CA/Browser Forum posts
Posts by author Corey Bonnell
Ballot CSC-19: Remove TLS BR References
August 1, 2023 by Corey BonnellResults of Review Period (Mailing list post is available here.)
August 1, 2023 by Corey BonnellResults of Review Period (Mailing list post is available here.)
2023-07-13 Minutes of the Code Signing Certificate Working Group
July 13, 2023 by Corey BonnellAttendeesAndrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Inigo Barreira (Sectigo), Mohit Kumar (GlobalSign), Scott Rea (eMudhra), Tim Crawford (BDO/WebTrust) Minutes1 item on agenda today (since Bruce and Ian are away) – removal of BR references, and which is the correct version of X.509 to be used. Dimitris to lead discussion. Ballot: CSC 19 Latest comments from Tim have been cleared, if no other concerns or objections, discussion period will start on Monday (17 July) No concerns raised over content, but procedural concern raised over discussion being held during summer holiday period If quorum is not achieved for vote (due to holiday period impact), a new ballot will be submitted with a new number (same content) Still waiting on feedback from Microsoft in respect to X.509 version Server WG requires conformance with RFC 5280 which specifically references X.509 2005 version Requiring latest version of X.509 is as inclusive as possible (since it already include 2005 edits) and should not present an issue No other business Next meeting: July 27
July 13, 2023 by Corey BonnellAttendeesAndrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Inigo Barreira (Sectigo), Mohit Kumar (GlobalSign), Scott Rea (eMudhra), Tim Crawford (BDO/WebTrust) Minutes1 item on agenda today (since Bruce and Ian are away) – removal of BR references, and which is the correct version of X.509 to be used. Dimitris to lead discussion. Ballot: CSC 19 Latest comments from Tim have been cleared, if no other concerns or objections, discussion period will start on Monday (17 July) No concerns raised over content, but procedural concern raised over discussion being held during summer holiday period If quorum is not achieved for vote (due to holiday period impact), a new ballot will be submitted with a new number (same content) Still waiting on feedback from Microsoft in respect to X.509 version Server WG requires conformance with RFC 5280 which specifically references X.509 2005 version Requiring latest version of X.509 is as inclusive as possible (since it already include 2005 edits) and should not present an issue No other business Next meeting: July 27
2023-06-29 Minutes of the Code Signing Certificate Working Group
June 29, 2023 by Corey BonnellAttendeesAndrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Ben Dewberry (Keyfactor), Bhat Abhishek (eMudhra), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Janet Hines (VikingCloud), Keshava N (eMudhra), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Scott Rea (eMudhra), Tim Crawford (BDO/WebTrust), Tim Hollebeek (DigiCert) Minutes**Antitrust statement: **The Antitrust statement was read. Approval of minutes: Previous F2F meeting’s minutes still being compiled Ballot: CSC 18 has passed and IPR review period is over
