CA/Browser Forum posts
Posts by tag Code Signing
Ballots CSC-21 and CSC-22
January 17, 2024 by Corey Bonnell
RESULTS OF REVIEW PERIOD: The IPR review period ended on February 28, 2024 and no exclusion notices were filed.
Ballot FORUM 20v2 – Amend Code Signing Certificate Working Group Charter
January 13, 2024 by Dimitris Zacharopoulos
The voting period for Ballot FORUM-020 v.2 - Amend Code Signing Certificate Working Group Charter has ended and the Ballot has Passed. Here are the results: Voting by Certificate Issuers 23 votes total including abstentions
2023-12-14 Minutes of the Code Signing Certificate Working Group
December 14, 2023 by Corey Bonnell
Attendees: Andrea Holland (VikingCloud), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Richard Kisley (IBM), Roberto Quionones (Intel), Rollin Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Tim Hollebeek (DigiCert)
2023-11-16 Minutes of the Code Signing Certificate Working Group
November 16, 2023 by Corey Bonnell
Attendees: Andrea Holland – (VikingCloud), Ben Dewberry – (Keyfactor), Brianca Martin – (Amazon), Bruce Morton – (Entrust), Corey Bonnell – (DigiCert), Dimitris Zacharopoulos – (HARICA), Eva Vansteenberge – (GlobalSign), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Martijn Katerbarg – (Sectigo), Mohit Kumar – (GlobalSign), Richard Kisley – (IBM), Roberto Quionones – (Intel), Rollin Yu – (TrustAsia Technologies Inc), Scott Rea – (eMudhra), Tim Crawford – (CPA Canada/WebTrust)
2023-11-02 Minutes of the Code Signing Certificate Working Group
November 2, 2023 by Corey Bonnell
Attendees: Dean Coclin – DigiCert, Atsushi Inaba – GlobalSign, Ben Dewberry – Keyfactor, Bianca Martin – Amazon, Bruce Morton – Entrust, Eva Vansteenberge – GlobalSign, Inigo Barreira – Sectigo, Janet Hines – VikingCloud, Richard Kisley – IBM, Scott Rea – eMudhra, Robert Quinones – Intel, Tim Crawford – CPA Canada/WebTrust, Mohit Kumar – GlobalSign
Minutes
Assign Minute taker (start recording) – Brianca Martin
Roll call – Completed by Dean
Antitrust Compliance Statement
Ballot CSC-20: Restore Version Reference to EV Guidelines
October 30, 2023 by Corey Bonnell
Ballot CSC-20: Restore Version Reference to EV Guidelines
Notice of Review Period: The IPR review period ended on December 7, 2023 and no exclusion notices were filed.
2023-10-19 Minutes of the Code Signing Certificate Working Group
October 19, 2023 by Corey Bonnell
Attendees: Aaron Poulsen – Amazon Trust Services, Andrea Holland – VikingCloud, Atsushi INABA – GlobalSign, Bruce Morton – Entrust, Corey Bonnell, Dean Coclin – DigiCert, Dimitris Zacharopoulos (HARICA), Ian McMillan – Microsoft, Janet Hines – VikingCloud, Richard Kisley – IBM, Mohit Kumar – GlobalSign, Rollin Yu – TrustAsia, Scott Rea – eMudhra, Tim Crawford – BDO/WebTrust
Minutes
Assign Minute taker (start recording) – Ian McMillan
Roll call – Completed by Dean
Antitrust Compliance Statement
2023-10-05 Minutes of the F2F Code Signing Certificate Working Group
October 5, 2023 by Corey Bonnell
Attendees: Adam Jones – (Microsoft), Aleksandra Kurosz – (Asseco Data Systems SA (Certum)), Andrea Holland – (VikingCloud), Arvid Vermote – (GlobalSign), Ashish Dhiman – (GlobalSign), Ben Dewberry – (Keyfactor), Ben Wilson – (Mozilla), Brianca Martin – (Amazon), Bruce Morton – (Entrust), Christophe Bonjean – (GlobalSign), Clemens Wanko – (ACAB Council), Corey Bonnell – (DigiCert), Dave Chin – (CPA Canada/WebTrust), Dean Coclin – (DigiCert), Don Sheehy – (CPA Canada/WebTrust), Doug Beattie – (GlobalSign), Ellie Lu – (TrustAsia Technologies, Inc.), Eva Vansteenberge – (GlobalSign), Hannah Sokol – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), John Mason – (Microsoft), Jozef Nigut – (Disig), Kateryna Aleksieieva – (Asseco Data Systems SA (Certum)), Li-Chun Chen – (Chunghwa Telecom), Marcelo Silva – (Visa), Marco Schambach – (IdenTrust), Martijn Katerbarg – (Sectigo), Mohit Kumar – (GlobalSign), Nate Smith – (GoDaddy), Naveen Kumar – (eMudhra), Nikolaos Soumelidis – (ACAB Council), Nitesh Bakliwal – (Microsoft), Paul van Brouwershaven – (Entrust), Pedro Fuentes – (OISTE Foundation), Rebecca Kelley – (Apple), Rich Kapushinski – (CommScope), Rollin Yu – (TrustAsia Technologies, Inc.), Roman Fischer – (SwissSign), Scott Rea – (eMudhra), Stephen Davidson – (DigiCert), Sven Rajala – (Keyfactor), Thomas Zermeno – (SSL.com), Tim Callan – (Sectigo), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Trevoli Ponds-White – (Amazon), Tsung-Min Kuo – (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha – (eMudhra)
