CA/Browser Forum posts
Posts by tag Code Signing
2023-09-07 Minutes of the Code Signing Certificate Working Group
September 7, 2023 by Corey Bonnell
Attendees: Andrea Holland – VikingCloud, Atsushi Inaba – GlobalSign, Brianca Martin – Amazon, Bruce Morton – Entrust, Corey Bonnell – DigiCert, Dimitris Zacharopoulos – Harica, Ian McMillan – Microsoft, Inigo Barreira – Sectigo, Keshava N – eMudhra, Martijn Katerbarg – Sectigo, Mohit Kumar – GlobalSign, Scott Rea – eMudhra
Minutes
Discussion Points
- Prior minutes approval – 24-Aug-2023 minutes approved with no objection
2023-08-10 Minutes of the Code Signing Certificate Working Group
August 10, 2023 by Corey Bonnell
Attendees: Abhishek Bhat (eMudhra), Andrea Holland (VikingCloud), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rollin Yu (TrustAsia Technologies, Inc.), Scott Rea (eMudhra), Tim Hollebeek (DigiCert), Tomas Gustavsson (PrimeKey)
Note Well: The Note Well was read.
Approval of Minutes: July 27th minutes are approved.
Interested Party application: Waiting on news from Adobe regarding their application.
Ballot CSC-19: Remove TLS BR References
August 1, 2023 by Corey Bonnell
Results of Review Period (Mailing list post is available here.)
2023-07-13 Minutes of the Code Signing Certificate Working Group
July 13, 2023 by Corey Bonnell
Attendees: Andrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Inigo Barreira (Sectigo), Mohit Kumar (GlobalSign), Scott Rea (eMudhra), Tim Crawford (BDO/WebTrust)
Minutes
1 item on agenda today (since Bruce and Ian are away) – removal of BR references, and which is the correct version of X.509 to be used. Dimitris to lead discussion.
Ballot: CSC 19
- Latest comments from Tim have been cleared; if no other concerns or objections, discussion period will start on Monday (17 July)
- No concerns raised over content, but procedural concern raised over discussion being held during summer holiday period
- If quorum is not achieved for vote (due to holiday period impact), a new ballot will be submitted with a new number (same content)
- Still waiting on feedback from Microsoft in respect to X.509 version
- Server WG requires conformance with RFC 5280 which specifically references X.509 2005 version
- Requiring latest version of X.509 is as inclusive as possible (since it already includes 2005 edits) and should not present an issue
No other business
Next meeting: July 27
2023-06-29 Minutes of the Code Signing Certificate Working Group
June 29, 2023 by Corey Bonnell
Attendees: Andrea Holland (VikingCloud), Atsushi INABA (GlobalSign), Ben Dewberry (Keyfactor), Bhat Abhishek (eMudhra), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Janet Hines (VikingCloud), Keshava N (eMudhra), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Scott Rea (eMudhra), Tim Crawford (BDO/WebTrust), Tim Hollebeek (DigiCert)
Minutes
Antitrust statement: The Antitrust statement was read.
Approval of minutes: Previous F2F meeting’s minutes still being compiled
Ballot: CSC 18 has passed and IPR review period is over
Minutes of the F2F 59 Meeting in Redmond, WA, USA, 6-8 June 2023 – CSCWG (6 June)
June 6, 2023 by Corey Bonnell
Attendees
Attendance: IN THE ROOM (FROM SIGN UP SHEET)
Ben Wilson (Mozilla), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Karina Sirota Goodley (Microsoft), Tahmina Ahmad (Microsoft), Hannah Sokol (Microsoft), Nitesh Bakliwal (Microsoft), Brianca Martin (Amazon), Trevoli Ponds-White (Amazon), Jonathan Kozolchyk (Amazon), Blake Hess (Amazon), Aaron Poulsen (Amazon), Michael Slaughter (Amazon), Tim Crawford (WebTrust), Inigo Barreira (Sectigo), Yoshiro Yoneya (JPRS), Martijn Katerbard (Sectigo), Nick France (Sectigo), Tim Callen (Sectigo), Roberto Quinones (Intel), Ben Dewberry (Keyfactor), Sven Rajala (Keyfactor), Leo Grove (SSL.com), Stephen Davidson (DigiCert), Jeremy Rowley (DigiCert), Scott Olsen (Microsoft), Linda Diefendorf (Microsoft), Steve Lasker (Microsoft), Yamian Quinero (Microsoft), Thomas Zermeno (SSL.com), Georgy Sebastian (Amazon), Meha Sharma (Microsoft), Rakia Segeu (Microsoft), Dawn Wang (Microsoft), Eva van Steenberge (Globalsign), Christophe Bonjean (Globalsign), Romain Delval (Certigna), Josselin Allemandou (Certigna), Xiu Lei (GDCA), Xizo Qiang (GDCA), Corey Bonnell (DigiCert), Vikas Khanna (Microsoft), An Yin (iTrus China), Vijay Kumar (eMuhdra), Pankaj Chawla (eMuhdra), Scott Rea (eMuhdra), Paul van Browershaven (Entrust), Bruce Morton (Entrust), Arno Fiedler (ETSI ESI), Dimitris Zacharopoulos (HARICA)
Ballot CSC-18: Update Revocation Requirements
May 24, 2023 by Corey Bonnell
Results of Review Period (Mailing list post is available here.)
