[Cscwg-public] Final Minutes of CSCWG F2F meeting June 6, 2023

Dean Coclin dean.coclin at digicert.com
Fri Jul 28 16:58:51 UTC 2023 

Code Signing Certificate Working Group Meeting

 

Presentation by: Bruce Morton (Entrust)

 

Minutes:  Brianca Martin/Roberto Quinones

 

Attendance: IN THE ROOM (FROM SIGN UP SHEET) Ben Wilson (Mozilla), Dean
Coclin (DigiCert), Ian McMillan (Microsoft), Karina Sirota Goodley
(Microsoft), Tahmina Ahmad (Microsoft), Hannah Sokol (Microsoft), Nitesh
Bakliwal (Microsoft), Brianca Martin (Amazon), Trevoli Ponds-White (Amazon),
Jonathan Kozolchyk (Amazon), Blake Hess (Amazon), Aaron Poulsen (Amazon),
Michael Slaughter (Amazon), Tim Crawford (WebTrust), Inigo Barreira
(Sectigo), Yoshiro Yoneya (JPRS), Martijn Katerbard (Sectigo), Nick France
(Sectigo), Tim Callen (Sectigo), Roberto Quinones (Intel), Ben Dewberry
(Keyfactor), Sven Rajala (Keyfactor), Leo Grove (SSL.com), Stephen Davidson
(DigiCert), Jeremy Rowley (DigiCert), Scott Olsen (Microsoft), Linda
Diefendorf (Microsoft), Steve Lasker (Microsoft), Yamian Quinero
(Microsoft), Thomas Zermeno (SSL.com), Georgy Sebastian (Amazon), Meha
Sharma (Microsoft), Rakia Segeu (Microsoft), Dawn Wang (Microsoft), Eva van
Steenberge (Globalsign), Christophe Bonjean (Globalsign), Romain Delval
(Certigna), Josselin Allemandou (Certigna), Xiu Lei (GDCA), Xizo Qiang
(GDCA), Corey Bonnell (DigiCert), Vikas Khanna (Microsoft), An Yin (iTrus
China), Vijay Kumar (eMuhdra), Pankaj Chawla (eMuhdra), Scott Rea (eMuhdra),
Paul van Browershaven (Entrust), Bruce Morton (Entrust), Arno Fiedler (ETSI
ESI), Dimitris Zacharopoulos (HARICA)
NEED TO ADD ONLINE ATTENDEES

 

*	The Antitrust statement was read

*	Minutes from May 18th approved

 

*	Ballot CSC-18: Malware based revocation - Passed

*	IPR through 23 June 2023, Effective 15 April 2025

 

*	Ballot: Remove SSL BR References

*	Dimitris Zacharopoulos (HARICA) + Martijn Katerbarg working on the
references, ready to be sent out

*	Will wait until IPR for CSC-18 is complete to import

*	Will start discussion period, add comments to GitHub

*	Bruce Morton (Entrust) added as an endorser

 

*	Ballot: Signing Service

*	Plan to address after 2 items above have passed

 

*	Presentation: Microsoft's Secure Supply Chain by Kristina Yasuda and
Roy Williams

 

*	ITU-T X.509 version in CSBR (Dimitris)

*	item skipped (late for Dimitris, was not online)

 

*	Time-stamping change proposal (Ian)
*	Confirmed no change to private key reuse period of 15 months and
Timestamp certificate validity period of 135 months
*	Private key must be destroyed after 18 months, unless the Timestamp
certificate validity period was 15 months or less
*	TSA CA will be indicated as offline
*	TSA to reject SHA-1 hashed timestamp requests

*	Ian will draft up proposal to align expiration periods for TSA key
and certificate

 

*	High Risk language change proposal (Bruce/Tim/Ian)

*	remove language that has never been used, and now with keys moved
into hardware, some of the language in no longer needed

*	there was intent to also define list of countries that certs would
not be issued to, but this section was also not used.

 

*	EV certificates removal or merging EV/OV into one policy (Ian/Bruce)

*	Ian - normal OV cert works just fine , no different that EV cert. no
difference in smart screen or defender

*	Nick - Microsoft documentation states that there was a difference
between EV and OV.

*
https://learn.microsoft.com/en-gb/archive/blogs/ie/microsoft-smartscreen-ext
ended-validation-ev-code-signing-certificates
<https://url.avanan.click/v2/___https:/learn.microsoft.com/en-gb/archive/blo
gs/ie/microsoft-smartscreen-extended-validation-ev-code-signing-certificates
___.YXAzOmRpZ2ljZXJ0OmE6bzo3NzM1ZjY1OGQzNDg4YzdlOGIxNjE3YzIxZDBiYmVmZjo2OjJh
NmE6OGRhZWY0YTRhYzgzZDg3ZTU2Zjc3OTk4MjgwNWM5NWZjNmMzNWFkNTJlZDJkZTI3NGVkNTQz
MWMwMDVjOWM4MTpoOkY> 

*	can we move OV to EV

 

*	Other Items?

*	Microsoft has been working on detection of malicious use of code
signing certificates.

*	Some CA's may have already received a call as a result of this
analysis

 

*	Next meeting - 15 June or cancel?

*	next scheduled meeting is for Jun 15th but updates may not be ready

*	confirm with Dimitris if OK to review on 15th or push to Jun 29th

 

*	Meeting adjourned @ 15:43

 

 

 

 

Dean Coclin 

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20230728/8f704e25/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: F2F 59 - CSWG 202306.pdf
Type: application/pdf
Size: 194824 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20230728/8f704e25/attachment-0001.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5197 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20230728/8f704e25/attachment-0001.p7s>

More information about the Cscwg-public mailing list