<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Calibri Light";
        panose-1:2 15 3 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-ligatures:standardcontextual;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:828179382;
        mso-list-type:hybrid;
        mso-list-template-ids:975354976 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif'>Final Minutes of the CA/Browser Forum Teleconference <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif'>March 9, 2023<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-family:"Calibri Light",sans-serif'>Attendees: </span></b><span style='font-family:"Calibri Light",sans-serif'>Dean Coclin (DigiCert), Brianca Martin (Amazon), Rollin Yu (TrustAsia), Bruce Morton (Entrust), Inigo Barreira (Sectigo), Dimitris Zacharopoulos (HARICA), Tomas Gustavsson (Keyfactor), Janet Hines (VikingCloud), Andrea Holland (SecureTrust), Tim Hollebeek (DigiCert), Atsushi Inaba (GlobalSign), Corey Bonnell (DigiCert), Ian McMillan (Microsoft)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Assign Minute taker (start recording) <o:p></o:p></span></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Brianca is taking minutes<o:p></o:p></span></li></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Antitrust Statement <o:p></o:p></span></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Dean reminded all participants that they must comply with the CA/Browser Forum anti-trust policy, 
code of conduct, and intellectual property rights agreement. Please contact the chair with any comments or concerns about these policies.<o:p></o:p></span></li></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Meeting Minutes<o:p></o:p></span></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><span style='font-family:"Calibri Light",sans-serif'>February 9<sup>th</sup> meeting minutes pending receipt from Trevoli Ponds (Amazon).<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Martijn took minutes at the <span style='color:black'>F2F Meeting on February 28<sup>th</sup>.</span><o:p></o:p></span></li></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Agenda - Items discussed in the F2F meeting<o:p></o:p></span></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><b><span style='font-family:"Calibri Light",sans-serif'>Ian provided an overview from Microsoft’s perspective.<o:p></o:p></span></b></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                               </span>i.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Subscribers (buy certs, sign code) and consumers (consume the signed code/application).<o:p></o:p></span></p><p class=MsoListParagraph 
style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                             </span>ii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Subscriber process is difficult and expensive, especially in the India dev space for the larger ISVs, but they are transitioning CI/CD pipelines into cloud spaces, which presents a challenge for private key protection. Subscribers should be able to take advantage of signing services (private key protection services), which should be available for them to use. Even when they get their private keys and secure them, complexity comes in as to when they should be used. Some sign everything, which means providing access to their private keys across a wider range of their engineers and their infrastructure in many of those cases. For TLS, we go through certificate and key lifecycle management; it’s just hard.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><b><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                             </span>iii.<span style='font:7.0pt "Times New Roman"'>     </span></span></span></b><![endif]><span style='font-family:"Calibri Light",sans-serif'>On the consumer end, there is too much unsigned code (30% of Windows code in 2019). Among the unsigned code is malware: 92% is unsigned, and less than 1% is signed with a valid cert and signature. 7% is not signed properly, which plays on the social engineering aspect - signature presence for a certificate is displayed in various forms. 
Effectiveness and timeliness of revocation is a challenge – time to detect and remediate. What is the impact of revocation? Transitioning to shorter lived certificates for store apps, revocation is possible without impact issues but still comes with challenges. Focus is all the way from the time that we're trying to get subscribers to sign up and do code signing securely all the way to consumers consuming it and how we leverage the remediation actions such as revocation.<b><o:p></o:p></b></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>iv.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Bruce asked which of those items we can deal with and stated that if code is unsigned, we should reject it and not install it.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                             </span>v.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian stated that Windows 11 2022 H2 introduced a new feature called Smart App Control. If any piece of code is unsigned, it must have a good enough reputation with Microsoft’s cloud protection service for it to be able to run. 
If it doesn’t, it will not run, unless it’s signed with a publicly trusted code signing certificate.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>vi.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Dimitris stated he thought there was some kind of a reputation building based on the identity of the certificate (company in the subject of the certificate).<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                          </span>vii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian stated that is correct, but only after you've signed. The message to developers is that, to gain reputation, they can submit to the Microsoft Defender file submission portal, but that can take time. There is no timeline around when reputation might be built or if it'll be enough from that 1 submission. 
The overwhelming message is to sign your code.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                        </span>viii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Bruce asked if there were any steps we can do in the working group to support. Problems feel like they are at the Windows end, not the CA end.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>ix.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian asked that we look at identity verification and build in something that allows us to detect when a developer or cert has gone bad. 
How do we monitor what we have subscribed or issued?<o:p></o:p></span></p><ol style='margin-top:0in' start=4 type=1><ol style='margin-top:0in' start=2 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><b><span style='font-family:"Calibri Light",sans-serif'>Certificate validity period</span></b><span style='font-family:"Calibri Light",sans-serif'>:<o:p></o:p></span></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                               </span>i.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Bruce recapped other items we discussed: a shorter validity period for code signing certificates is better than a longer validity period.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                             </span>ii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian mentioned the availability of legit search on the dark web from search to non-search to non-search with reputation, built into them or condition searches, and the cost is not too expensive ($400). 