June 29, 2023 by Corey BonnellAttendeesAndrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Ben Dewberry (Keyfactor), Bhat Abhishek (eMudhra), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Janet Hines (VikingCloud), Keshava N (eMudhra), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Scott Rea (eMudhra), Tim Crawford (BDO/WebTrust), Tim Hollebeek (DigiCert) Minutes**Antitrust statement: **The Antitrust statement was read. Approval of minutes: Previous F2F meeting’s minutes still being compiled Ballot: CSC 18 has passed and IPR review period is over
Minutes of the F2F 59 Meeting in Redmond, WA, USA, 6-8 June 2023 – CSCWG (6 June)
June 6, 2023 by Corey BonnellAttendeesAttendance: IN THE ROOM (FROM SIGN UP SHEET) Ben Wilson (Mozilla), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Karina Sirota Goodley (Microsoft), Tahmina Ahmad (Microsoft), Hannah Sokol (Microsoft), Nitesh Bakliwal (Microsoft), Brianca Martin (Amazon), Trevoli Ponds-White (Amazon), Jonathan Kozolchyk (Amazon), Blake Hess (Amazon), Aaron Poulsen (Amazon), Michael Slaughter (Amazon), Tim Crawford (WebTrust), Inigo Barreira (Sectigo), Yoshiro Yoneya (JPRS), Martijn Katerbard (Sectigo), Nick France (Sectigo), Tim Callen (Sectigo), Roberto Quinones (Intel), Ben Dewberry (Keyfactor), Sven Rajala (Keyfactor), Leo Grove (SSL.com), Stephen Davidson (DigiCert), Jeremy Rowley (DigiCert), Scott Olsen (Microsoft), Linda Diefendorf (Microsoft), Steve Lasker (Microsoft), Yamian Quinero (Microsoft), Thomas Zermeno (SSL.com), Georgy Sebastian (Amazon), Meha Sharma (Microsoft), Rakia Segeu (Microsoft), Dawn Wang (Microsoft), Eva van Steenberge (Globalsign), Christophe Bonjean (Globalsign), Romain Delval (Certigna), Josselin Allemandou (Certigna), Xiu Lei (GDCA), Xizo Qiang (GDCA), Corey Bonnell (DigiCert), Vikas Khanna (Microsoft), An Yin (iTrus China), Vijay Kumar (eMuhdra), Pankaj Chawla (eMuhdra), Scott Rea (eMuhdra), Paul van Browershaven (Entrust), Bruce Morton (Entrust), Arno Fiedler (ETSI ESI), Dimitris Zacharopoulos (HARICA)
June 6, 2023 by Corey BonnellAttendeesAttendance: IN THE ROOM (FROM SIGN UP SHEET) Ben Wilson (Mozilla), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Karina Sirota Goodley (Microsoft), Tahmina Ahmad (Microsoft), Hannah Sokol (Microsoft), Nitesh Bakliwal (Microsoft), Brianca Martin (Amazon), Trevoli Ponds-White (Amazon), Jonathan Kozolchyk (Amazon), Blake Hess (Amazon), Aaron Poulsen (Amazon), Michael Slaughter (Amazon), Tim Crawford (WebTrust), Inigo Barreira (Sectigo), Yoshiro Yoneya (JPRS), Martijn Katerbard (Sectigo), Nick France (Sectigo), Tim Callen (Sectigo), Roberto Quinones (Intel), Ben Dewberry (Keyfactor), Sven Rajala (Keyfactor), Leo Grove (SSL.com), Stephen Davidson (DigiCert), Jeremy Rowley (DigiCert), Scott Olsen (Microsoft), Linda Diefendorf (Microsoft), Steve Lasker (Microsoft), Yamian Quinero (Microsoft), Thomas Zermeno (SSL.com), Georgy Sebastian (Amazon), Meha Sharma (Microsoft), Rakia Segeu (Microsoft), Dawn Wang (Microsoft), Eva van Steenberge (Globalsign), Christophe Bonjean (Globalsign), Romain Delval (Certigna), Josselin Allemandou (Certigna), Xiu Lei (GDCA), Xizo Qiang (GDCA), Corey Bonnell (DigiCert), Vikas Khanna (Microsoft), An Yin (iTrus China), Vijay Kumar (eMuhdra), Pankaj Chawla (eMuhdra), Scott Rea (eMuhdra), Paul van Browershaven (Entrust), Bruce Morton (Entrust), Arno Fiedler (ETSI ESI), Dimitris Zacharopoulos (HARICA)
Ballot CSC-18: Update Revocation Requirements
May 24, 2023 by Corey BonnellResults of Review Period (Mailing list post is available here.)
May 24, 2023 by Corey BonnellResults of Review Period (Mailing list post is available here.)
