<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><b>FINAL MINUTES OF SUBJECT CALL<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Role Call<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- Adriano Santoni<o:p></o:p></p><p class=MsoNormal>- Andrea Holland<o:p></o:p></p><p class=MsoNormal>- Atsushi Inaba<o:p></o:p></p><p class=MsoNormal>- Bruce Morton<o:p></o:p></p><p class=MsoNormal>- Corey Bonnell<o:p></o:p></p><p class=MsoNormal>- Dean Coclin<o:p></o:p></p><p class=MsoNormal>- Daniela Hood<o:p></o:p></p><p class=MsoNormal>- Ian McMillan<o:p></o:p></p><p class=MsoNormal>- Inigo Barreira<o:p></o:p></p><p class=MsoNormal>- Tim Hollebeek<o:p></o:p></p><p class=MsoNormal>- Tomas Gustavsson<o:p></o:p></p><p class=MsoNormal>- Sebastian Schulz<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Anti-Trust Statement is read<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Doug Beattie joins later<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Daniela makes an Announcement on behalf of GoDaddy:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> - Starting June 1st GoDaddy will no longer Code Signing certificates<o:p></o:p></p><p class=MsoNormal> - GoDaddy will retire from the CA/B Forum Working Group<o:p></o:p></p><p class=MsoNormal> - No new certificates can be issued, no rekeying will be possible<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thomas Zermeno joins later<o:p></o:p></p><p class=MsoNormal>Dimitris Zacharopoulos joins later<o:p></o:p></p><p class=MsoNormal>Chris Kemmerer joins later<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Intel Membership<o:p></o:p></p><p class=MsoNormal> - Will NOT be joining as certificate consumer now<o:p></o:p></p><p class=MsoNormal> - Wil join as interested party only for now, on invite-only basis<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>"Clean-up" items:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- Combine ballot for "cleaning up BR" with pending ballot?<o:p></o:p></p><p class=MsoNormal> - General Agreement is tending to "NO", have a separate ballot<o:p></o:p></p><p class=MsoNormal>- Bruce Morton to hold a small a separate small meeting to identify items for clean-up ballot, with the below<o:p></o:p></p><p class=MsoNormal> - Tim<o:p></o:p></p><p class=MsoNormal> - Corey<o:p></o:p></p><p class=MsoNormal> - Ian<o:p></o:p></p><p class=MsoNormal> - Bruce<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dedicated Roots for Code Signing:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- What should be the scope of a dedicated Code Signing Root?<o:p></o:p></p><p class=MsoNormal> - Bruce: Scope being everything that's addressed by CS BRs<o:p></o:p></p><p class=MsoNormal> - Ian: From MS perspective, this seems like a favorable approach<o:p></o:p></p><p class=MsoNormal> - Bruce: Going down path of Dedicated Root for Code Signing<o:p></o:p></p><p class=MsoNormal> - Test certificates are a concern, as they are normally addressed by TLS<o:p></o:p></p><p class=MsoNormal> - Dimitris: Appendix C wasn't meant to be in CS BR. Requirement should be to create test CS certs<o:p></o:p></p><p class=MsoNormal> - Bruce: Document is inappropriately calling out SSL BRs, there weren't any issues yet<o:p></o:p></p><p class=MsoNormal> - Dimitris: CAs should be mandated to maintain an expired/revoked/valid Code Signing certificate<o:p></o:p></p><p class=MsoNormal> - No agreement from the audience on the above<o:p></o:p></p><p class=MsoNormal> - Doug: Should this also be for timestamps?<o:p></o:p></p><p class=MsoNormal> - Dimitris, Tim: Testing should be more the responsibility of the CAs<o:p></o:p></p><p class=MsoNormal> - Corey: Requirement for maintaining the test service isn't per Root<o:p></o:p></p><p class=MsoNormal> - Dimitris: Do CAs really need to maintain their own TSA?<o:p></o:p></p><p class=MsoNormal> - Ian: From MS side, that is not required<o:p></o:p></p><p class=MsoNormal> - CS BRs only require a CA to offer a TSA, not that it's used together with the certs of that CA<o:p></o:p></p><p class=MsoNormal> - In reality, TSA and Code Signing signatures are often mix & match<o:p></o:p></p><p class=MsoNormal> - Doug: Why do CAs even have to maintain test sites then?