2023-09-21 Minutes of the Code Signing Certificate Working Group
September 21, 2023 by Corey Bonnell
Attendees: Andrea Holland – VikingCloud, Atsushi INABA – GlobalSign, Brianca Martin – Amazon, Bruce Morton – Entrust, Corey Bonnell – DigiCert, Ian McMillan – Microsoft, Inigo Barreira, Martijn Katerbarg – Sectigo, Mohit Kumar – GlobalSign, Rollin Yu – TrustAsia, Scott Rea – eMudhra, Tim Crawford
Minutes
Roll Call – Bruce Morton – Entrust, Tim Crawford, Rollin Yu – TrustAsia, Atsushi INABA – GlobalSign, Scott Rea – eMudhra, Mohit Kumar – GlobalSign, Martijn Katerbarg – Sectigo, Inigo Barreira, Ian McMillan – Microsoft, Andrea Holland – VikingCloud, Corey Bonnell – DigiCert, Corey Bonnell – DigiCert, Brianca Martin – Amazon
Note well was read.
Approve prior meeting minutes – Sept 7 – not approved as the minutes were only provided for review on 21 September.
F2F Agenda, suggested items:
Private Keys in hardware feedback – There was generally no input as to whether this should be on the agenda. Ian stated it would be good to bring it up, but Bruce was not confident that there would be any feedback from the members, so would push to last on the agenda.
Ballot: Remove EV Guideline references (Dimitris) – Dimitris was not on the call to discuss. The goal will be to remove all EV Guidelines references, make adjustments where new text is not applicable to EV; then step 2 would be to adjust clauses to possibly make issuance of EV certificates easier. Note that it is impossible to issue an EV to an individual. It does not address consumer certificate. The client software does not make a distinction between non-EV and EV for code signing. Do we need all the clauses to authenticate certificate issuance? Should we make any changes, since the functionality of non-EV and EV is the same? For individuals we do require F2F for issuance of a code signing certificate. Do we need both non-EV and EV and if we do, what differences should they have? Also an issue with the due diligence validation where a person can approve vs. a machine. Do we need due diligence specified? Can we create a system for more consistent due diligence review? The goal was to require 2 people to get an EV certificate issued.
Ballot: Charter update (Martijn) – Martijn agreed we could discuss at the F2F.
Ballot: High Risk (Bruce/Ian) – Agreed to discuss at the F2F. Ian wants to ensure internally that we are not removing high risk as some items are still discussed in section 4.2.1 and 4.2.2. Should we consider changing a high risk certificate application as to when a subscriber which has been subject to a takeover attack requests a certificate?
Individual and Organization verification mechanisms as discussed below.
Review open GitHub items.
Ballot Status:
Signing Service – Reviewed on last call. Tim has reviewed since and will endorse. Ian is reviewing, then hopefully will endorse.
High Risk – Text has been drafted and Ian is reviewing.
Charter Update – Martijn working on change.
Time-stamp – Delay until other ballots are done.
Other business – An email received from Tim McGrath from Microsoft. Ian knows the people that provided the email and will address. The question was about point-in-time for the address; but this is the type of data based on the CA review. Note there is no unique information included for an individual. An email address would be easy and unique for an individual and maybe we could drop location data. Can an individual specify a specific project for the signing, but the issue would be validating. It would be good if a CA could add information to distinguish an individual, so they would be added to a blocklist if they intentionally sign suspect code. What can we do to help protect relying parties? Perhaps we can brainstorm at the F2F about Individual and OV verification mechanisms. For organization, can we choose an existing model which is already defined in the CAB Forum. Would not like to create another model.
Next meeting – F2F Oct 5
Adjourn
2023-09-07 Minutes of the Code Signing Certificate Working Group
September 7, 2023 by Corey Bonnell
Attendees: Andrea Holland – VikingCloud, Atsushi Inaba – GlobalSign, Brianca Martin – Amazon, Bruce Morton – Entrust, Corey Bonnell – DigiCert, Dimitris Zacharopoulos – Harica, Ian McMillan – Microsoft, Inigo Barreira – Sectigo, Keshava N – eMudhra, Martijn Katerbarg – Sectigo, Mohit Kumar – GlobalSign, Scott Rea – eMudhra
Minutes
Discussion Points
Prior minutes approval – 24-Aug-2023 minutes approved with no objection