<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:442113879;
mso-list-type:hybrid;
mso-list-template-ids:-103795458 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:580335242;
mso-list-type:hybrid;
mso-list-template-ids:1635149612 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:653221345;
mso-list-type:hybrid;
mso-list-template-ids:871418306 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3
{mso-list-id:822161258;
mso-list-type:hybrid;
mso-list-template-ids:1111799286 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:-.25in;
font-family:Wingdings;}
@list l4
{mso-list-id:1254825697;
mso-list-type:hybrid;
mso-list-template-ids:-1424708180 592897662 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:"Times New Roman";}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5
{mso-list-id:1433546724;
mso-list-type:hybrid;
mso-list-template-ids:808994848 592897662 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l5:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:"Times New Roman";}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b><span lang=EN-GB style='font-size:12.0pt'>Meeting Minutes November 30, 2023<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Attendance: Andrea Holland - VikingCloud<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Atsushi INABA - GlobalSign<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Ben Dewberry - Keyfactor<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Brianca Martin - Amazon<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Bruce Morton - Entrust<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Dean Coclin-DigiCert<o:p></o:p></span></p><p class=MsoNormal><span lang=ES style='font-size:12.0pt'>Dimitris Zacharopoulos - HARICA<o:p></o:p></span></p><p class=MsoNormal><span lang=ES style='font-size:12.0pt'>Eva Van Steenberge - GlobalSign<o:p></o:p></span></p><p class=MsoNormal><span lang=ES style='font-size:12.0pt'>Ian McMillan Microsoft<o:p></o:p></span></p><p class=MsoNormal><span lang=ES style='font-size:12.0pt'>Inigo Barreira - Sectigo<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Martijn Katerbarg - Sectigo<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Mike Ounsworth - Entrust<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Rollin Yu - TrustAsia<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Scott Rea - eMudhra<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>TIM CRAWFORD - BDO<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Tim Hollebeek 
-DigiCert<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Trevoli Ponds-White - Amazon Trust Services<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Corey Bonnell – DigiCert<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Approval of prior meeting minutes: no recording, minutes done from memory: no comments, approved.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Ballot statuses (Bruce Morton - Entrust)<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l2 level1 lfo1'><span lang=EN-GB style='font-size:12.0pt'>21 (Signing Service): delayed based on conversation last time, open discussion, has 90 days to let it fail or put something else out. Currently on hold.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level1 lfo1'><span lang=EN-GB style='font-size:12.0pt'>High risk ballot: agreement on text, two endorsements, just waiting on current ballot to finish IPR review, then the updates to GitHub can happen.<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l2 level2 lfo1'><span lang=EN-GB style='font-size:12.0pt'>Corey: IPR review ends next Monday or around that time.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level2 lfo1'><span lang=EN-GB style='font-size:12.0pt'>Bruce to send ballot for discussion after Corey sends link. 
Expected minimal discussion, done before holiday season.<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l2 level1 lfo1'><span lang=EN-GB style='font-size:12.0pt'>Remove EV guideline references: Dimitris Zacharopoulos (HARICA): worked on this, created a new branch, imported as many of the EV references, working against 1.8.0 version of EVGs. We can decide what we do with it.<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l2 level2 lfo1'><span lang=EN-GB style='font-size:12.0pt'>Effective date of September 15<sup>th</sup> 2024 for incorporating agencies, but just a placeholder<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l2 level2 lfo1'><span lang=EN-GB style='font-size:12.0pt'>Painful to import EVGs, because they reference themselves. Work in progress. Following Inigo’s recommendations, spotted some issues, reported to Inigo. More at next meeting<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l2 level1 lfo1'><span lang=EN-GB style='font-size:12.0pt'>Charter update: (Martijn Katerbarg – Sectigo): waiting for 19 to end voting, and then kick-off discussion for Forum 20.<o:p></o:p></span></li></ul><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Dean Coclin-DigiCert:<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l0 level1 lfo2'><span lang=EN-GB style='font-size:12.0pt'>ITrus China: Application seems to be in order, roots in Mozilla, but does not deal with Codesign. Are they a codesign issuer, because our by-laws for code signing require that. 
