CA/Browser Forum

CA/Browser Forum posts

Posts by tag: Code Signing

    2023-10-05 Minutes of the F2F Code Signing Certificate Working Group
    October 5, 2023 by Corey Bonnell
    Attendees: Adam Jones (Microsoft), Aleksandra Kurosz (Asseco Data Systems SA (Certum)), Andrea Holland (VikingCloud), Arvid Vermote (GlobalSign), Ashish Dhiman (GlobalSign), Ben Dewberry (Keyfactor), Ben Wilson (Mozilla), Brianca Martin (Amazon), Bruce Morton (Entrust), Christophe Bonjean (GlobalSign), Clemens Wanko (ACAB Council), Corey Bonnell (DigiCert), Dave Chin (CPA Canada/WebTrust), Dean Coclin (DigiCert), Don Sheehy (CPA Canada/WebTrust), Doug Beattie (GlobalSign), Ellie Lu (TrustAsia Technologies, Inc.), Eva Vansteenberge (GlobalSign), Hannah Sokol (Microsoft), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), John Mason (Microsoft), Jozef Nigut (Disig), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Li-Chun Chen (Chunghwa Telecom), Marcelo Silva (Visa), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Nate Smith (GoDaddy), Naveen Kumar (eMudhra), Nikolaos Soumelidis (ACAB Council), Nitesh Bakliwal (Microsoft), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Rebecca Kelley (Apple), Rich Kapushinski (CommScope), Rollin Yu (TrustAsia Technologies, Inc.), Roman Fischer (SwissSign), Scott Rea (eMudhra), Stephen Davidson (DigiCert), Sven Rajala (Keyfactor), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tim Crawford (CPA Canada/WebTrust), Tim Hollebeek (DigiCert), Trevoli Ponds-White (Amazon), Tsung-Min Kuo (Chunghwa Telecom), Vijayakumar (Vijay) Manjunatha (eMudhra)
    2023-09-21 Minutes of the Code Signing Certificate Working Group
    September 21, 2023 by Corey Bonnell
    Attendees: Andrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Ian McMillan (Microsoft), Inigo Barreira, Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rollin Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford
    Minutes
    Roll Call: Bruce Morton (Entrust), Tim Crawford, Rollin Yu (TrustAsia), Atsushi INABA (GlobalSign), Scott Rea (eMudhra), Mohit Kumar (GlobalSign), Martijn Katerbarg (Sectigo), Inigo Barreira, Ian McMillan (Microsoft), Andrea Holland (VikingCloud), Corey Bonnell (DigiCert), Brianca Martin (Amazon)
    Note Well was read.
    Approve prior meeting minutes (Sept 7): not approved, as the minutes were only provided for review on 21 September.
    F2F Agenda, suggested items:
    Private Keys in hardware feedback: There was generally no input as to whether this should be on the agenda. Ian stated it would be good to bring it up, but Bruce was not confident that there would be any feedback from the members, so would push it to last on the agenda.
    Ballot: Remove EV Guideline references (Dimitris): Dimitris was not on the call to discuss. The goal will be to remove all EV Guidelines references and make adjustments where new text is not applicable to EV; then step 2 would be to adjust clauses to possibly make issuance of EV certificates easier. Note that it is impossible to issue an EV to an individual. It does not address consumer certificates. The client software does not make a distinction between non-EV and EV for code signing. Do we need all the clauses to authenticate certificate issuance? Should we make any changes, since the functionality of non-EV and EV is the same? For individuals we do require F2F for issuance of a code signing certificate. Do we need both non-EV and EV, and if we do, what differences should they have? Also an issue with the due diligence validation where a person can approve vs. a machine. Do we need due diligence specified? Can we create a system for more consistent due diligence review? The goal was to require 2 people to get an EV certificate issued.
    Ballot: Charter update (Martijn): Martijn agreed we could discuss at the F2F.
    Ballot: High Risk (Bruce/Ian): Agreed to discuss at the F2F. Ian wants to ensure internally that we are not removing high risk, as some items are still discussed in sections 4.2.1 and 4.2.2. Should we consider changing a high risk certificate application as to when a subscriber which has been subject to a takeover attack requests a certificate?
