept 5th (Brianca) – Approved

Max validity of CS certs (Ian) – proposal

• Ian McMillan to send out within 2-3 weeks the proposed language change and justification for maximum validity of code signing certificates
• Need at least two endorsers
• Nate Santiago to start participating in discussions and potentially replace Ian McMillan in future conversations

Fall elections: Vice Chair nomination

• Have new Chair (Martijn)
• Nominations for a vice chair in the code signing working group will be discussed in the forum
• Tim: If no one responds within the CS WG, we go to the Forum to get nominations
• Martijn and Bruce are disqualified and so it is Tim Crawford
• Dean could be nominated but he is already appointed as the new Forum Chair

Preparing for F2F

Proposed topics:

1. Focus on consolidating the differences between non-EV CS and EV CS certificates.
2. Ian : Have discussion on post-quantum algorithms and certificate types.
   1. Algorithms
   2. Cert types
   3. Tim and Nate volunteer to lead this discussion for 30-45 minutes
   4. Need level setting and then review the available options
   5. Identify use cases

Tim H: ICA and Root creation Post Quantum (PQ) will require a lot of transition/migration

Ian: Need to clear the requirements for applying PQ

3. Ballot review
   1. None pending

Other business

• Bruce: Email thread about the redlined document of the CS BR v 3.7

• Corey:

  • There were 2 published versions, but the approved version was an old version.
  • Should the approved version be corrected, although it passed IPR?
  • Should a new ballot be created acknowledging the error and confirming that the final clean version is correct?
  • Any objections to keep documents as they are now?
  • No Objection raised but agreed to add an agenda item in the F2F in Seattle to includes a review of the code signing BR version 3.7 red line and potential cleanup items.
  • Consider a cleanup ballot to remove unnecessary text prior to effective dates

• Andrea Holland: Viking Cloud is stepping away from the CS WG

Next meeting – Oct 3rd, should we cancel? F2F following week No objections to cancel and conduct the following meeting during the F2F meeting in Seattle