[Cscwg-public] Final minutes for 2023-12-14 CSCWG meeting
Dean Coclin
dean.coclin at digicert.com
Thu Jan 11 20:02:39 UTC 2024
Final minutes for 2023-12-14 CSCWG meeting
Attendees:
Andrea Holland (VikingCloud), Bruce Morton (Entrust), Corey Bonnell
(DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi
(GlobalSign), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit
Kumar (GlobalSign), Richard Kisley (IBM), Roberto Quionones (Intel), Rollin
Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Tim
Hollebeek (DigiCert)
Bruce read the note well.
Minutes of the November 30th meeting were not approved as they were just
sent out.
- Signing Service Ballot
Bruce mentioned that Ian wanted to reduce the audit requirements for non-CA
signing services. One idea is to use CCM criteria. One challenge is a lack
of familiarity with the CCM framework as well as how to map the criteria with
the specific requirements for HSMs.
Tim Crawford mentioned that the netsec-wg wants to use the STAR Alliance
requirements but is currently working through licensing issues.
Bruce has a proposal to move the ballot forward. He would like to retain
the current requirements for audit and address lesser audits in a future
ballot. Tim agreed that this is a good approach, as defining audit
requirements for non-CA Signing Services will be much more complex. Ian
also agreed with this approach.
Bruce proposed that he will bring the Signing Services ballot forward for
formal discussion and voting early next calendar year. There was agreement
on this approach.
- High Risk Ballot
Bruce said the text is complete and there are two endorsers. Bruce asked
if there's any objection to running two ballots concurrently. Martijn,
Tim, and Ian agreed that's fine as long as there's no overlap.
Corey raised a concern about potential complexity with immutable links if
multiple ballots are in flight. He will investigate if this is an actual
issue.
- Charter Update
Martijn said the ballot is ready but didn't want to kick off the voting
period during the holidays. He will look to start voting in early
January.
- Any other business
The December 28th meeting is cancelled. The next meeting will be
January 11th.
Richard from IBM suggested that HSMs for code signing be certified
under PCI-HSM in addition to CC and FIPS. Tim said in theory that
should be fine but need to investigate further.
Meeting adjourned.