[Cscwg-public] Final CSCWG Minutes September 21, 2023

Dean Coclin dean.coclin at digicert.com
Thu Oct 5 22:13:10 UTC 2023


Final minutes from 21 September 2023.

1.	Roll Call - Bruce Morton - Entrust, Tim Crawford, Rollin Yu -
TrustAsia, Atsushi INABA - GlobalSign, Scott Rea - eMudhra, Mohit Kumar -
GlobalSign, Martijn Katerbarg - Sectigo, Inigo Barreira, Ian McMillan -
Microsoft, Andrea Holland - VikingCloud, Corey Bonnell - DigiCert,
Brianca Martin - Amazon
2.	Note well was read
3.	Approve prior meeting minutes - Sept 7 - not approved as the minutes
were only provided for review on 21 September
4.	F2F Agenda, suggested items

a.	Private Keys in hardware feedback - There was generally no input as
to whether this should be on the agenda. Ian stated it would be good to
bring it up, but Bruce was not confident that there would be any feedback
from the members, so would push to last on the agenda.
b.	Ballot: Remove EV Guideline references (Dimitris) - Dimitris was not
on the call to discuss. The goal will be to remove all EV Guidelines
references, make adjustments where new text is not applicable to EV; then
step 2 would be to adjust clauses to possibly make issuance of EV
certificates easier. Note that it is impossible to issue an EV to an
individual. It does not address consumer certificates. The client software
does not make a distinction between non-EV and EV for code signing. Do we
need all the clauses to authenticate certificate issuance? Should we make
any changes, since the functionality of non-EV and EV is the same? For
individuals we do require F2F for issuance of a code signing certificate. Do
we need both non-EV and EV and if we do, what differences should they have?
Also an issue with the due diligence validation where a person can approve
vs. a machine. Do we need due diligence specified? Can we create a system
for more consistent due diligence review? The goal was to require 2 people
to get an EV certificate issued.
c.	Ballot: Charter update (Martijn) - Martijn agreed we could discuss
at the F2F.
d.	Ballot: High Risk (Bruce/Ian) - Agreed to discuss at the F2F. Ian
wants to ensure internally that we are not removing high risk as some items
are still discussed in section 4.2.1 and 4.2.2. Should we consider changing
a high risk certificate application as to when a subscriber which has been
subject to a takeover attack requests a certificate?
e.	Individual and Organization verification mechanisms as discussed
below.
f.	Review open Github items.

5.	Ballot Status

a.	Signing Service - Reviewed on last call. Tim has reviewed since and
will endorse. Ian is reviewing, then hopefully will endorse.
b.	High Risk - Text has been drafted and Ian is reviewing. 
c.	Charter Update - Martijn working on change.
d.	Time-stamp - Delay until other ballots are done.

6.	Other business - An email received from Tim McGrath from Microsoft.
Ian knows the people that provided the email and will address. The question
was about point-in-time for the address; but this is the type of data based
on the CA review. Note there is no unique information included for an
individual. An email address would be easy and unique for an individual and
maybe we could drop location data. Could an individual specify a specific
project for the signing? The issue would be validating it. It would be good
if a CA could add information to distinguish an individual, so they would be
added to a blocklist if they intentionally sign suspect code. What can we do
to help protect relying parties? Perhaps we can brainstorm at the F2F about
Individual and OV verification mechanisms. For organizations, can we choose
an existing model which is already defined in the CAB Forum? Would not like
to create another model.
7.	Next meeting - F2F Oct 5
8.	Adjourn