2023-05-18 Minutes of the Code Signing Certificate Working Group
May 18, 2023 by Corey Bonnell
Attendees: Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quiñones (Intel), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert)
Minutes
- The Antitrust statement was read
- Minutes from May 4th approved
Ballot: CSC 18 – Malware base revocation (Martijn)
- In discussion period, voting period ending before meeting is over
- Dean: tracker shows quorum met
Removing SSL BR References
- Martijn: About half docs reviewed for missing definitions. Removed 2 definitions that are not used. A couple may need to be added, will need to discuss
Subject Name stability
- Email from new interested party (Mike Hearn)
- Ian: MSIX (Appx) does hash calculation of the publisher’s name value that is in the manifest and compares it to the full subject name value of signing certificate
- Was working fine when only used inside of store distribution. As it’s been rolled out broadly to allow MSI package into MSIX, they’ve run into this issue for companies that change their name or locale. New packages would validate fine but presents inability to update existing apps because it depends on Package Name alignment. This is Microsoft MSIX issue, not a broad certificate issuance problem.
- Tim: This is example of using [subject] name instead of global identifier and this has all the issues that are well known.
- Bruce: Even global identifier might change if company changes name, like with SSL and org ID
- Ian: Apple and Google offer ways to uniquely identify orgs. If Microsoft offered something similar, it would not be something that Public CAs should have to do.
- Ian will draft a response to this email
June F2F is June 6th afternoon. Dean moves to cancel call scheduled for Jun 1st. No objections
Agenda for F2F
- Time: 1:45pm to 3:45pm (nothing scheduled after this, so could keep going)
- Ian: no guest speaker for code signing workgroup. Roy Williams is going to talk about Secure Supply Chain Integrity, Trust and Transparency.
- Bruce: Spend some time reviewing time stamping changes Ian is proposing. Discuss EV Certificates. Continue discussion on Certificate Transparency
- Dean may not be able to attend in person, Bruce can facilitate
2023-05-04 Minutes of the Code Signing Certificate Working Group
May 4, 2023 by Corey Bonnell
Attendees: Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Eva Van Steenberge (GlobalSign), Ian McMillan (Microsoft), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Rollin Yu (TrustAsia), Tim Crawford (BDO), Tim Hollebeek (DigiCert)
Minutes
Antitrust statement: The Antitrust statement was read.
Approval of minutes: Minutes for 26 January 2023 & 20 April 2023 approved
Ballot: CSC 18 – Malware base revocation (Martijn)
- Sending out v2.1 soon
- Noted a few small changes
- Request from Ian
- Changed effective date to allow both using the new procedure right away or wait until the effective date (April 15, 2024)
- Tim will send around internally for review.
Ballot: Remove SSL BR References (Dimitris was not present so Bruce gave update)
- Review of the capitalized terms has started but is not complete
- Looking for two endorsers
F2F Agenda Topics Discussion
- Discussion around possible presentation from Microsoft but Ian is looking for some idea of the main topics
- Suggested there may be time to discuss signing services after the revocation and 3647 ballot but may need to wait for updates based on other ballots
- Suggested to discuss Timestamping changes
- Suggested discussing removing text allowing for keys not stored in hw
- Bruce suggested discussing high risk items, and Tim mentioned that in previous discussions post June the plan was to remove high risk language, Bruce agreed.
- Bruce suggested potentially a clean-up ballot
- Ben suggested discussion around some of the proposed changes in the CSBRs and will think about specific topics for discussion
- Some side discussion between Bruce and Ian about the future of EV certificates, potential topic for MS to present on and/or have on the agenda at the F2F
- Ian suggested discussing certificate transparency for code signing certificates, where there was discussion amongst the attendees that it was a good topic to add
- In summary: timestamping changes, high risk language, potentially some specific CSBR github discussion threads, EV/OV certificates, certificate transparency
Other business
- Discussed request for new interested party participant from Hydraulic Software, Dean will connect with Wayne to accomplish.
Next Meeting: May 18th 2023
Adjourn
2023-04-20 Minutes of the Code Signing Certificate Working Group
April 20, 2023 by Corey Bonnell
Attendees: Bruce Morton – (Entrust), Corey Bonnell – (DigiCert), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Inigo Barreira – (Sectigo), Janet Hines – (VikingCloud), Martijn Katerbarg – (Sectigo), Tim Crawford – (CPA Canada/WebTrust)
Minutes
Note Well: The Note Well was read.
Approval of Minutes: April 6th minutes are approved. January 26th minutes are pending. Bruce will take over writing these minutes.
Ballot Status
CSC-18 – In discussion period. A few additional items were mentioned which are being added:
- Request from Application Software Suppliers to not revoke a certificate when requested by them
- Effective Date. During the call it was discussed to set April 15th 2024 as the effective date, also adding language that will allow CAs to start using the new way earlier.
- A v2 ballot will be started soon
Incorporating BR references
- No changes since the last meeting. Still need to review and go over definitions
Signing Service
- No changes here. Also waiting on the other two ballots to complete first
RFC for Key Attestation
- Mike from Entrust is trying to put together an RFC around Key Attestation. Information was circulated on the public list for anyone wanting to assist