CA/Browser Forum posts
Posts by tag Code Signing
2023-04-06 Minutes of the Code Signing Certificate Working Group
April 6, 2023 by Corey BonnellAttendeesAtsushi Inaba (Globalsign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Janet Hines (Viking Cloud), Martijn Karterbarg (Sectigo), Mohit Kumar (Globalsign), Tim Crawford (BDO), Tomas Gustavson (Keyfactor) MinutesMinute taker: Dean Coclin The Anti-Trust summary was read Three sets of prior meeting minutes were approved: F2F, March 9 and March 23. Malware based revocation: Martijn stated that this was ready for ballot. The PR on github has been created. CSCWG 18 is the ballot number. Martijn will send out a summary and proposed ballot. Signing Service Update: Bruce was unable to attend, hence this topic was tabled until the next call Removing SSL BR references: Dimitris reviewed some of the changes to the BRs. Martijn agreed to help divide the upcoming work. Various sections were reviewed and updated in the document which Dimitris is maintaining on Git. All the modifications can be found on the Git repository. We expect to consider the import of the BRs at the next meeting. Following this, we will work on the references to the EV guidelines. Next meeting on April 20th.
April 6, 2023 by Corey BonnellAttendeesAtsushi Inaba (Globalsign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Janet Hines (Viking Cloud), Martijn Karterbarg (Sectigo), Mohit Kumar (Globalsign), Tim Crawford (BDO), Tomas Gustavson (Keyfactor) MinutesMinute taker: Dean Coclin The Anti-Trust summary was read Three sets of prior meeting minutes were approved: F2F, March 9 and March 23. Malware based revocation: Martijn stated that this was ready for ballot. The PR on github has been created. CSCWG 18 is the ballot number. Martijn will send out a summary and proposed ballot. Signing Service Update: Bruce was unable to attend, hence this topic was tabled until the next call Removing SSL BR references: Dimitris reviewed some of the changes to the BRs. Martijn agreed to help divide the upcoming work. Various sections were reviewed and updated in the document which Dimitris is maintaining on Git. All the modifications can be found on the Git repository. We expect to consider the import of the BRs at the next meeting. Following this, we will work on the references to the EV guidelines. Next meeting on April 20th.
2023-03-23 Minutes of the Code Signing Certificate Working Group
March 23, 2023 by Corey BonnellAttendeesAtsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert) MinutesAdministration Attendance and requests a minute taker Reads antitrust statement Waiting on minutes for two meeting prior to face to face Face to face minutes will be approved at next meeting Malware Based Revocation Ballot Ballot summary Taking approach BRs and SBRs are taking on revocation Removing CS specific suspect code reference Discuss 5 day revocation window, consider a 5 day and/or 7 day Bruce noted good to sync with the SSL BRs at 24 hours and 5 days, but ok with suspect code at 5 days and 7 days Discussion if we should have requirements defining a misused certificate compared to private key misuse Additional discussion of misused keys, compared to compromised keys, and signed code that is suspect Action point to consider defining misuse Discussion on proper time limit for known compromise and signing malware Discussion of the difference in timing requirements between key compromise and singing suspect code and back dating revocation Discussed the consideration that signing suspect code should be treated as a potential compromise of key and/or the subscriber does not have practices in place to detect suspect code Discussion of asking Microsoft as the main certificate consumer to weigh in on complicated use cases. This is a practice now and not an overly common practice, this would take place after revocation and there is an open period to back date revocation Mentioned the RFC does not allow back dating, but it is an important tool for code signing Need to cover the loophole for certificate problem reports for expired or revoked certificates Potential wording is being drafted and will be included in GitHub and distributed Other topics It was determined singing service did not have much to discuss at this time and we should focus on the revocation topic A couple of points on removing the SSL BR reference were mentioned and would be discussed on future calls
