<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:462043507;
mso-list-template-ids:1926920732;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:510487894;
mso-list-template-ids:-1314326104;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:1411730409;
mso-list-template-ids:-978141234;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3
{mso-list-id:1594171029;
mso-list-template-ids:-633846032;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4
{mso-list-id:1599025031;
mso-list-template-ids:446451784;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5
{mso-list-id:2134590142;
mso-list-template-ids:2002942758;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-family:"Aptos",sans-serif'>CSCWG Meeting 2023-10-19<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Aptos",sans-serif'>Thursday, October 19, 2023<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Aptos",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Aptos",sans-serif'>Attendees:<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Aaron Poulsen - Amazon Trust Services<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Andrea Holland - VikingCloud<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Atsushi INABA - GlobalSign<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Bruce Morton - Entrust<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Corey Bonnell<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Dean Coclin-DigiCert<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Dimitris Zacharopoulos (HARICA)<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Ian McMillan - Microsoft<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Janet Hines - VikingCloud<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Richard 
Kisley - IBM<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Mohit Kumar - GlobalSign<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Rollin Yu - TrustAsia<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Scott Rea - eMudhra<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo3'><span style='font-family:"Aptos",sans-serif'>Tim Crawford – BDO/WebTrust<o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-family:"Aptos",sans-serif'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Aptos",sans-serif'>Agenda: <o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level1 lfo6'><span style='font-family:"Aptos",sans-serif'>Assign Minute taker (start recording)<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>Ian McMillan<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo6'><span style='font-family:"Aptos",sans-serif'>Roll call<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>Completed by Dean<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo6'><span style='font-family:"Aptos",sans-serif'>Antitrust Compliance Statement<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>Completed by Dean<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo6'><span style='font-family:"Aptos",sans-serif'>Review Agenda<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal 
style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>No comments on the agenda<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo6'><span style='font-family:"Aptos",sans-serif'>Approval of prior meeting minutes – F2F 5 Oct, Need minutes!<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>Minutes received from Mohit<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>Need to get other half of the minutes from Tim Callan (Dean to follow up)<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo6'><span style='font-family:"Aptos",sans-serif'>Ballot CSC-20 Restore Version Reference to EV Guidelines<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>Voting completed and it has passed with quorum <o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level1 lfo6'><span style='font-family:"Aptos",sans-serif'>Ballot CSC-21 Signing Service<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>In discussion period<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>Comments on the definition of Signing Service<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level3 lfo6'><span style='font-family:"Aptos",sans-serif'>This definition must not apply to a subscriber and that includes when the CA is a subscriber itself.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level3 lfo6'><span style='font-family:"Aptos",sans-serif'>Current definition seems to not be clear for CAs that leverage a 
Signing Service they provide and how the Subscriber Agreement would apply or not in this case.<o:p></o:p></span></li><ul style='margin-top:0in' type=square><li class=MsoNormal style='mso-list:l0 level4 lfo6'><span style='font-family:"Aptos",sans-serif'>Microsoft has a case where the Signing Service does a Subscriber Agreement with the CA service team with a separation of duties between the teams, so there is precedent for this behavior.<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level3 lfo6'><span style='font-family:"Aptos",sans-serif'>Signing Service does not include a subscriber's managed signing service.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level3 lfo6'><span style='font-family:"Aptos",sans-serif'>New proposed definition: An organization that generates the key pair and securely manages the private key associated with the code signing certificate on behalf of the subscriber.<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level2 lfo6'><span style='font-family:"Aptos",sans-serif'>Audit Requirements and Audit Dates<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level3 lfo6'><span style='font-family:"Aptos",sans-serif'>We should consider an effective date to allow for Signing Services to comply with the requirements<o:p></o:p></span></li><ul style='margin-top:0in' type=square><li class=MsoNormal style='mso-list:l0 level4 lfo6'><span style='font-family:"Aptos",sans-serif'>There should be a ramp-up period, or it should be included in the next audit period, so as not to include it in current audit periods.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level4 lfo6'><span style='font-family:"Aptos",sans-serif'>We need to give CAs runway to get this into their audit plans<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level4 lfo6'><span style='font-family:"Aptos",sans-serif'>We should provide an effective date of 6 months from the projected ballot 
