<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:446044520;
mso-list-template-ids:-1247250956;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:887030538;
mso-list-type:hybrid;
mso-list-template-ids:-1398254268 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><b>Code Signing WG Minutes 2023-MAY-18<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Attendance: <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;color:#1D1D1D'>Dean Coclin (DigiCert), Martijn Katerbarg (Sectigo), Ben Dewberry (Keyfactor), Roberto Quiñones (Intel), Bruce Morton (Entrust), Tim Hollebeek (DigiCert), Ian McMillan (Microsoft), Tim Crawford (BDO), Atsushi Inaba (GlobalSign), Eva Van Steenberge (GlobalSign), </span><span style='font-size:12.0pt'>Inigo Barreira (Sectigo), Bianca Martin (Amazon), <span style='color:#1D1D1D'>Corey Bonnell (DigiCert), Rollin Yu (TrustAsia), Mohit Kumar (GlobalSign)</span></span><span style='color:#1D1D1D'><o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:12.0pt;color:#1D1D1D'> </span></b><span style='color:#1D1D1D'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level1 lfo3'><span style='font-size:12.0pt'>The Antitrust statement was read<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level1 lfo3'><span style='font-size:12.0pt'>Minutes from May 4<sup>th</sup> approved<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-line-height-alt:11.55pt;mso-list:l1 level1 lfo3'><span style='font-size:12.0pt'>Ballot: CSC 18 – Malware base revocation (Martijn)<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>In discussion period, voting period ending before meeting is over<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>Dean: tracker shows quorum met<o:p></o:p></span></li></ul><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level1 lfo3'><span style='font-size:12.0pt'>Removing SSL BR References<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>Martjin: About half docs reviewed for missing definitions. Removed 2 definitions that are not used. A couple may need to be added, will need to discuss<o:p></o:p></span></li></ul><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level1 lfo3'><span style='font-size:12.0pt'>Subject Name stability<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>Email from new interested party (Mike Hearn)<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>Ian: MSIX (Appx) does hash calculation of the publisher’s name value that is in the manifest and compares it to the full subject name value of signing certificate<o:p></o:p></span></li><ul style='margin-top:0in' type=square><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level3 lfo3'><span style='font-size:12.0pt'>Was working fine when only used inside of store distribution. As its been rolled out broadly to allow MSI package into MSIX, they’ve run into this issue for companies that change their name or locale.<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level3 lfo3'><span style='font-size:12.0pt'>New packages would validate fine but presents inability to update existing apps because it depends on Package Name alignment.<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level3 lfo3'><span style='font-size:12.0pt'>This is Microsoft MSIX issue, not a broad certificate issuance problem.<o:p></o:p></span></li></ul><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>Tim: This is example of using [subject] name instead of global identifier and this has all the issues that are well known.<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>Bruce: Even global identifier might change if company changes name, like with SSL and org ID<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>Ian: Apple and Google offer ways to uniquely identify orgs. If Microsoft offered something similar, it would not be something that Public CAs should have to do.<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt'>Ian will draft a response to this email<o:p></o:p></span></li></ul><li class=MsoListParagraph style='color:#1D1D1D;margin-left:0in;mso-list:l1 level1 lfo3'><span style='font-size:12.0pt'>June F2F is June 6<sup>th</sup> afternoon.<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraph style='margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt;color:#1D1D1D'>Dean moves to cancel call scheduled for Jun 1<sup>st</sup>. No objections</span><o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l1 level2 lfo3'><span style='font-size:12.0pt;color:#1D1D1D'>Agenda for F2F</span><o:p></o:p></li><ul style='margin-top:0in' type=square><li class=MsoListParagraph style='margin-left:0in;mso-list:l1 level3 lfo3'><span style='font-size:12.0pt;color:#1D1D1D'>Time: 1:45pm to 3:45pm (nothing scheduled after this, so could keep going)</span><o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l1 level3 lfo3'><span style='font-size:12.0pt;color:#1D1D1D'>Ian: no guest speaker for code signing workgroup. Roy Williams is going to talk about Secure Supply Chain Integrity, Trust and Transparency.</span><o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l1 level3 lfo3'><span style='font-size:12.0pt;color:#1D1D1D'>Bruce: Spend some time reviewing time stamping changes Ian is proposing. Discuss EV Certificates. Continue discussion on Certificate Transparency</span><o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l1 level3 lfo3'><span style='font-size:12.0pt;color:#1D1D1D'>Dean may not be able to attend in person, Bruce can facilitate</span><o:p></o:p></li></ul></ul></ul><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#48565E;mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#48565E;mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'><o:p> </o:p></span></p></div><p class=MsoNormal>Dean Coclin<o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'>CSCWG Chair<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>