March 23, 2023 by Corey BonnellAttendeesAtsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert) MinutesAdministration Attendance and requests a minute taker Reads antitrust statement Waiting on minutes for two meeting prior to face to face Face to face minutes will be approved at next meeting Malware Based Revocation Ballot Ballot summary Taking approach BRs and SBRs are taking on revocation Removing CS specific suspect code reference Discuss 5 day revocation window, consider a 5 day and/or 7 day Bruce noted good to sync with the SSL BRs at 24 hours and 5 days, but ok with suspect code at 5 days and 7 days Discussion if we should have requirements defining a misused certificate compared to private key misuse Additional discussion of misused keys, compared to compromised keys, and signed code that is suspect Action point to consider defining misuse Discussion on proper time limit for known compromise and signing malware Discussion of the difference in timing requirements between key compromise and singing suspect code and back dating revocation Discussed the consideration that signing suspect code should be treated as a potential compromise of key and/or the subscriber does not have practices in place to detect suspect code Discussion of asking Microsoft as the main certificate consumer to weigh in on complicated use cases. This is a practice now and not an overly common practice, this would take place after revocation and there is an open period to back date revocation Mentioned the RFC does not allow back dating, but it is an important tool for code signing Need to cover the loophole for certificate problem reports for expired or revoked certificates Potential wording is being drafted and will be included in GitHub and distributed Other topics It was determined singing service did not have much to discuss at this time and we should focus on the revocation topic A couple of points on removing the SSL BR reference were mentioned and would be discussed on future calls
2023-03-09 Minutes of the Code Signing Certificate Working Group
March 9, 2023 by Corey BonnellAttendeesAndrea Holland (SecureTrust), Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barriera (Sectigo), Janet Hines (VikingCloud), Rollin Yu (TrustAsia), Tim Hollebeek (DigiCert), Tomas Gustavsson (Keyfactor) Minutes Assign Minute taker (start recording) Brianca is taking minutes Antitrust Statement Dean reminded all participants that they must comply with the CA/Browser Forum anti-trust policy, code of conduct, and intellectual property rights agreement. Please contact the chair with any comments or concerns about these policies. Meeting Minutes February 9th meeting minutes pending receipt from Trevoli Ponds (Amazon). Martijn took minutes at the F2F Meeting on February 28th. Agenda – Items discussed in the F2F meeting a. Ian provided an overview from Microsoft’s perspective. Subscribers (buy certs, sign code) and consumers (consume the code/application that is signed/application).
March 9, 2023 by Corey BonnellAttendeesAndrea Holland (SecureTrust), Atsushi Inaba (GlobalSign), Brianca Martin (Amazon), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barriera (Sectigo), Janet Hines (VikingCloud), Rollin Yu (TrustAsia), Tim Hollebeek (DigiCert), Tomas Gustavsson (Keyfactor) Minutes Assign Minute taker (start recording) Brianca is taking minutes Antitrust Statement Dean reminded all participants that they must comply with the CA/Browser Forum anti-trust policy, code of conduct, and intellectual property rights agreement. Please contact the chair with any comments or concerns about these policies. Meeting Minutes February 9th meeting minutes pending receipt from Trevoli Ponds (Amazon). Martijn took minutes at the F2F Meeting on February 28th. Agenda – Items discussed in the F2F meeting a. Ian provided an overview from Microsoft’s perspective. Subscribers (buy certs, sign code) and consumers (consume the code/application that is signed/application).
2023-02-09 Minutes of the Code Signing Certificate Working Group
February 9, 2023 by Corey BonnellAttendeesAndrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quinones (Intel), Rollin Yu (TrustAsia), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert) Minutes Antitrust statement read Approval of minutes: Jan 26th minutes have not been sent out Ballot: Malware base revocation (Martijn) Received some pushback on the mailing list. Discussion from Martijn K., Bruce M., Ian M., and Tim H. around revamping the entire revocation section. Agreed to pull revocation sections from the TLS and SMIME BRs and removing unnecessary items and added necessary sections like backdating and revocation investigations. Ballot: Signing Service Update (Bruce) Previous action item was to change the definition of Signing Service to align what a signing service does and its models. Proposed definition- **Subscriber Key Protection Service**: An organization that generates the Key Pair and securely generates and manages the Private Key associated with a Subscriber’s Code Signing Certificate. Discussion from Bruce M., Tim H., Ian M., Inigo B., and Martijn K. on the requirements for signing service: who generates, who activates, who stores, how it is stored and how is it managed. Discussion around adjusting the name from Signing Service to Subscriber Key Protection Service as the focus of the Signing Service is on protection not the artifact being signed. Next step is to close out the comments, push through the new definition, get a second proposal, and effective date. Ballot: Remove SSL BR References – tabled discussion Other business – F2F prep Top 3 Goals are being worked on
