<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:293564930;
mso-list-template-ids:875987844;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:359362017;
mso-list-template-ids:1025912572;}
@list l2
{mso-list-id:541065680;
mso-list-type:hybrid;
mso-list-template-ids:1328560494 67698689 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:1.75in;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:3.25in;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:4.75in;
text-indent:-9.0pt;}
@list l3
{mso-list-id:919480452;
mso-list-template-ids:167300116;}
@list l3:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:1347056202;
mso-list-type:hybrid;
mso-list-template-ids:620805700 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l4:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l4:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l4:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Here are the final minutes of the subject call:<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in;text-indent:-.25in'><o:p> </o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>Attendees: Dean Coclin, Bruce Morton, Atsushi Inaba, Corey Bonnell, Daniella Hood, Ian McMillan, Jeff Ward, Karthik Ramasamy, Karina Sirota, Sebastian Schulz, Tim Crawford, Tomas Gustavsson<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>Minute takers: Minutes takers were assigned to future meetings. Note that Atsushi will not have to take minutes as he is working in the middle of the night. Minute takers through May 2021 are:<o:p></o:p></li></ol><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:.25in;mso-list:l2 level1 lfo6'>Feb 11: Bruce<o:p></o:p></li><li class=MsoListParagraph style='margin-left:.25in;mso-list:l2 level1 lfo6'>Feb 25: Daniela<o:p></o:p></li><li class=MsoListParagraph style='margin-left:.25in;mso-list:l2 level1 lfo6'>March 11: Corey<o:p></o:p></li><li class=MsoListParagraph style='margin-left:.25in;mso-list:l2 level1 lfo6'>March 25: Ian<o:p></o:p></li><li class=MsoListParagraph style='margin-left:.25in;mso-list:l2 level1 lfo6'>April 8: Karthik<o:p></o:p></li><li class=MsoListParagraph style='margin-left:.25in;mso-list:l2 level1 lfo6'>April 22: Sebastian<o:p></o:p></li><li class=MsoListParagraph style='margin-left:.25in;mso-list:l2 level1 lfo6'>May 6: Tim C<o:p></o:p></li><li class=MsoListParagraph style='margin-left:.25in;mso-list:l2 level1 lfo6'>May 20: Tomas<o:p></o:p></li></ul><ol style='margin-top:0in' start=3 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>AntiTrust statement was read by Dean<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>Minutes from prior call: Although it was suggested that the minutes from 28 January 2021 did not have enough detail, the meeting was not recorded so there are issues with updating the minutes. The minutes for 28 January 2021 meeting were approved and will be sent to public list.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>Ballot Status: CSCWG-7 has been approved and is now in IPR review until 5 March 2021. <o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>Pandoc versions: It was suggested that the document should first be migrated to RFC 3647 format, then moved into the new pandoc version software. The Infrastructure group will help us with this formatting.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>OCSP in timestamping certs: From Dimitris email, where it was asked “I would like to ask for Members to consider requiring either CRL or OCSP information to be required in end-entity certificates used for Time-stamping. The rationale is that Time-stamping Certificates are very few compared to other end-entity certificates and CRLs should be considered sufficient because their size is not significant.” Corey had stated that Microsoft requirements state that CRL and OCSP is required for end entity certificates. Dimitris had thought that TSA certificates were CA certificates, so the OCSP requirement did not apply. Ian needs to sync with Microsoft internal personnel before saying if we can have an exception for TSA certificates. There were follow on discussion about TSA certificate validity period which is allowed to be 135 months, which allows a signature to be verified for a long time. Note that the key must be updated every 15 months which helps protect compromise. There was other discussion that TSA is open to the Internet with no access control or authentication to use, which allows anyone in the world to get one or many time-stamps. It was decided that protection of the TSA to have proper time is paramount. Ian wants to know whether to remove OCSP requirement or reduce the TSA certificate validity period. Ian will get back to discuss time-stamp certificate requirements which will also address the OCSP question.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>Subscriber Key Protection: Ian took feedback and revamped to state “FIPS-140 Level 2 or CC EAL 4+ based on CEN PP EN 418 221-5.” Tomas stated that the common criteria is very confusing, so the reference is confusing. Need to make sure that we say the a crypto module needs to EAL 4+. Tomas is volunteering for he and maybe some other to discuss this topic on a future meeting. There is also issue for how to validate that the subscriber is using a crypto module. Ian added “and with compliance being confirmed by means of an audit on the attestation records received by the CA from the Subscriber to accepting the terms of the subscriber agreement.” It was suggested that the subscriber should respond to accept the terms and provide the make/model of the HSM. There could be 3 options: 1) subscriber accept the terms, 2) subscriber provide evidence, or 3) third party provide evidence. The subscriber could provide make/model or use a public-cloud which meets requirements. How do we confirm that the public-cloud meets the requirements? Public-cloud states what they meet, so you need to make sure they use the right service. Are there issues with unknown public-cloud? Ian is confident that the public-cloud disclosure is correct. There will be reuse requirements as customers will want to issue many certificates on one HSM. Have not found an answer for an independent confirmation from a manufacturer or service. <o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>High Risk Requests: Ian talked to Reversing Labs. They have been active in researching code signing and CA abuse. They are interested to share their information and possibly make a community platform to share data. Group is in favor of having Reversing Labs present at the 25 February meeting. Ian also stated that in CSBR 11.5, we should remove High Risk Region of Concern and call a high risk applicant 1) a victim of a take-over attack or 2) identity rejected for some reason, such as failed validation. How can we allow a company to categorize themselves as high risk, then something else has to be done? This would require a central or common data store. This is already a problem as the current high risk will only be for one CA and not all.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>Status of suitable tokens to meet June reqts: We do not have a list of tokens that support 3072/4096 RSA and are certified. Is SafeNet 5110CC certified? There is a CC portal to confirm compliance; however, sometimes there are issues with the name. Agreed to use the list to communicate.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l4 level1 lfo3'>Next Meeting Feb 25<sup>th</sup> , Daniela will be the note taker<o:p></o:p></li></ol><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce Morton<o:p></o:p></p><p class=MsoNormal>CSWG Vice Chair<o:p></o:p></p></div></body></html>