2023-05-18 Minutes of the Code Signing Certificate Working Group
May 18, 2023 by Corey BonnellAttendeesAtsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert) Minutes The Antitrust statement was read Minutes from May 4th approved Ballot: CSC 18 – Malware base revocation (Martijn) In discussion period, voting period ending before meeting is over Dean: tracker shows quorum met Removing SSL BR References Martjin: About half docs reviewed for missing definitions. Removed 2 definitions that are not used. A couple may need to be added, will need to discuss Subject Name stability Email from new interested party (Mike Hearn) Ian: MSIX (Appx) does hash calculation of the publisher’s name value that is in the manifest and compares it to the full subject name value of signing certificate Was working fine when only used inside of store distribution. As its been rolled out broadly to allow MSI package into MSIX, they’ve run into this issue for companies that change their name or locale. New packages would validate fine but presents inability to update existing apps because it depends on Package Name alignment. This is Microsoft MSIX issue, not a broad certificate issuance problem. Tim: This is example of using [subject] name instead of global identifier and this has all the issues that are well known. Bruce: Even global identifier might change if company changes name, like with SSL and org ID Ian: Apple and Google offer ways to uniquely identify orgs. If Microsoft offered something similar, it would not be something that Public CAs should have to do. Ian will draft a response to this email June F2F is June 6th afternoon. Dean moves to cancel call scheduled for Jun 1st. No objections Agenda for F2F Time: 1:45pm to 3:45pm (nothing scheduled after this, so could keep going) Ian: no guest speaker for code signing workgroup. Roy Williams is going to talk about Secure Supply Chain Integrity, Trust and Transparency. Bruce: Spend some time reviewing time stamping changes Ian is proposing. Discuss EV Certificates. Continue discussion on Certificate Transparency Dean may not be able to attend in person, Bruce can facilitate
May 18, 2023 by Corey BonnellAttendeesAtsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert) Minutes The Antitrust statement was read Minutes from May 4th approved Ballot: CSC 18 – Malware base revocation (Martijn) In discussion period, voting period ending before meeting is over Dean: tracker shows quorum met Removing SSL BR References Martjin: About half docs reviewed for missing definitions. Removed 2 definitions that are not used. A couple may need to be added, will need to discuss Subject Name stability Email from new interested party (Mike Hearn) Ian: MSIX (Appx) does hash calculation of the publisher’s name value that is in the manifest and compares it to the full subject name value of signing certificate Was working fine when only used inside of store distribution. As its been rolled out broadly to allow MSI package into MSIX, they’ve run into this issue for companies that change their name or locale. New packages would validate fine but presents inability to update existing apps because it depends on Package Name alignment. This is Microsoft MSIX issue, not a broad certificate issuance problem. Tim: This is example of using [subject] name instead of global identifier and this has all the issues that are well known. Bruce: Even global identifier might change if company changes name, like with SSL and org ID Ian: Apple and Google offer ways to uniquely identify orgs. If Microsoft offered something similar, it would not be something that Public CAs should have to do. Ian will draft a response to this email June F2F is June 6th afternoon. Dean moves to cancel call scheduled for Jun 1st. No objections Agenda for F2F Time: 1:45pm to 3:45pm (nothing scheduled after this, so could keep going) Ian: no guest speaker for code signing workgroup. Roy Williams is going to talk about Secure Supply Chain Integrity, Trust and Transparency. Bruce: Spend some time reviewing time stamping changes Ian is proposing. Discuss EV Certificates. Continue discussion on Certificate Transparency Dean may not be able to attend in person, Bruce can facilitate
2023-05-04 Minutes of the Code Signing Certificate Working Group
May 4, 2023 by Corey BonnellAttendeesAtsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert) MinutesAntitrust statement: The Antitrust statement was read. Approval of minutes: Minutes for 26 January 2023 & 20 April 2023 approved Ballot: CSC 18 – Malware base revocation (Martijn) Sending out v2.1 soon Noted a few small changes Request from Ian Changed effective date to allow both using the new procedure right away or wait until the effective date (April 15, 2024) Tim will send around internally for review. Ballot: Remove SSL BR References (Dimitris was not present so Bruce gave update) Review of the capitalized terms has started but is not complete Looking for two endorsers F2F Agenda Topics Discussion Discussion around possible presentation from Microsoft but Ian is looking for some idea of the main topics Suggested there may be time to discuss signing services after the revocation and 3647 ballot but may need to wait for updates based other ballots Suggested to discuss Timestamping changes Suggested discussing removing text allowing for keys not stored in hw Bruce suggested discussing high risk items, and Tim mentioned that in previous discussions post June the plan was to remove high risk language, Bruce agreed. Bruce suggested potentially a clean-up ballot Ben suggested discussion around some of the proposed changes in the CSBRs and will think about specific topics for discussion Some side discussion between Bruce and Ian about the future of EV certificates, potential topic for MS to present on and/or have on the agenda at the F2F Ian suggested discussing certificate transparency for code signing certificates were there was discussion amongst the attendees that it was a good topic to add In summary; timestamping changes, high risk language, potentially some specific CSBR github discussion threads, EV/OV certificates, certificate transparency Other business Discussed request for new interested party participant from Hydraulic Software, Dean will connect with Wayne to accomplish. Next Meeting: May 18th 2023 Adjourn