February 9, 2023 by Corey BonnellAttendeesAndrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quinones (Intel), Rollin Yu (TrustAsia), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert) Minutes Antitrust statement read Approval of minutes: Jan 26th minutes have not been sent out Ballot: Malware base revocation (Martijn) Received some pushback on the mailing list. Discussion from Martijn K., Bruce M., Ian M., and Tim H. around revamping the entire revocation section. Agreed to pull revocation sections from the TLS and SMIME BRs and removing unnecessary items and added necessary sections like backdating and revocation investigations. Ballot: Signing Service Update (Bruce) Previous action item was to change the definition of Signing Service to align what a signing service does and its models. Proposed definition- **Subscriber Key Protection Service**: An organization that generates the Key Pair and securely generates and manages the Private Key associated with a Subscriber’s Code Signing Certificate. Discussion from Bruce M., Tim H., Ian M., Inigo B., and Martijn K. on the requirements for signing service: who generates, who activates, who stores, how it is stored and how is it managed. Discussion around adjusting the name from Signing Service to Subscriber Key Protection Service as the focus of the Signing Service is on protection not the artifact being signed. Next step is to close out the comments, push through the new definition, get a second proposal, and effective date. Ballot: Remove SSL BR References – tabled discussion Other business – F2F prep Top 3 Goals are being worked on
2023-01-26 Minutes of the Code Signing Certificate Working Group
January 26, 2023 by Corey BonnellAttendeesAndrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert), Trevoli (Amazon Trust Services) Minutes Antitrust statement read Approval of minutes: Minutes for 12 January 2023 approved Ballot: Malware base revocation (Martijn) Some discussion and need to get feedback into Github before the end of the week. Bruce stated he would endorse after review. Ian is the other endorser. Ballot: Signing Service Update (Bruce) Bruce is having difficulty with Github to move the ballot forward. Martijn volunteered to help out. Ben asked for the procedure to give feedback, which can be done in Github or the mailing list Tim H would like to see the mailing list used more often Dean will check status of Ben in the mailing list Ben started a discussion about multi-factor for Signing Service. We need to come up with a way to discuss how this can be done. Ian indicated that the proposed change allows for secure server-to-server communication, but does not provide details Ballot: Remove SSL BR References (Dimitris) Dimitris stated work has been done and has been reviewed with Martijn, now need to review with the group Dean suggested we add to the F2F meeting, but we decided to review in the meeting Dimitris added “Editor” notes for review Dimitris has imported text from SSL BRs where no text is in the CSBRs Inigo is concerned about conflicts between BRs, but Tim H advised that concerned CAs work in multiple working groups Bruce suggested that it would be good if we had the “BR of BRs” to cover common items There was discussion about updates to definitions and references Decided not to import 4.2.1 from SSL BRs There was a discussion about importing SubCA revocation and misalignment of paragraphs. It was suggested this could be fixed with the revocation ballot or another future ballot. Decided to add in OCSP “3600 seconds” change with an effective date For Suspension, decided to add “No stipulation” and address in a future ballot. Other business F2F we have 1.5 hours scheduled Try to make a plan for the year at F2F Next Meeting – 9 February 2023 Adjourn