<o:p></o:p></p><p class=MsoNormal> - Bruce: CAs SHOULD maintain test sites, as Oracle requires that (Dimitris confirms that from recent experience)<o:p></o:p></p><p class=MsoNormal> - Ian: Indeed shouldn't be a MUST requirement for now<o:p></o:p></p><p class=MsoNormal> - Bruce and Dimitris to address this<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- Daniela has to leave the call<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Presentation from Tomas Gustavsson:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>"Common Criteria Re-Mystified"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- CC Profiles, FIPS certification and audit standards are often misinterpreted by customers<o:p></o:p></p><p class=MsoNormal>- Common Criteria Recognition Arrangement (CCRA)<o:p></o:p></p><p class=MsoNormal> - Menat to allow international recognition of products<o:p></o:p></p><p class=MsoNormal>- Issued certificates and security targets are available online<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- Security target: Define target of evaluation, claims performance to protection profile<o:p></o:p></p><p class=MsoNormal> - protection profile: document created by user community which identifies security devices<o:p></o:p></p><p class=MsoNormal> - Certification without protection profile is pretty much useless<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- Assurance levels (Evaluation assurance levels)<o:p></o:p></p><p class=MsoNormal> - EALS 1-6 represent "level of effort"<o:p></o:p></p><p class=MsoNormal> - non-EAL collaborative protection profile (cPP) does not specify a EAL level, but rather specifies intended usage<o:p></o:p></p><p class=MsoNormal> - EU Cyber Security Act: Basic, Substantial and High - correlating with the associated risk of using service or product<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- Different requirements of certifications in different areas<o:p></o:p></p><p class=MsoNormal> - SOG-IS in EU<o:p></o:p></p><p class=MsoNormal> - NIAP in US<o:p></o:p></p><p class=MsoNormal> - Forces vendors into multiple certifications<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- writing requirements<o:p></o:p></p><p class=MsoNormal> - strong recommendation to specify protection profile<o:p></o:p></p><p class=MsoNormal> - eIDAS, FIPS 140-2 L2 or L3<o:p></o:p></p><p class=MsoNormal> - Public procurement may refer to eIDAS, Common Criteria, FIPS<o:p></o:p></p><p class=MsoNormal> - Audits may also attempt to meet requirements<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- What's practical?<o:p></o:p></p><p class=MsoNormal> - Currently many different modules are available<o:p></o:p></p><p class=MsoNormal> - FIPS or Common Criteria seems to prevent shady/homegrown certifications<o:p></o:p></p><p class=MsoNormal> - Tim: Both FIPS and CC are very dependent on process and documentation<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- CC may be "misused": Broad/invalid requirements, vendor lock-out and lock-in, vulnerabilities in "certified versions", audit inconsistencies<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>- FIPS doesn't always clarify which tools are FIPS certified, no guarantee FIPS mode is enabled, auditor mileage may vary<o:p></o:p></p><p class=MsoNormal> - Dimitris: Better to have a certified device than "just anything"<o:p></o:p></p><p class=MsoNormal> - Relevant to Code Signing: Good randomness for the key generation and key protection<o:p></o:p></p><p class=MsoNormal> - Tim: Many standards only refer to CC or FIPS to ensure key protection<o:p></o:p></p><p class=MsoNormal> - Adriano: Requirements for certifications aren't always clear (FIPS does that best, being holistic for all components of a hardware device)<o:p></o:p></p><p class=MsoNormal> - Tim: FIPS also only covers the crypto module<o:p></o:p></p><p class=MsoNormal> - Dimitris: relevant controls are covered by evaluation of the crypto module<o:p></o:p></p><p class=MsoNormal> - Tim: Neither FIPS nor CC were meant to focus on key management evaluation<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>