May 4, 2023 by Corey BonnellAttendeesAtsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert) MinutesAntitrust statement: The Antitrust statement was read. Approval of minutes: Minutes for 26 January 2023 & 20 April 2023 approved Ballot: CSC 18 – Malware base revocation (Martijn) Sending out v2.1 soon Noted a few small changes Request from Ian Changed effective date to allow both using the new procedure right away or wait until the effective date (April 15, 2024) Tim will send around internally for review. Ballot: Remove SSL BR References (Dimitris was not present so Bruce gave update) Review of the capitalized terms has started but is not complete Looking for two endorsers F2F Agenda Topics Discussion Discussion around possible presentation from Microsoft but Ian is looking for some idea of the main topics Suggested there may be time to discuss signing services after the revocation and 3647 ballot but may need to wait for updates based other ballots Suggested to discuss Timestamping changes Suggested discussing removing text allowing for keys not stored in hw Bruce suggested discussing high risk items, and Tim mentioned that in previous discussions post June the plan was to remove high risk language, Bruce agreed. Bruce suggested potentially a clean-up ballot Ben suggested discussion around some of the proposed changes in the CSBRs and will think about specific topics for discussion Some side discussion between Bruce and Ian about the future of EV certificates, potential topic for MS to present on and/or have on the agenda at the F2F Ian suggested discussing certificate transparency for code signing certificates were there was discussion amongst the attendees that it was a good topic to add In summary; timestamping changes, high risk language, potentially some specific CSBR github discussion threads, EV/OV certificates, certificate transparency Other business Discussed request for new interested party participant from Hydraulic Software, Dean will connect with Wayne to accomplish. Next Meeting: May 18th 2023 Adjourn
2023-04-20 Minutes of the Code Signing Certificate Working Group
April 20, 2023 by Corey BonnellAttendeesBruce Morton – (Entrust), Corey Bonnell – (DigiCert), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Martijn Katerbarg – (Sectigo), Tim Crawford – (CPA Canada/WebTrust) MinutesNote Well: The Note Well was read. Approval of Minutes: April 6th minutes are approved. January 26th minutes are pending. Bruce will take over writing these minutes. Ballot Status CSC-18 – In discussion period. A few additional items were mentioned which are being added: Request from Application Software Suppliers to not revoke a certificate when requested by them Effective Date. During the call it was discussed to set April 15th 2024 as the effective date, also adding language that will allow CAs to start using the new way earlier. A v2 ballot will be started soon Incorporating BR references No changes since the last meeting. Still need to review and go over definitions Signing Service No changes here. Also waiting on the other two ballots to complete first RFC for Key Attestation Mike from Entrust is trying to put together an RFC around Key Attestation. Information was circulated on the public list for anyone wanting to assist
April 20, 2023 by Corey BonnellAttendeesBruce Morton – (Entrust), Corey Bonnell – (DigiCert), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Martijn Katerbarg – (Sectigo), Tim Crawford – (CPA Canada/WebTrust) MinutesNote Well: The Note Well was read. Approval of Minutes: April 6th minutes are approved. January 26th minutes are pending. Bruce will take over writing these minutes. Ballot Status CSC-18 – In discussion period. A few additional items were mentioned which are being added: Request from Application Software Suppliers to not revoke a certificate when requested by them Effective Date. During the call it was discussed to set April 15th 2024 as the effective date, also adding language that will allow CAs to start using the new way earlier. A v2 ballot will be started soon Incorporating BR references No changes since the last meeting. Still need to review and go over definitions Signing Service No changes here. Also waiting on the other two ballots to complete first RFC for Key Attestation Mike from Entrust is trying to put together an RFC around Key Attestation. Information was circulated on the public list for anyone wanting to assist
2023-04-06 Minutes of the Code Signing Certificate Working Group
April 6, 2023 by Corey BonnellAttendeesAtsushi Inaba (Globalsign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Janet Hines (Viking Cloud), Martijn Karterbarg (Sectigo), Mohit Kumar (Globalsign), Tim Crawford (BDO), Tomas Gustavson (Keyfactor) MinutesMinute taker: Dean Coclin The Anti-Trust summary was read Three sets of prior meeting minutes were approved: F2F, March 9 and March 23. Malware based revocation: Martijn stated that this was ready for ballot. The PR on github has been created. CSCWG 18 is the ballot number. Martijn will send out a summary and proposed ballot. Signing Service Update: Bruce was unable to attend, hence this topic was tabled until the next call Removing SSL BR references: Dimitris reviewed some of the changes to the BRs. Martijn agreed to help divide the upcoming work. Various sections were reviewed and updated in the document which Dimitris is maintaining on Git. All the modifications can be found on the Git repository. We expect to consider the import of the BRs at the next meeting. Following this, we will work on the references to the EV guidelines. Next meeting on April 20th.