    Individual and Organization verification mechanisms as discussed below.
    Review open GitHub items.
    Ballot Status
    Signing Service: Reviewed on last call. Tim has reviewed since and will endorse. Ian is reviewing, then hopefully will endorse.
    High Risk: Text has been drafted and Ian is reviewing.
    Charter Update: Martijn working on change.
    Time-stamp: Delay until other ballots are done.
    Other business: An email was received from Tim McGrath from Microsoft. Ian knows the people that provided the email and will address it. The question was about point-in-time for the address, but this is the type of data based on the CA review. Note there is no unique information included for an individual. An email address would be easy and unique for an individual, and maybe we could drop location data. Can an individual specify a specific project for the signing? The issue would be validating. It would be good if a CA could add information to distinguish an individual, so they would be added to a blocklist if they intentionally sign suspect code. What can we do to help protect relying parties? Perhaps we can brainstorm at the F2F about Individual and OV verification mechanisms. For organizations, can we choose an existing model which is already defined in the CAB Forum? Would not like to create another model.
    Next meeting: F2F Oct 5
    Adjourn
    2023-09-07 Minutes of the Code Signing Certificate Working Group
    September 7, 2023 by Corey Bonnell
    Attendees: Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (Harica), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Keshava N (eMudhra), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Scott Rea (eMudhra)
    Minutes
    Discussion Points
    Prior minutes approval: 24-Aug-2023 minutes approved with no objection.
    2023-08-10 Minutes of the Code Signing Certificate Working Group
    August 10, 2023 by Corey Bonnell
    Attendees: Abhishek Bhat (eMudhra), Andrea Holland (VikingCloud), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rollin Yu (TrustAsia Technologies, Inc.), Scott Rea (eMudhra), Tim Hollebeek (DigiCert), Tomas Gustavsson (PrimeKey)
    Note Well: The Note Well was read.
    Approval of Minutes: July 27th minutes are approved.
    Interested Party application: Waiting on news from Adobe regarding their application.
    Ballot CSC-19: Remove TLS BR References
    August 1, 2023 by Corey Bonnell
    Results of Review Period (Mailing list post is available here.)
    2023-07-13 Minutes of the Code Signing Certificate Working Group
    July 13, 2023 by Corey Bonnell
    Attendees: Andrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Inigo Barreira (Sectigo), Mohit Kumar (GlobalSign), Scott Rea (eMudhra), Tim Crawford (BDO/WebTrust)
    Minutes
    1 item on agenda today (since Bruce and Ian are away): removal of BR references, and which is the correct version of X.509 to be used. Dimitris to lead discussion.
    Ballot: CSC 19
    Latest comments from Tim have been cleared; if no other concerns or objections, discussion period will start on Monday (17 July).
    No concerns raised over content, but procedural concern raised over discussion being held during summer holiday period.
    If quorum is not achieved for vote (due to holiday period impact), a new ballot will be submitted with a new number (same content).
    Still waiting on feedback from Microsoft in respect to X.509 version.
    Server WG requires conformance with RFC 5280, which specifically references the X.509 2005 version.
    Requiring the latest version of X.509 is as inclusive as possible (since it already includes the 2005 edits) and should not present an issue.
    No other business.
    Next meeting: July 27
    2023-06-29 Minutes of the Code Signing Certificate Working Group
    June 29, 2023 by Corey Bonnell
    Attendees: Andrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Ben Dewberry (Keyfactor), Bhat Abhishek (eMudhra), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Janet Hines (VikingCloud), Keshava N (eMudhra), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Scott Rea (eMudhra), Tim Crawford (BDO/WebTrust), Tim Hollebeek (DigiCert)
    Minutes
    Antitrust statement: The Antitrust statement was read.
    Approval of minutes: Previous F2F meeting's minutes still being compiled.
    Ballot: CSC 18 has passed and IPR review period is over.
