CA/Browser Forum

Posts by tag Code Signing

    Ballot CSC-18: Update Revocation Requirements
    May 24, 2023 by Corey Bonnell
    Results of Review Period (Mailing list post is available here.) The IPR review period ended on June 29, 2023 and no exclusion notices were filed. The final documents, with the effective date being 2023-06-29, are available here. This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.3). This Review Period is for a Final Maintenance Guideline (30 day Review Period). The complete Draft Guideline subject of this Review Notice is available here.
    2023-05-18 Minutes of the Code Signing Certificate Working Group
    May 18, 2023 by Corey Bonnell
    Attendees: Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert)
    Minutes: The Antitrust statement was read. Minutes from May 4th approved. Ballot: CSC 18 – Malware base revocation (Martijn). In discussion period, voting period ending before meeting is over. Dean: tracker shows quorum met. Removing SSL BR References. Martijn: About half docs reviewed for missing definitions.
    2023-05-04 Minutes of the Code Signing Certificate Working Group
    May 4, 2023 by Corey Bonnell
    Attendees: Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert)
    Minutes: Antitrust statement: The Antitrust statement was read. Approval of minutes: Minutes for 26 January 2023 & 20 April 2023 approved. Ballot: CSC 18 – Malware base revocation (Martijn). Sending out v2.
    2023-04-20 Minutes of the Code Signing Certificate Working Group
    April 20, 2023 by Corey Bonnell
    Attendees: Bruce Morton – (Entrust), Corey Bonnell – (DigiCert), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Martijn Katerbarg – (Sectigo), Tim Crawford – (CPA Canada/WebTrust)
    Minutes: Note Well: The Note Well was read. Approval of Minutes: April 6th minutes are approved. January 26th minutes are pending. Bruce will take over writing these minutes. Ballot Status: CSC-18 – In discussion period.
    2023-04-06 Minutes of the Code Signing Certificate Working Group
    April 6, 2023 by Corey Bonnell
    Attendees: Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Tim Crawford (BDO), Tomas Gustavsson (Keyfactor)
    Minutes: Minute taker: Dean Coclin. The Anti-Trust summary was read. Three sets of prior meeting minutes were approved: F2F, March 9 and March 23. Malware based revocation: Martijn stated that this was ready for ballot. The PR on GitHub has been created.
    2023-03-23 Minutes of the Code Signing Certificate Working Group
    March 23, 2023 by Corey Bonnell
    Attendees: Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert)
    Minutes: Administration. Attendance and requests a minute taker. Reads antitrust statement. Waiting on minutes for two meetings prior to face to face. Face to face minutes will be approved at next meeting. Malware Based Revocation Ballot. Ballot summary. Taking approach BRs and SBRs are taking on revocation. Removing CS specific suspect code reference. Discuss 5 day revocation window, consider a 5 day and/or 7 day. Bruce noted good to sync with the SSL BRs at 24 hours and 5 days, but ok with suspect code at 5 days and 7 days. Discussion if we should have requirements defining a misused certificate compared to private key misuse. Additional discussion of misused keys, compared to compromised keys, and signed code that is suspect. Action point to consider defining misuse. Discussion on proper time limit for known compromise and signing malware. Discussion of the difference in timing requirements between key compromise and signing suspect code and back dating revocation. Discussed the consideration that signing suspect code should be treated as a potential compromise of key and/or the subscriber does not have practices in place to detect suspect code. Discussion of asking Microsoft as the main certificate consumer to weigh in on complicated use cases.
    2023-03-09 Minutes of the Code Signing Certificate Working Group
    March 9, 2023 by Corey Bonnell
    Attendees: Andrea Holland (SecureTrust), Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Rollin Yu (TrustAsia), Tim Hollebeek (DigiCert), Tomas Gustavsson (Keyfactor)
    Minutes: Assign Minute taker (start recording). Brianca is taking minutes. Antitrust Statement. Dean reminded all participants that they must comply with the CA/Browser Forum anti-trust policy, code of conduct, and intellectual property rights agreement.
    2023-02-09 Minutes of the Code Signing Certificate Working Group
    February 9, 2023 by Corey Bonnell
    Attendees: Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quinones (Intel), Rollin Yu (TrustAsia), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert)
    Minutes: Antitrust statement read. Approval of minutes: Jan 26th minutes have not been sent out. Ballot: Malware base revocation (Martijn). Received some pushback on the mailing list.
    2023-01-26 Minutes of the Code Signing Certificate Working Group
    January 26, 2023 by Corey Bonnell
    Attendees: Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert), Trevoli (Amazon Trust Services)
    Minutes: Antitrust statement read. Approval of minutes: Minutes for 12 January 2023 approved. Ballot: Malware base revocation (Martijn). Some discussion and need to get feedback into GitHub before the end of the week.
    2023-01-12 Minutes of the Code Signing Certificate Working Group
    January 12, 2023 by Corey Bonnell
    Attendees: Atsushi Inaba, Ben Dewberry, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Inigo Barreira, Janet Hines, Martijn Katerbarg, Michael Sykes, Mohit Kumar, Rollin Yu, Tim Crawford
    Minutes: Minute Taker: Janet Hines. Antitrust statement was read by Dean Coclin. Approved minutes from December 15, 2022 meeting. Ballot around malware revocation: Alternate language is being reviewed. Will update on next call. Signing service discussion: No updates. Removing SSL BR references: Section 7.1.4.2.3 had several BR references that need more discussion.
    The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).