CA/Browser Forum

2025-01-23 Minutes of the Code Signing Certificate Working Group

Attendees

Kateryna Aleksieieva (Certum by Asseco); Inigo Barreira (Sectigo); Yateesh Bhardwaj (GlobalSign); Corey Bonnell (DigiCert); Luis Cervantes (SSL.com); Dean Coclin (DigiCert); Tim Crawford (BDO); Atsushi INABA (GlobalSign); Martijn Katerbarg (Sectigo); Rebecca Kelley (SSL.com); Brianca Martin (Amazon); Bruce Morton (Entrust); Nome-Huang (TrustAsia); Marco Schambach (IdenTrust); Alexander Truskovsky (AWS); Thomas Zermeno (SSL.com).

Note Well

Anti-trust statement read by Martijn K.

Approval of prior meeting minutes

Previous minutes of 2025-01-09, taken by Bruce M., were presented to the CSCWG on 2025-01-13. No comments; approved. Final agenda approved on the mailing list; no new topics to add.

Max validity reduction for Code Signing Certificates

Ian cannot join us this week. Nate (not Nick) will start attending the CSCWG next week, 2025-02-06, at which time we can take up this topic again. No comments from the WG.

Aligning the CSCWG BRs with recent ballots

Bruce is still waiting on endorsers; the ballot needs one more endorser. Corey B. showed interest in the ballot but will need to review the text before endorsing. Marco (IdenTrust) asked about the requirements to endorse the ballot. Martijn explained that any voting member who agreed with the ballot could endorse.

Cleanup Ballot

The word “effective” is used 17 times in the CSBRs; at least 12 of those uses are related to effective dates. It should be OK to remove those terms and clean up the BRs before transitioning to a single profile. Martijn was looking for someone to help him with this task; there were no immediate volunteers. Martijn will begin working on the cleanup ballot in the meantime.

Moving towards a Single Profile CSBR

How best to do that? Go through each section one by one, or have someone present a complete proposal and then either accept or deny it? Corey suggested that we need to hear what Microsoft has to say about their requirements now that they are no longer making the EV distinction. The CSCWG needs to know more about Microsoft’s vision for Code Signing prior to making any changes to the profiles, since a strengthening of the “OV” model was mentioned at the announcement of EV deprecation. Bruce expressed concern that designing new validation methods without those high-level goals could be counterproductive. Corey agreed. The topic will be revisited next week to allow Microsoft time to present an overview of their desired changes.

Other Business

No other topics. Next meeting: 2025-02-06.