    Minutes of the F2F 59 Meeting in Redmond, WA, USA, 6-8 June 2023 – CSCWG (6 June)
    June 6, 2023 by Corey Bonnell
    Attendees
    Attendance: IN THE ROOM (FROM SIGN UP SHEET): Ben Wilson (Mozilla), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Karina Sirota Goodley (Microsoft), Tahmina Ahmad (Microsoft), Hannah Sokol (Microsoft), Nitesh Bakliwal (Microsoft), Brianca Martin (Amazon), Trevoli Ponds-White (Amazon), Jonathan Kozolchyk (Amazon), Blake Hess (Amazon), Aaron Poulsen (Amazon), Michael Slaughter (Amazon), Tim Crawford (WebTrust), Inigo Barreira (Sectigo), Yoshiro Yoneya (JPRS), Martijn Katerbarg (Sectigo), Nick France (Sectigo), Tim Callan (Sectigo), Roberto Quiñones (Intel), Ben Dewberry (Keyfactor), Sven Rajala (Keyfactor), Leo Grove (SSL.com), Stephen Davidson (DigiCert), Jeremy Rowley (DigiCert), Scott Olsen (Microsoft), Linda Diefendorf (Microsoft), Steve Lasker (Microsoft), Yamian Quinero (Microsoft), Thomas Zermeno (SSL.com), Georgy Sebastian (Amazon), Meha Sharma (Microsoft), Rakia Segeu (Microsoft), Dawn Wang (Microsoft), Eva van Steenberge (GlobalSign), Christophe Bonjean (GlobalSign), Romain Delval (Certigna), Josselin Allemandou (Certigna), Xiu Lei (GDCA), Xizo Qiang (GDCA), Corey Bonnell (DigiCert), Vikas Khanna (Microsoft), An Yin (iTrus China), Vijay Kumar (eMudhra), Pankaj Chawla (eMudhra), Scott Rea (eMudhra), Paul van Brouwershaven (Entrust), Bruce Morton (Entrust), Arno Fiedler (ETSI ESI), Dimitris Zacharopoulos (HARICA)
    Ballot CSC-18: Update Revocation Requirements
    May 24, 2023 by Corey Bonnell
    Results of Review Period (Mailing list post is available here.)
    2023-05-18 Minutes of the Code Signing Certificate Working Group
    May 18, 2023 by Corey Bonnell
    Attendees: Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert)
    Minutes
    The Antitrust statement was read.
    Minutes from May 4th approved.
    Ballot: CSC 18 – Malware-based revocation (Martijn): In discussion period; voting period ending before meeting is over. Dean: tracker shows quorum met.
    Removing SSL BR References: Martijn: About half of the docs reviewed for missing definitions. Removed 2 definitions that are not used. A couple may need to be added; will need to discuss.
    Subject Name stability: Email from new interested party (Mike Hearn). Ian: MSIX (Appx) does a hash calculation of the publisher's name value that is in the manifest and compares it to the full subject name value of the signing certificate. Was working fine when only used inside of store distribution. As it's been rolled out broadly to allow MSI packages into MSIX, they've run into this issue for companies that change their name or locale. New packages would validate fine, but it presents an inability to update existing apps because it depends on Package Name alignment. This is a Microsoft MSIX issue, not a broad certificate issuance problem. Tim: This is an example of using [subject] name instead of a global identifier, and this has all the issues that are well known. Bruce: Even a global identifier might change if a company changes name, like with SSL and org ID. Ian: Apple and Google offer ways to uniquely identify orgs. If Microsoft offered something similar, it would not be something that Public CAs should have to do. Ian will draft a response to this email.
    June F2F is June 6th afternoon. Dean moves to cancel the call scheduled for Jun 1st. No objections.
    Agenda for F2F: Time: 1:45pm to 3:45pm (nothing scheduled after this, so could keep going). Ian: no guest speaker for the code signing workgroup. Roy Williams is going to talk about Secure Supply Chain Integrity, Trust and Transparency. Bruce: Spend some time reviewing the time stamping changes Ian is proposing. Discuss EV Certificates. Continue discussion on Certificate Transparency. Dean may not be able to attend in person; Bruce can facilitate.
    The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).