<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Final Minutes for April 22nd CSCWG meeting<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Attendees:<o:p></o:p></p><p class=MsoNormal>- Adriano Santoni<o:p></o:p></p><p class=MsoNormal>- Andrea Holland<o:p></o:p></p><p class=MsoNormal>- Atsushi Inaba<o:p></o:p></p><p class=MsoNormal>- Bruce Morton<o:p></o:p></p><p class=MsoNormal>- Corey Bonnell<o:p></o:p></p><p class=MsoNormal>- Dimitris Zacharopoulos<o:p></o:p></p><p class=MsoNormal>- Ian McMillan<o:p></o:p></p><p class=MsoNormal>- Inigo Barreira<o:p></o:p></p><p class=MsoNormal>- Janet Hines<o:p></o:p></p><p class=MsoNormal>- Mike Reilly<o:p></o:p></p><p class=MsoNormal>- Roberto<o:p></o:p></p><p class=MsoNormal>- Tim Crawford<o:p></o:p></p><p class=MsoNormal>- Tim Hollebeek<o:p></o:p></p><p class=MsoNormal>- Tomas Gustavsson<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Minute-taker: Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Antitrust statement was read by Bruce.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Corrected minutes for April 15th meeting were approved.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce: D-Trust notified us is retiring from CSCWG. No longer issuing code signing certificates under our group's scope. Bruce asked if there's anything to do to remove them.<o:p></o:p></p><p class=MsoNormal>Tim: I believe there's nothing we need to do.<o:p></o:p></p><p class=MsoNormal>Dimitris: If this is the only group they're participating in, then we remove from the website.<o:p></o:p></p><p class=MsoNormal>Tim: Recommend forwarding notification to the group so there's an official record.<o:p></o:p></p><p class=MsoNormal>Bruce: I'll ask them to send an email to the group.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce: Next up on the agenda is Timestamping OID. What action do we need to take?<o:p></o:p></p><p class=MsoNormal>Dimitris: Ben sent a reply to the list on next steps two days ago. No discussion on that yet.<o:p></o:p></p><p class=MsoNormal>Bruce: My thinking is that our charter calls out the old EVCSBRs. Timestamping is addressed there. From a higher up level, we have browsers that want us to specify the end-entity certificate profile for Timestamping in our document. We're not creating anything new; the document already addresses Timestamping.<o:p></o:p></p><p class=MsoNormal>Dimitris: I recommend that approach and going forward with the update.<o:p></o:p></p><p class=MsoNormal>Bruce: Someone needs to go to the arc and add the OID.<o:p></o:p></p><p class=MsoNormal>Dimitris: Let's add to the document first in the CSBRs and not wait for a website update to add the OID.<o:p></o:p></p><p class=MsoNormal>Tim: That's what we did the last time an OID was allocated. There's no formal process for adding OIDs; right now, they get created by virtue of adding them to documents and voting on the ballot.<o:p></o:p></p><p class=MsoNormal>Bruce: Let's reply to Ben's email with our plan to add the OID so it's on public record and we can address any pushback.<o:p></o:p></p><p class=MsoNormal>Tim: I've always viewed Timestamping for the purposes of Code Signing as under the CSCWG scope. If someone wants to disagree, they need to point to specific language in the charter.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce: Next item is Common Criteria. Adriano sent out an email about this. Do we want to discuss now?<o:p></o:p></p><p class=MsoNormal>Adriano: I tried to explain how one can make the argument about the security objectives. I received feedback from Dimitris that it's complex. I provided an example of a product that is not acceptable, but others may make a different determination.<o:p></o:p></p><p class=MsoNormal>Dimitris: I agree that we should specify the Common Criteria report further, but we need to provide guidance to CAs and auditors to know where to look by either providing examples or pointers to the lists produced by the European Commission.<o:p></o:p></p><p class=MsoNormal>Adriano: I don't like the idea of a specific list of products.<o:p></o:p></p><p class=MsoNormal>Dimitris: We're not going to create that list; we're just going to point to a list that others have created. It's no different than pointing to NIST certifications.<o:p></o:p></p><p class=MsoNormal>Adriano: The CC Portal lists hundreds of devices and it is likely difficult for the average person to determine whether the listed certificates provide the assurance of the security functions that we need.<o:p></o:p></p><p class=MsoNormal>Dimitris: The European Commission website with the list of QCSDs and QSDs are suitable for EV Code Signing. Inigo agreed as well. My concern is that without any guidance, CAs will be in a difficult situation to find these functions.<o:p></o:p></p><p class=MsoNormal>Bruce: It sounds like one method will take care of 90% of the use cases. If the device is not on the QCSD and QSD lists, then it's difficult to find the right information.<o:p></o:p></p><p class=MsoNormal>Dimitris: The difficult part will be to define the required security functions in the CSBRs so that CAs can use the other lists.<o:p></o:p></p><p class=MsoNormal>Bruce: What's our next steps?<o:p></o:p></p><p class=MsoNormal>Dimitris: I can work with Adriano on language. I don't think this is a cleanup ballot item.<o:p></o:p></p><p class=MsoNormal>Bruce: Would be best to include in Ian's key protection ballot.<o:p></o:p></p><p class=MsoNormal>Tim: Having a list of known good things would really help out auditors and CAs. If your device isn't on the list, then it's up to you to prove it's compliant.