<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:#0C00;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:828179382;
mso-list-type:hybrid;
mso-list-template-ids:975354976 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><b><span style='mso-ligatures:none'>Final F2F Minutes February 28, 2023</span></b><span style='font-size:12.0pt'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal>Attendees: Enrico Entschew (D-Trust), Ben Dewberry (Keyfactor), Alison Titus (Entrust), Tadahiko Ito (SECOM Trust Systems), Lisa Marie Barlow (Entrust), Brianca Martin (Amazon), Vijay Kumar (eMudhra), Chris Kemmerer (SSL.com), Nikolaos Soumelidis (QMSCERT/ACAB-C), Thomas Zermeno (SSL.com), Corey Bonnell (DigiCert), Marcelo Silva (Visa), Aaron Poulsen (Amazon), Janet Hines (VikingCloud), Matthias Wiedenhorst (ACAB/C), George Fergadis (HARICA), Christophe Bonjean (GlobalSign), Eva Van Steenberge (GlobalSign), Nargin Mannan (VikingCloud), Rebecca Kelley (Apple), Martijn Katerbarg (Sectigo), Rob Stradling (Sectigo), Brittany Randall (GoDaddy), Clemens Wanko (ACAB/C), Ilona Jones (Entrust), Inigo Barreira (Sectigo), Dimitris Zacharopoulos (HARICAO), J.P. Hamilton (Cisco), Ben Wilson (Mozilla), Daryn Wright (GoDaddy), Bruce Morton (Entrust), Ian McMillan (Microsoft), Nick France (Sectigo), Paul van Brouwershaven (Entrust), Elaine Bronsther (Sectigo), Ellie Lu (TrustAsia Technologies), Atsushi Inaba (GlobalSign), Adam Jones (Microsoft), Trevoli Ponds-White (Amazon), Dough Beattie (GlobalSign)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>Assign Minute taker (start recording)<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Martijn is taking minutes<o:p></o:p></li></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>Antitrust Statement<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Bruce read the antitrust statement<o:p></o:p></li></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>Agenda<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Don added a question on the interrelationship between Code Signing and NetSec:<o:p></o:p></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>i.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Don: We didn’t see any clear reference in the CSCBRs to the Network Security requirements and has asked to add the same language as the SMBR and BRs use. Bruce stated that will be addressed.<o:p></o:p></p><ol style='margin-top:0in' start=4 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>Approval of prior meeting minutes<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>January 26<sup>th</sup> minutes are not yet available.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>February 9<sup>th</sup> minutes are approved.<o:p></o:p></li></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>Ballot Status<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Malware ballot: Looking to redraft and expand to the complete revocation section. Set to have a draft ready by the March 23<sup>rd</sup> meeting.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Signing Service ballot: To be change to Subscriber Key Protection Service. No progress on this yet since the last call. Tim has gone through and added comments which we need to work through.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Remove BR References ballot: Dimitris has added more items after feedback over the last two meetings. We will need to discuss on which bits we need to import for certain sections.<br>There was a discussion on why we currently reference a specific BR version, yet “the latest” Network Security requirements. <o:p></o:p></li></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>Code Signing Ecosystem Status<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Microsoft to provide Code Signing ecosystem issues from Root program, Windows and Azure perspective<o:p></o:p></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>i.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Ian gave a presentation on the challenges in Code Signing. <o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>ii.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>A question was raised on the subject of State Threat Actors: Is there an estimate on the percentage of signed malware from state actors?<o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=1 type=a><ol style='margin-top:0in' start=2 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Ian: We don’t have a clear estimate on that in terms of a percentage, but expect it is a small percentage<o:p></o:p></li></ol></ol></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>iii.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Leo raises the issue of customers still being hesitant on using signing services and wanting to keep using the certificate using “the old fashioned” way. It’s a heavy lift to get people to change their mindset.<o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=1 type=a><ol style='margin-top:0in' start=3 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Ian: We do contribute to open source projects that enable and offer easier use of signing services.<o:p></o:p></li></ol></ol></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>iv.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Trevoli: For developers, certificates and keys is something they want to spend as little time as possible on. As such they will keep resisting changes unless it leads to both less time spent and more security.<o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>v.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Dimitris: I’d like to know what Ian’s visions are in regards to Certificate Transparency.<o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=1 type=a><ol style='margin-top:0in' start=5 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Ian: There’s a big opportunity to solving the CA hopping by malicious actors due the identities listed in CT. CAs and other parties can perform further investigations before issuing a certificate.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>The point is raised that this is not a proactive method, but it would help by “burning” a malicious actor’s identity which they may have built up over a longer period of time.<o:p></o:p></li></ol></ol></ol></ol><p class=MsoListParagraph style='margin-left:2.0in'><o:p> </o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=2 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>CAs to contribute problem issues based on whatever including incidents, implementation, clarification, audit perspective<o:p></o:p></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>i.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Bruce raised the issue of “High Risk” language in the CSCBRs. There appears to be no common thing between CAs on how it should be done. It’s pointed out that the High Risk region section is also empty.<o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>ii.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Dimitris: Maybe as a group we should agree on which sources for company registrations we should be using. By this we could set which sources are considered good, and have all CAs share the same base. <o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=2 type=a><ol style='margin-top:0in' start=2 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Bruce: The problem there may be that there could only be one source for a specific region. Maybe the source is not that good, but if it is the only one, there is no alternative.