April 6, 2023 by Corey BonnellAttendeesAtsushi Inaba (Globalsign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Janet Hines (Viking Cloud), Martijn Karterbarg (Sectigo), Mohit Kumar (Globalsign), Tim Crawford (BDO), Tomas Gustavson (Keyfactor) MinutesMinute taker: Dean Coclin The Anti-Trust summary was read Three sets of prior meeting minutes were approved: F2F, March 9 and March 23. Malware based revocation: Martijn stated that this was ready for ballot. The PR on github has been created. CSCWG 18 is the ballot number. Martijn will send out a summary and proposed ballot. Signing Service Update: Bruce was unable to attend, hence this topic was tabled until the next call Removing SSL BR references: Dimitris reviewed some of the changes to the BRs. Martijn agreed to help divide the upcoming work. Various sections were reviewed and updated in the document which Dimitris is maintaining on Git. All the modifications can be found on the Git repository. We expect to consider the import of the BRs at the next meeting. Following this, we will work on the references to the EV guidelines. Next meeting on April 20th.
2023-03-23 Minutes of the Code Signing Certificate Working Group
March 23, 2023 by Corey BonnellAttendeesAtsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert) MinutesAdministration Attendance and requests a minute taker Reads antitrust statement Waiting on minutes for two meeting prior to face to face Face to face minutes will be approved at next meeting Malware Based Revocation Ballot Ballot summary Taking approach BRs and SBRs are taking on revocation Removing CS specific suspect code reference Discuss 5 day revocation window, consider a 5 day and/or 7 day Bruce noted good to sync with the SSL BRs at 24 hours and 5 days, but ok with suspect code at 5 days and 7 days Discussion if we should have requirements defining a misused certificate compared to private key misuse Additional discussion of misused keys, compared to compromised keys, and signed code that is suspect Action point to consider defining misuse Discussion on proper time limit for known compromise and signing malware Discussion of the difference in timing requirements between key compromise and singing suspect code and back dating revocation Discussed the consideration that signing suspect code should be treated as a potential compromise of key and/or the subscriber does not have practices in place to detect suspect code Discussion of asking Microsoft as the main certificate consumer to weigh in on complicated use cases. This is a practice now and not an overly common practice, this would take place after revocation and there is an open period to back date revocation Mentioned the RFC does not allow back dating, but it is an important tool for code signing Need to cover the loophole for certificate problem reports for expired or revoked certificates Potential wording is being drafted and will be included in GitHub and distributed Other topics It was determined singing service did not have much to discuss at this time and we should focus on the revocation topic A couple of points on removing the SSL BR reference were mentioned and would be discussed on future calls
March 23, 2023 by Corey BonnellAttendeesAtsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert) MinutesAdministration Attendance and requests a minute taker Reads antitrust statement Waiting on minutes for two meeting prior to face to face Face to face minutes will be approved at next meeting Malware Based Revocation Ballot Ballot summary Taking approach BRs and SBRs are taking on revocation Removing CS specific suspect code reference Discuss 5 day revocation window, consider a 5 day and/or 7 day Bruce noted good to sync with the SSL BRs at 24 hours and 5 days, but ok with suspect code at 5 days and 7 days Discussion if we should have requirements defining a misused certificate compared to private key misuse Additional discussion of misused keys, compared to compromised keys, and signed code that is suspect Action point to consider defining misuse Discussion on proper time limit for known compromise and signing malware Discussion of the difference in timing requirements between key compromise and singing suspect code and back dating revocation Discussed the consideration that signing suspect code should be treated as a potential compromise of key and/or the subscriber does not have practices in place to detect suspect code Discussion of asking Microsoft as the main certificate consumer to weigh in on complicated use cases. This is a practice now and not an overly common practice, this would take place after revocation and there is an open period to back date revocation Mentioned the RFC does not allow back dating, but it is an important tool for code signing Need to cover the loophole for certificate problem reports for expired or revoked certificates Potential wording is being drafted and will be included in GitHub and distributed Other topics It was determined singing service did not have much to discuss at this time and we should focus on the revocation topic A couple of points on removing the SSL BR reference were mentioned and would be discussed on future calls