<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><b><u>Minutes of Codesigning WG meeting on Sep 7<sup>th</sup>, 2023<o:p></o:p></u></b></p><p class=MsoNormal><b><u><o:p><span style='text-decoration:none'> </span></o:p></u></b></p><p class=MsoNormal><b><u>Attendees:<o:p></o:p></u></b></p><p class=MsoNormal><span style='mso-ligatures:none'>Atsushi Inaba - GlobalSign<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Keshava N - eMudhra<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Inigo Barreira - Sectigo<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Dimitris Zacharopoulos - Harica<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Martijn Katerbarg - Sectigo<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Ian McMillan - Microsoft<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Brianca Martin - Amazon<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Mohit Kumar - GlobalSign<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Bruce Morton - Entrust<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Scott Rea - eMudhra<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Andrea Holland - VikingCloud<o:p></o:p></span></p><p class=MsoNormal><span style='mso-ligatures:none'>Corey Bonnell - DigiCert<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b><u>Discussion Points:<o:p></o:p></u></b></p><p class=MsoNormal>Prior minutes approval – 24-Aug-2023 minutes approved with no objection. <o:p></o:p></p><p class=MsoNormal><b><u>Ballot Status<o:p></o:p></u></b></p><p class=MsoNormal>Ballot 19 is completed and effective as of 5-Sep-23, and a new Code Signing BR version has been published with updates from this ballot.<o:p></o:p></p><p 
class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Signing Service Ballot – Updated draft based on previous ballots. It includes a lot of cleanup and simplifies the language without changing the scope. The objective was to make clear that the Signing Service is not supposed to do validation: validation is expected from the Certificate Authority, and the Signing Service is expected to protect private keys on behalf of the subscriber.<o:p></o:p></p><p class=MsoNormal><u>Summary of Major updates for Signing Service:<o:p></o:p></u></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3'>Made clear that the Signing Service is not a delegated third party. It is not an obligation for the CA: the CA does not have to operate one or delegate it. It is optional for the CA.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3'>Changed the definition of Signing Service to include generation of the key pair and its management as the main job of the Signing Service.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3'>Added a section to ensure that the Signing Service does not transfer keys to the subscriber.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3'>Changed references to Signing Key to Private Key where applicable.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3'>Improved the content to avoid the interpretation that the Signing Service must do malware scans for all code being signed.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3'>Split the audit requirements between CA, Signing Service and Timestamping.<o:p></o:p></li></ul><p class=MsoListParagraphCxSpLast><o:p> </o:p></p><p class=MsoNormal>High Risk ballot – To be postponed for now and to be taken 
up later. <o:p></o:p></p><p class=MsoNormal><b><u><o:p><span style='text-decoration:none'> </span></o:p></u></b></p><p class=MsoNormal><b><u>Discussion on the need for a charter update for TSA certificates<o:p></o:p></u></b></p><p class=MsoNormal>Dimitris brought to the group's attention that it was agreed at Forum level that the Codesigning Working Group can work on requirements for TSAs related to Code Signing, and that this is in scope.<o:p></o:p></p><p class=MsoNormal>Martijn suggested that unless we have technical controls to determine which Timestamp certificates or authorities are being used for Codesigning and which are not, it is difficult to differentiate.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It was highlighted that we have policy OIDs for Timestamp certificates to be used for Codesigning. There was discussion on whether these are mandatory and whether that is stated explicitly. It was called out that if the policy OID is not used in a Timestamping certificate, it technically still works for codesigning. <o:p></o:p></p><p class=MsoNormal>However, there is still a difference of opinion on whether timestamping requirements are in scope or need a charter update, since it is not clear. <o:p></o:p></p><p class=MsoNormal>An action item was decided: to review and update the charter and consider timestamp certificates/TSA requirements for Codesigning.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>