completion timeframe (e.g. June 1, 2024) for the audits starting after that effective date.<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level3 lfo6'><span style='font-family:"Aptos",sans-serif'>Section 8.4 currently requires a Signing Service to comply with the audit requirements for a CA or a Delegated 3rd Party<o:p></o:p></span></li><ul style='margin-top:0in' type=square><li class=MsoNormal style='mso-list:l0 level4 lfo6'><span style='font-family:"Aptos",sans-serif'>Is it possible that CSBRs say Signing Services must comply with the requirements including audits for the NetSec BRs, but they are not?<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level4 lfo6'><span style='font-family:"Aptos",sans-serif'>How does a CA know there is a Signing Service or not?<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level5 lfo6'><span style='font-family:"Aptos",sans-serif'>Resellers come into the picture here<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level5 lfo6'><span style='font-family:"Aptos",sans-serif'>Previously we questioned if Signing Services should have these audit requirements and we talked ourselves into it.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level5 lfo6'><span style='font-family:"Aptos",sans-serif'>We can lean on the Subscriber Agreement and Subscriber Warranties to push the audit requirements onto 3rd party Signing Services and Resellers<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level4 lfo6'><span style='font-family:"Aptos",sans-serif'>How are these enforced?<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level5 lfo6'><span style='font-family:"Aptos",sans-serif'>3 scenarios here…<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level6 lfo6'><span style='font-family:"Aptos",sans-serif'>CA that provides a Signing 
Service to Subscribers<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level7 lfo6'><span style='font-family:"Aptos",sans-serif'>Assumption is these are already being audited<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level6 lfo6'><span style='font-family:"Aptos",sans-serif'>CA that partners with a 3rd Party Signing Service to the CA subscribers<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level6 lfo6'><span style='font-family:"Aptos",sans-serif'>Subscriber uses an unaffiliated 3rd Party Signing Service to use a CA-issued code signing certificate (CA may or may not be aware there is a signing service in the loop unless the Subscriber notifies the CA)<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level7 lfo6'><span style='font-family:"Aptos",sans-serif'>More or less a private key protection service<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level7 lfo6'><span style='font-family:"Aptos",sans-serif'>It is not easy here to tell when a 3rd party Signing Service is involved<o:p></o:p></span></li></ul></ul><li class=MsoNormal style='mso-list:l0 level5 lfo6'><span style='font-family:"Aptos",sans-serif'>First focus on Signing Services that CAs know about, but this will not be equivalent<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level6 lfo6'><span style='font-family:"Aptos",sans-serif'>CAs with a Signing Service have the hardest compliance challenge, but an unaffiliated 3rd party Signing Service (Reseller) would not have the same requirements<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level6 lfo6'><span style='font-family:"Aptos",sans-serif'>We should consider dropping these audit requirements on the Signing Services and focus on the subscriber private key protection requirements<o:p></o:p></span></li><ul style='margin-top:0in' type=disc><li 
class=MsoNormal style='mso-list:l0 level7 lfo6'><span style='font-family:"Aptos",sans-serif'>The one point we are considering is the Signing Service risk with a multi-tenant service, this is the same as Resellers.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level7 lfo6'><span style='font-family:"Aptos",sans-serif'>Can we look at prohibiting Resellers from having an unaudited Signing Service?<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l0 level6 lfo6'><span style='font-family:"Aptos",sans-serif'>We made a lot of progress here so we should consider moving forward as-is<o:p></o:p></span></li></ul></ul></ul><li class=MsoNormal style='mso-list:l0 level3 lfo6'><span style='font-family:"Aptos",sans-serif'>Consider using the S/MIME BR language for effective date, Bruce/Corey to review that language <o:p></o:p></span></li></ul></ul></ul><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l3 level1 lfo9'><span style='font-family:"Aptos",sans-serif'>Proposed Ballot High Risk<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l3 level2 lfo9'><span style='font-family:"Aptos",sans-serif'>No updates until CSC-21 is completed<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l3 level1 lfo9'><span style='font-family:"Aptos",sans-serif'>Proposed ballot Remove EV Guideline References<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l3 level2 lfo9'><span style='font-family:"Aptos",sans-serif'>Will pick this up once we have all the notes from the F2F discussion<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l3 level1 lfo9'><span style='font-family:"Aptos",sans-serif'>Proposed ballot CSCWG Charter Update<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l3 level2 lfo9'><span style='font-family:"Aptos",sans-serif'>Need Martijn to update 
here<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l3 level1 lfo9'><span style='font-family:"Aptos",sans-serif'>Other business<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l3 level2 lfo9'><span style='font-family:"Aptos",sans-serif'>None<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l3 level1 lfo9'><span style='font-family:"Aptos",sans-serif'>Next meeting – 2 November<o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-family:"Aptos",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>