<o:p></o:p></p><p class=MsoNormal>Bruce: It would be best to have the vendor show how they're compliant. Otherwise it sounds like "any other method" validation.<o:p></o:p></p><p class=MsoNormal>Tim: Part of the problem is that we don't even have language on what you should be evaluating. Almost everyone punts on this because it's very hard to do.<o:p></o:p></p><p class=MsoNormal>Dimitris: I'll take an action item to work with Adriano to develop language. We agree that a list of approved devices would be very helpful and vendors will need to prove how they meet the requirements.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce: Next item is key protection ballot.<o:p></o:p></p><p class=MsoNormal>Ian: I will wait until after the cleanup ballot to bring this one and I think we need to incorporate what Adriano and Dimitris just discussed about lists of approved devices.<o:p></o:p></p><p class=MsoNormal>Bruce: I think we need more discussion on this. First part is the requirements, and the second part is how you meet the requirements. I think that's the longer part of the discussion.<o:p></o:p></p><p class=MsoNormal>Tim: What is comes down to is that the device needed to be audited for hardware key protection. If it wasn't audited for hardware key protection, then it's unsuitable for our needs.<o:p></o:p></p><p class=MsoNormal>Ian: For cloud key protection, they have logs for key generation; these logs will show the protection level of the key. This can be provided to the CA. I reached out to AWS and GCP to see if we can develop a standard key attestation. But for now, there are logs.<o:p></o:p></p><p class=MsoNormal>Tim: Did these cloud providers say whether these logs can be provided to others directly?<o:p></o:p></p><p class=MsoNormal>Ian: Just to the Applicant.<o:p></o:p></p><p class=MsoNormal>Tim: Are we worried about the Applicant tampering with the log?<o:p></o:p></p><p class=MsoNormal>Ian: I agree that's a concern but unfortunately there's nothing better now.<o:p></o:p></p><p class=MsoNormal>Tim: If it's a stop-gap until better solutions are available, then this would be good.<o:p></o:p></p><p class=MsoNormal>Ian: Various cloud providers are starting to provide attestation services. The problem is what scenarios they're supporting.<o:p></o:p></p><p class=MsoNormal>Dimitris: I think it depends on level of assurance. Today we have the Subscriber Agreement, which is a pinky-swear. But some CAs don't accept just that; some CAs require witnessing a "mini" key ceremony.<o:p></o:p></p><p class=MsoNormal>Tim: We discussed internally that we'd be willing to witness the generation on Zoom, for example.<o:p></o:p></p><p class=MsoNormal>Dimitris: That makes sense, because it's better than nothing. It's more painful because your engineers need to witness, but some CAs do require this.<o:p></o:p></p><p class=MsoNormal>Tim: Coordinating these types of meetings is something that CAs do every day.<o:p></o:p></p><p class=MsoNormal>Ian: We'd be happy if MUST provide log and SHOULD witness the "ceremony".<o:p></o:p></p><p class=MsoNormal>Bruce: We need to come up with a list of way of verifying the various storage methods. May not need to add the list directly in the CSBRs, but make it available to CAs and auditors.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce: Next agenda item is the cleanup ballot. We'll take another week or two to refine and then circulate to the group for discussion.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce: Any other business?<o:p></o:p></p><p class=MsoNormal>Ian: One thing that came up with the cleanup ballot is the BR version. Right now we reference BR v1.6.9. We discussed bumping that up to a newer version. Especially, v1.7.3, which has SC28, which deals with log retention requirements. If we can incorporate that, that will save CAs a lot of storage space.<o:p></o:p></p><p class=MsoNormal>Bruce: We should synchronize, because it's hard to do different things for different certificates (TLS vs. CS).<o:p></o:p></p><p class=MsoNormal>Ian: Worried someone might have an incident because they changed their log retention period to 2 years but now they're out of compliance with the CSBRs (7 years).<o:p></o:p></p><p class=MsoNormal>Dimitris: There is a significant risk here; someone will need to investigate all the redlines from v1.6.9 to v1.7.3. There are changes besides logging that may affect Code Signing.<o:p></o:p></p><p class=MsoNormal>Bruce: We need to do the hard work to bring it up to date and then continue to look at the deltas moving forward. One solution is to get our CSBR document in the new document system and incorporate all referenced sections so we can manage the CSBRs separately. That's what S/MIME working group is doing.<o:p></o:p></p><p class=MsoNormal>Tim: Just because we make our own document doesn't mean we can't incorporate changes from time to time.<o:p></o:p></p><p class=MsoNormal>Dimitris: We had the strategy from last year that the interim step that we convert to RFC 3647.<o:p></o:p></p><p class=MsoNormal>Tim: There are things that we can't wait for, such as logging and perhaps other things.<o:p></o:p></p><p class=MsoNormal>Bruce: Can someone provide a delta for all changes in the BRs?<o:p></o:p></p><p class=MsoNormal>Tim: We'll get a link out for everyone.<o:p></o:p></p><p class=MsoNormal>Bruce: We can review and see the changes. I think we want to do that review and make a ballot within the next month or two.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Next meeting is May 6th. Meeting adjourned.<o:p></o:p></p></div></body></html>