<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal>Attendees:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Andrea Holland<o:p></o:p></p><p class=MsoNormal>Atsushi Inaba<o:p></o:p></p><p class=MsoNormal>Bruce Morton<o:p></o:p></p><p class=MsoNormal>Christophe Bonjean<o:p></o:p></p><p class=MsoNormal>Corey Bonnell<o:p></o:p></p><p class=MsoNormal>Ian McMillan<o:p></o:p></p><p class=MsoNormal>Inigo Barreira<o:p></o:p></p><p class=MsoNormal>Janet Hines<o:p></o:p></p><p class=MsoNormal>Joanna Fox<o:p></o:p></p><p class=MsoNormal>Lynn Jeun<o:p></o:p></p><p class=MsoNormal>Martijn Katerbarg<o:p></o:p></p><p class=MsoNormal>Mohit Kumar<o:p></o:p></p><p class=MsoNormal>Tim Crawford<o:p></o:p></p><p class=MsoNormal>Tim Hollebeek<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce read the anti-trust statement.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Meeting minutes for 2022-08-11 were approved.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>* Malware revocation ballot *<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Martijn said there were updates in Github (<a href="https://github.com/cabforum/code-signing/pull/10">https://github.com/cabforum/code-signing/pull/10</a>). Christophe and Corey have been providing feedback.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>There was a discussion on the existing sentence "The CA SHOULD indicate whether its investigation found that the Suspect Code was a false positive or an inadvertent signing". Tim and Ian agreed that the sentence is redundant and can be removed.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Tim raised a concern with requirements when "the CA is made aware", as the definition of "awareness" is not clear. Tim suggested that receipt of a Certificate Problem Report is sufficient "awareness" for the CA and volunteered to develop language to capture the concept.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Christophe asked if the expectation is that CA should only reach out to Application Software Suppliers in the case of confirmed Suspect Code, or a case still under investigation? Ian clarified that only confirmed cases should be shared with Application Software Suppliers.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Christophe also raised the concern that there may be cases where both 4.9.1.1 and 4.9.1.3 is applicable and where it is undesired to contact the Subscriber prior to revocation. Tim and Ian agreed that these are valid cases and we should not explicitly require contact to the Subscriber.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Christophe and Tim discussed whether the requirements should dictate how proof of key compromise can be demonstrated. Tim mentioned that there is no standardized way, currently. Bruce mentioned that the TLS BRs require disclosure of the CA's accepted methods of proving compromise.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>* Signing Service Ballot *<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce provided the ballot text to Corey, who added it to Github (<a href="https://github.com/cabforum/code-signing/pull/12">https://github.com/cabforum/code-signing/pull/12</a>). There is an open item for someone with ETSI expertise to evaluate the audit scheme requirements for Signing Services. Bruce asked the group to review the PR.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>* Timestamping *<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ian will reach out to Tim on developing a concrete proposal.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>* Any other business *<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>None.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Next meeting is September 8th. Meeting adjourned.<span style='font-family:"Arial",sans-serif;color:#686869'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>