CA/Browser Forum

CA/Browser Forum posts

Posts by tag Code Signing

    2023-03-23 Minutes of the Code Signing Certificate Working Group
    March 23, 2023 by Corey Bonnell
    Attendees: Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert)
    Minutes:
    Administration: Attendance and requests a minute taker. Reads antitrust statement. Waiting on minutes for two meetings prior to face to face. Face to face minutes will be approved at next meeting.
    Malware Based Revocation Ballot: Ballot summary. Taking approach BRs and SBRs are taking on revocation. Removing CS specific suspect code reference. Discuss 5 day revocation window, consider a 5 day and/or 7 day. Bruce noted good to sync with the SSL BRs at 24 hours and 5 days, but ok with suspect code at 5 days and 7 days. Discussion if we should have requirements defining a misused certificate compared to private key misuse. Additional discussion of misused keys, compared to compromised keys, and signed code that is suspect. Action point to consider defining misuse. Discussion on proper time limit for known compromise and signing malware. Discussion of the difference in timing requirements between key compromise and signing suspect code and back dating revocation. Discussed the consideration that signing suspect code should be treated as a potential compromise of key and/or the subscriber does not have practices in place to detect suspect code. Discussion of asking Microsoft as the main certificate consumer to weigh in on complicated use cases.
    2023-03-09 Minutes of the Code Signing Certificate Working Group
    March 9, 2023 by Corey Bonnell
    Attendees: Andrea Holland (SecureTrust), Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Rollin Yu (TrustAsia), Tim Hollebeek (DigiCert), Tomas Gustavsson (Keyfactor)
    Minutes:
    Assign Minute taker (start recording): Brianca is taking minutes.
    Antitrust Statement: Dean reminded all participants that they must comply with the CA/Browser Forum anti-trust policy, code of conduct, and intellectual property rights agreement.
    2023-02-09 Minutes of the Code Signing Certificate Working Group
    February 9, 2023 by Corey Bonnell
    Attendees: Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quinones (Intel), Rollin Yu (TrustAsia), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert)
    Minutes:
    Antitrust statement read.
    Approval of minutes: Jan 26th minutes have not been sent out.
    Ballot: Malware base revocation (Martijn): Received some pushback on the mailing list.
    2023-01-26 Minutes of the Code Signing Certificate Working Group
    January 26, 2023 by Corey Bonnell
    Attendees: Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert), Trevoli (Amazon Trust Services)
    Minutes:
    Antitrust statement read.
    Approval of minutes: Minutes for 12 January 2023 approved.
    Ballot: Malware base revocation (Martijn): Some discussion and need to get feedback into Github before the end of the week.
    2023-01-12 Minutes of the Code Signing Certificate Working Group
    January 12, 2023 by Corey Bonnell
    Attendees: Atsushi Inaba, Ben Dewberry, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Inigo Barreira, Janet Hines, Martijn Katerbarg, Michael Sykes, Mohit Kumar, Rollin Yu, Tim Crawford
    Minutes:
    Minute Taker: Janet Hines. Antitrust statement was read by Dean Coclin. Approved minutes from December 15, 2022 meeting.
    Ballot around malware revocation: Alternate language is being reviewed. Will update on next call.
    Signing service discussion: No updates.
    Removing SSL BR references: Section 7.1.4.2.3 had several BR references that need more discussion.
    2022-12-15 Minutes of the Code Signing Certificate Working Group
    December 15, 2022 by Corey Bonnell
    Attendees: Andrea Holland, Brianca Martin, Bruce Morton, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Inigo Barreira, Michael Sykes, Mohit Kumar, Rollin Yu, Tim Crawford, Trevoli Ponds-White
    Minutes:
    Antitrust statement was read. Minutes approved for last meeting 1-Dec-22 and F2F. There was discussion on how we can make minutes more effective – in general with a suggestion on recapping along discussion by chair or minute taker for summary.
    Ballot around Malware protection: Updates made to draft to suggest that subscriber can provide a different date based on impact.
    2022-12-01 Minutes of the Code Signing Certificate Working Group
    December 1, 2022 by Corey Bonnell
    Attendees: Andrea Holland – (SecureTrust), Bruce Morton – (Entrust), Corey Bonnell – (DigiCert), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Janet Hines – (SecureTrust), Martijn Katerbarg – (Sectigo), Roberto Quinones – (Intel), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Tomas Gustavsson – (PrimeKey), Trevoli Ponds-White – (Amazon)
    Minutes:
    The Anti-trust statement was read. Minutes of the last call were approved.
    2022-11-17 Minutes of the Code Signing Certificate Working Group
    November 17, 2022 by Corey Bonnell
    Attendees: Atsushi Inaba (GlobalSign), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Joanna Fox (Trustcor), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Crawford (BDO), Tomas Gustavsson, Trevoli Ponds-White (Amazon Trust Services)
    Minutes:
    Antitrust statement was read. Minutes from 25 October are not yet available. Minutes from 3 November were approved.
    Ballot: Signing Service Update – The draft text has been recirculated. Dimitris has some comments on the ETSI Time-stamping audit requirements.
    2022-11-03 Minutes of the Code Signing Certificate Working Group
    November 3, 2022 by Corey Bonnell
    Attendees: Andrea Holland, Atsushi Inaba, Bruce Morton, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Ian McMillan, Inigo Barreira, Mohit Kumar, Tim Crawford, Tim Hollebeek, Tomas Gustavsson
    Minutes:
    Dean read the antitrust statement.
    Signing Service Ballot: Bruce said that he received no further feedback and would like to push this to ballot. Tim and Ian offered to review and endorse, barring any issues found. Dimitris mentioned that one of the takeaways from the F2F was that there is ETSI guidance for remote QSCDs for activation and we should consider incorporating.
    2022-10-06 Minutes of the Code Signing Certificate Working Group
    October 6, 2022 by Corey Bonnell
    Attendees: Atsushi Inaba (GlobalSign), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Michael Sykes (SSL.com), Mohit Kumar (GlobalSign)
    Minutes:
    Antitrust statement was read.
    Approval of prior meeting minutes: Minutes for 22 September 2022 were approved.
    Ballot Status: CSC 15: IPR review ended 18 September 2022, so is now complete. CSC 17: Passed and is not in IPR period until 27 October 2022.
    The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).