<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>iii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Dimitris stated that one of the biggest arguments for short term certificates is to be able to have a more granular revocation.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>iv.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian stated for the attacker, how do I reduce their velocity to ROI?<o:p></o:p></span></p><ol style='margin-top:0in' start=4 type=1><ol style='margin-top:0in' start=3 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><b><span style='font-family:"Calibri Light",sans-serif'>Certificate transparency<o:p></o:p></span></b></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                               </span>i.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Bruce stated that you need a log or some 
logs, and you need a policy.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                             </span>ii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian stated he was interested in what the cost is to all of us and if it’s worth it.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>iii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Tim stated that the costs are actually relatively low. The biggest cost is actually the amount of time it would take to figure out how this would work, the policies, and the contractual requirements of who's logging to whom, so it would take a little bit of effort to get it set up. From a tactical point of view, on the cost of actually operating the logs, they have been operating them for almost a decade. 
Not a ton of code signing certs; if we can do it for TLS, we can do it for code signing.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>iv.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Dean asked about the cost benefit analysis or tax. It seems like it is to be able to put these out there and have companies monitor for certificates that might be issued in their name.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                             </span>v.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Tim stated that there's not a lot of transparency in the code signing ecosystem, and it makes it a lot tougher to make the code signing ecosystem better. One of the things we did learn from our experience with certificate transparency in TLS is that it does allow a lot more transparency about what's actually out there and makes it easier to have discussions about how the ecosystem needs to be improved.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                      
      </span>vi.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Dimitris stated that we need to write down what the problems are that we are trying to solve with certificate transparency; detecting malware is not one of those problems.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                          </span>vii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Tim stated that the one spot where it does provide some benefit is in the event that we do find, let's say, we find a bad actor that's using a certificate issued. The fact that you have all the other certificates from the ecosystem log does help in tracking down if the bad actor had gotten certificates from other CAs.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                        </span>viii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian stated that he liked the idea of these companies being able to monitor what certs have been issued in their name, and individuals as well.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span 
style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>ix.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian asked if CAs could see the reason code on the certificate and why it was revoked, have they received a cert from another CA that has been revoked for signing malware.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                             </span>x.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Brianca would like to see us extend that not only for certificates issued in the company's name, but subsidiaries as well.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>xi.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Bruce mentioned that if I had someone monitoring, so I can allow customers to see if anybody ever gets us here with their name in it. 
CT and monitoring would not provide value to the customer.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                          </span>xii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian stated that companies that are protecting their brand would invest in monitoring.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                         </span>xiii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Brianca stated that monitoring is valuable because it allows companies, when requirements change, to know which certificates they have been issued that need to comply.<o:p></o:p></span></p><ol style='margin-top:0in' start=4 type=1><ol style='margin-top:0in' start=4 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><b><span style='font-family:"Calibri Light",sans-serif'>Simplify EV verification<o:p></o:p></span></b></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                               </span>i.<span style='font:7.0pt "Times New Roman"'>      
</span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Bruce noted that the process is complicated and we should figure out how to make it less complicated. <o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                             </span>ii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Tim stated that the main thing that has changed a lot with respect to validation is that the validation requirements go back to a time when getting a hold of corporate records involved</span> <span style='font-family:"Calibri Light",sans-serif'>going down into a basement and going through microfiche and things like that. Now there is widespread availability of publicly available corporate records, so you can just say, hey, here's the jurisdiction, here's the serial number, we verified it. You can check it by looking up the records online as well. 
I mean, a lot of this stuff is just much easier than it was 20 years ago and yes, it could definitely be simplified.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>iii.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian stated that the due diligence with a person peer review could be corrupted.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>iv.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Dimitris stated that they are less corruptible and asked if the comment was for automated identity proofing.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                             </span>v.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Ian stated yes, but the true Id technology to leverage attestations. 
There is likely a better solution.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='font-family:"Calibri Light",sans-serif'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                                            </span>vi.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-family:"Calibri Light",sans-serif'>Bruce said we should clean up EV from the CA/B forum point of view.<o:p></o:p></span></p><ol style='margin-top:0in' start=5 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Ballot Status <o:p></o:p></span></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><b><span style='font-family:"Calibri Light",sans-serif'>Malware based verification ballot</span></b><span style='font-family:"Calibri Light",sans-serif'>: Bruce stated that the new direction is to make it in line with how we have revocation done in the SSL BRs and add in the extra items around if suspect code gets signed.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><b><span style='font-family:"Calibri Light",sans-serif'>Signing Service ballot</span></b><span style='font-family:"Calibri Light",sans-serif'>: Tim added a review to the latest ballot on GitHub, only 1 or 2 issues that need a little more work, around audits and scoping. Plan to tidy it up in a week or two. Take items that are more complicated out of scope from this ballot. 
Everyone should make comments by the next meeting.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><b><span style='font-family:"Calibri Light",sans-serif'>Remove BR References ballot</span></b><span style='font-family:"Calibri Light",sans-serif'>: Dimitris and Corey discussed changes and pushed them to the branch on GitHub. <o:p></o:p></span></li></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-family:"Calibri Light",sans-serif'>Next Meeting<o:p></o:p></span></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'><span style='font-family:"Calibri Light",sans-serif'>March 23, 2023.<o:p></o:p></span></li></ol></ol><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p></div></body></html>