<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1381595139;
mso-list-template-ids:-1138715502;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1401168753;
mso-list-template-ids:-1306214364;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><b><span style='font-size:12.0pt'>CSCWG Final Minutes September 8, 2022<o:p></o:p></span></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Attendees</b><o:p></o:p></p><p class=MsoNormal>Dean Coclin<o:p></o:p></p><p class=MsoNormal>Roberto Quiņones<o:p></o:p></p><p class=MsoNormal>Joanna Fox<o:p></o:p></p><p class=MsoNormal>Vijay eMudhra<o:p></o:p></p><p class=MsoNormal>Mohit Kumar<o:p></o:p></p><p class=MsoNormal>Ian McMillan<o:p></o:p></p><p class=MsoNormal>Bruce Morton<o:p></o:p></p><p class=MsoNormal>Michael Sykes<o:p></o:p></p><p class=MsoNormal>Atsushi Inaba<o:p></o:p></p><p class=MsoNormal>Tim Hollebeek<o:p></o:p></p><p class=MsoNormal>Iņigo Barreira<o:p></o:p></p><p class=MsoNormal>Tomas Gustavsson<o:p></o:p></p><p class=MsoNormal>Dimitris Zacharopoulos<o:p></o:p></p><p class=MsoNormal>Martjin Katerbarg<o:p></o:p></p><p class=MsoNormal>Janet Hines<o:p></o:p></p><p class=MsoNormal>Andrea Holland<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Dean read the anti-trust statement.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>No objection to minutes from Aug-25th, minutes approved. Will be sent to public list.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Reminder on CSC 15 , IPR review ends on Sept 18th<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Topic to discuss:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level1 lfo3;vertical-align:middle'>Malware Proposal from Martijn<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>nothing new to discuss at this time.<o:p></o:p></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo3;vertical-align:middle'>Key Protection requirements deadline<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>Ian shared that there has been feedback/concerns on deadline approaching fast and not everyone ready to adopt new requirements.<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>Time between publication of requirement to deadline may have been too aggressive. Tim suggests standardizing on general 1 year notice before enforcement<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>In addition to short deadline, market conditions and supply chain issues may be preventing some from adoption new requirements.<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>This group has been aware of topic for a long time, but even after CSBRs are published, most developers do not read them<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>Several points about the communication problem<o:p></o:p></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level3 lfo3;vertical-align:middle'>Some CAs have been actively reaching out to subscribers about new requirements<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level3 lfo3;vertical-align:middle'>Moving date does not resolve awareness<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level3 lfo3;vertical-align:middle'>Batching updates may help to communicate changes<o:p></o:p></li></ul><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>Moving date implies not as critical as initially suggested<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>It was suggested that we could keep original date and use an exception process<o:p></o:p></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level3 lfo3;vertical-align:middle'>Exception processes have not worked well in the past.<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level3 lfo3;vertical-align:middle'>They may be inconsistent and public review creates more risk<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level3 lfo3;vertical-align:middle'>Goal should be to avoid an exception process<o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level3 lfo3;vertical-align:middle'>Creating conditional rules for issuance under exceptions adds additional complexity requirement for CAs in short time. Better to just move out the date<o:p></o:p></li></ul><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>Ian will write ballot draft and send out sept-9th to get discussion period moving and collect endorsers. Tim and Bruce offered to endorse<o:p></o:p></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo3;vertical-align:middle'>Signing Service discussion<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>Bruce: Corey has published info in GitHub for anybody to review. Discussing separating audit criteria for CA vs signing service vs timestamp authority. Looking for help to review it. <o:p></o:p></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo3;vertical-align:middle'> Timestamping<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>Ian: will work on draft to require TSA CA issuing timestamp and entity certs, be protected offline, and reduce validity period of those timestamp and entity cert, to no more than 6 years. <o:p></o:p></li><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>It should cover period for Java using yearly new key. We can send message to Oracle on intent, to get their feedback.<o:p></o:p></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo3;vertical-align:middle'>Other business<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo3;vertical-align:middle'>Anyone that will attend Berlin should sign up now to allow for planning for limited spots. Some guests or companies with multiple spots may be asked to limit attendance since only 60 spots available.<o:p></o:p></li></ul></ul><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Next meeting will be September 22nd<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Meeting adjourned<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>