January 26, 2023 by Corey BonnellAttendeesAndrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Janet Hines (VikingCloud), Martijn Katerbarg (Sectigo), Roberto Quinones (Intel), Tim Hollebeek (DigiCert), Trevoli (Amazon Trust Services) Minutes Antitrust statement read Approval of minutes: Minutes for 12 January 2023 approved Ballot: Malware base revocation (Martijn) Some discussion and need to get feedback into Github before the end of the week. Bruce stated he would endorse after review. Ian is the other endorser. Ballot: Signing Service Update (Bruce) Bruce is having difficulty with Github to move the ballot forward. Martijn volunteered to help out. Ben asked for the procedure to give feedback, which can be done in Github or the mailing list Tim H would like to see the mailing list used more often Dean will check status of Ben in the mailing list Ben started a discussion about multi-factor for Signing Service. We need to come up with a way to discuss how this can be done. Ian indicated that the proposed change allows for secure server-to-server communication, but does not provide details Ballot: Remove SSL BR References (Dimitris) Dimitris stated work has been done and has been reviewed with Martijn, now need to review with the group Dean suggested we add to the F2F meeting, but we decided to review in the meeting Dimitris added “Editor” notes for review Dimitris has imported text from SSL BRs where no text is in the CSBRs Inigo is concerned about conflicts between BRs, but Tim H advised that concerned CAs work in multiple working groups Bruce suggested that it would be good if we had the “BR of BRs” to cover common items There was discussion about updates to definitions and references Decided not to import 4.2.1 from SSL BRs There was a discussion about importing SubCA revocation and misalignment of paragraphs. It was suggested this could be fixed with the revocation ballot or another future ballot. Decided to add in OCSP “3600 seconds” change with an effective date For Suspension, decided to add “No stipulation” and address in a future ballot. Other business F2F we have 1.5 hours scheduled Try to make a plan for the year at F2F Next Meeting – 9 February 2023 Adjourn
2023-01-12 Minutes of the Code Signing Certificate Working Group
January 12, 2023 by Corey BonnellAttendees Atsushi Inaba, Ben Dewberry, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Inigo Barreira, Janet Hines, Martijn Katerbarg, Michael Sykes, Mohit Kumar, Rollin Yu, Tim Crawford
January 12, 2023 by Corey BonnellAttendees Atsushi Inaba, Ben Dewberry, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Inigo Barreira, Janet Hines, Martijn Katerbarg, Michael Sykes, Mohit Kumar, Rollin Yu, Tim Crawford
2022-12-15 Minutes of the Code Signing Certificate Working Group
December 15, 2022 by Corey BonnellAttendees Andrea Holland, Brianca Martin, Bruce Morton, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Inigo Barreira, Michael Sykes Mohit Kumar, Rollin Yu, Tim Crawford, Trevoli Ponds-White
December 15, 2022 by Corey BonnellAttendees Andrea Holland, Brianca Martin, Bruce Morton, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Inigo Barreira, Michael Sykes Mohit Kumar, Rollin Yu, Tim Crawford, Trevoli Ponds-White
2022-12-01 Minutes of the Code Signing Certificate Working Group
December 1, 2022 by Corey BonnellAttendees Andrea Holland – (SecureTrust), Bruce Morton – (Entrust), Corey Bonnell – (DigiCert), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Janet Hines – (SecureTrust), Martijn Katerbarg – (Sectigo), Roberto Quionones – (Intel), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Tomas Gustavsson – (PrimeKey), Trevoli Ponds-White – (Amazon)
December 1, 2022 by Corey BonnellAttendees Andrea Holland – (SecureTrust), Bruce Morton – (Entrust), Corey Bonnell – (DigiCert), Dean Coclin – (DigiCert), Dimitris Zacharopoulos – (HARICA), Ian McMillan – (Microsoft), Inaba Atsushi – (GlobalSign), Janet Hines – (SecureTrust), Martijn Katerbarg – (Sectigo), Roberto Quionones – (Intel), Tim Crawford – (CPA Canada/WebTrust), Tim Hollebeek – (DigiCert), Tomas Gustavsson – (PrimeKey), Trevoli Ponds-White – (Amazon)
2022-11-17 Minutes of the Code Signing Certificate Working Group
November 17, 2022 by Corey BonnellAttendees Atsushi Inaba (GobalSign), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Joanna Fox (Trustcor), Martijn Katerberg (Sectigo), Roberto Quinones (Intel), Tim Crawford (BDO), Tomas Gustavsson, Trevoli Ponds-White (Amazon Trust Services)
November 17, 2022 by Corey BonnellAttendees Atsushi Inaba (GobalSign), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Joanna Fox (Trustcor), Martijn Katerberg (Sectigo), Roberto Quinones (Intel), Tim Crawford (BDO), Tomas Gustavsson, Trevoli Ponds-White (Amazon Trust Services)
2022-11-03 Minutes of the Code Signing Certificate Working Group
November 3, 2022 by Corey BonnellAttendees Andrea Holland, Atsushi Inaba, Bruce Morton, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Ian McMillan, Inigo Barreira, Mohit Kumar, Tim Crawford, Tim Hollebeek, Tomas Gustavsson
November 3, 2022 by Corey BonnellAttendees Andrea Holland, Atsushi Inaba, Bruce Morton, Corey Bonnell, Dean Coclin, Dimitris Zacharopoulos, Ian McMillan, Inigo Barreira, Mohit Kumar, Tim Crawford, Tim Hollebeek, Tomas Gustavsson