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Chris added that maybe in those cases we should look at requesting more details such as having a bank account.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Ian states that malicious actors will wait 3 years or more before purchasing the certificates, just to have their company registration build up a status. They’re willing to play the long game.<o:p></o:p></li></ol></ol></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>iii.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Dimitris: I believe CT is the wrong tool to lower the amount of signed malware. Microsoft could play a key role into this however. MS is already consuming all those certificates and knows when malicious code has been signed. If there’s a way to communicate that to CAs, that also removes any legal issues CA’s might have because it will be the Certificate Consumer for which we have a contract with. Chris seconds this.<o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=2 type=a><ol style='margin-top:0in' start=3 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Ian agrees, but cannot currently give any details on what the root program will and can legally do about this.<o:p></o:p></li></ol></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Whiteboard ideas and approaches which could be implemented to address discuss issues<o:p></o:p></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>i.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Shorter maximum certificate validity period<o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=3 type=a><ol style='margin-top:0in' start=1 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Leo raises the question about if very short validity periods are offered, such as just 1 day, would there be an option to soften the requirement on using FIPS devices?<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level5 lfo1'>Ian stated that no, that would not be an option is his opinion.<o:p></o:p></li></ol></ol></ol></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>ii.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Certificate Transparency<o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>iii.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Stop constant reports of suspect code<o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=3 type=a><ol style='margin-top:0in' start=3 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Corey raises that historically there have also been reports of suspect code that were used, weaponized, against companies in order to have a certificate revoked. It is hard for CAs to determine when something is suspect code or not.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Bruce suggests maybe CAs should use something like Virustotal by adding software there and see the outcome<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Martijn adds that even that is not waterproof as it does have false positives and varies from hour to hour. CA’s are not malware specialists. If even the experts have false positives, how are we supposed to have it 100% correct.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Eva adds that they also run into the same issues. However sometimes it seems like this is more about a Subscriber and investigating them or get in touch with them. Several times when we’ve done a revocation, malicious actors will ask us why we revoked, instead of asking what has happened. It seems actors are trying to figure out how we detected them.<o:p></o:p></li></ol></ol></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>iv.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Post suspect code in the same repository<o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>v.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>CAA<o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>vi.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Verification escalation to EV or F2F<o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=3 type=a><ol style='margin-top:0in' start=6 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Bruce brings up the possibility of adding F2F checks or more EV like validation for all certificates in order to reduce the amount of malware signed.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Martijn adds that, how much do we expect this to help if threat actors are willing to wait 3-5 years. Potentially it’s part of several improvements that all together make it harder. There doesn’t appear to be one single solution.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Corey adds a notion of requiring something like a notary public, however that would also increase the burden on any legitimate company.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Ian: Maybe we should be looking ad Identity verification solutions, such as TrueID.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Corey: That would also add to automation of identity checking.<o:p></o:p></li></ol></ol></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>vii.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Simplify EV verification<o:p></o:p></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=3 type=a><ol style='margin-top:0in' start=7 type=i><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Ian: The CSCBRs currently have a requirement for a second reviewer for EV certificates. This struck me as an option to exploit corruption. Automation instead would be a much more safe practice.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Bruce: Should we be using more automation such as LEIs for vetting? I think EV probably needs to be more streamlined as a lot of the language is probably about 15 years old by now, and very much built on a legal framework.<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level4 lfo1'>Trevoli: I don’t think the issue is perse how many people are involved, but more about how could we be using tooling.<o:p></o:p></li></ol></ol></ol><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>Other Items<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Bruce was asked to give a presentation on the CA/B Forum Code Signing WG in Toronto. Does anyone have any objections to this? (There are none).<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>Chris: Question for Ian, is there any estimate on the size of the malware community?<o:p></o:p></li></ol></ol><p class=MsoListParagraph style='margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>i.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Ian: Recently through data from Reversing Labs, we’ve seen about 20K code signing certificates used in malware. That’s less than 1 percent of all code signing certificate, but still a large number. <o:p></o:p></p><ol style='margin-top:0in' start=8 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>Next Meeting<o:p></o:p></li><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo1'>March 9<sup>th</sup>, 2023.<o:p></o:p></li></ol></ol><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>