<o:p></o:p></span></li></ul><ul style='margin-top:0in' type=disc><li class=MsoNormal style='margin-left:.25in;mso-list:l3 level1 lfo3'><span lang=EN-GB style='font-size:12.0pt'>Ian McMillan – Microsoft: not aware they are trusted, and currently not accepting new members, or with very stringent requirements.<o:p></o:p></span></li><li class=MsoNormal style='margin-left:.25in;mso-list:l3 level1 lfo3'><span lang=EN-GB style='font-size:12.0pt'>Dean: Ask ITrus if they are a CodeSign issuer, maybe offer to grant them a different status, interested party or associate member?<o:p></o:p></span></li><li class=MsoNormal style='margin-left:.25in;mso-list:l3 level1 lfo3'><span lang=EN-GB style='font-size:12.0pt'>Dimitris: if they applied for it, allow associate, if not applied, then interested party would be best option.<o:p></o:p></span></li><li class=MsoNormal style='margin-left:.25in;mso-list:l3 level1 lfo3'><span lang=EN-GB style='font-size:12.0pt'>Dimitris: just root issuer, not for CodeSign or NetSec.<o:p></o:p></span></li><li class=MsoNormal style='margin-left:.25in;mso-list:l3 level1 lfo3'><span lang=EN-GB style='font-size:12.0pt'>Dean to go back to them. (<b>SUBSEQUENT TO MEETING IT WAS DISCOVERED THAT THE WRONG APPLICANT WAS DISCUSSED. SHOULD HAVE BEEN TrustAsia. They will stay as Associate Member</b>)<o:p></o:p></span></li></ul><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l1 level1 lfo4'><span lang=EN-GB style='font-size:12.0pt'>Maria Merkel wants to participate in CodeSign, ServerSign, SMIME, application has been signed. Person, not a company, no reason to object. No concerns noted. 
Added to mailing list.<o:p></o:p></span></li></ul><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Next meeting in 2 weeks, no meeting week of 28<sup>th</sup>.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Bruce: Mike Ounsworth has worked for Entrust for quite a few years. He’s active in the R&D functions, quite active in other standards, including post-quantum standards. Moving away from software keys to hardware only keys, but not having a standard for attestations.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Mike Ounsworth – introduction. Software Security Architect at Entrust. IETF participant, protocol designer. Author of one RFC and 14 active internet drafts. Member of IETF Security Area.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Most work is around Post-Quantum, but not talking about that, instead talking about Key Attestation. 2 Active Internet Drafts about this topic, one about CSR attestation and one other. Discussed in more detail further in the presentation.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>(See attached presentation)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Attestation roadblock. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>CA/B Forum Code Signing – the intent is great, but how is this proven to a CA? How is a CA supposed to decide which evidence counts and what doesn’t? 
Mike presented some types of “evidence” and explained the problems – text not being cryptographically sound, audit letters, lists of HSMs, pictures. CAs make do with what is being provided. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Explained that there are practical challenges at the customer side, or customers are using Cloud providers, which have the information but it’s difficult for CAs to access it. Sometimes it becomes apparent that the customer is not using the HSM in FIPS mode or they haven’t made patches, which arguably is the requirement working successfully (maybe, is this really the group we should block from getting certificates, companies that have HSMs, but not in the right configuration, potentially blocking security patches for their own software?).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>We don’t have an automated, standard way to determine what hardware a private key is stored on. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Even when they have the hardware, it’s difficult to determine if it’s configured correctly. Customers provide a lot of information which is hard to digest and potentially not relevant. Additionally, customers are not used to the friction in this process, therefore they order their certificates late. Validation specialists are not always technical and have to guide semi-technical customers to verify if the requirement has been met.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>What we want is clear. Check the CSR, and check that the key is in the right hardware. But how do we get there?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Tim Hollebeek: These options are allowed by the requirements. It’s better to have an option that is easier, better and that works for everyone.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Mike: Everyone on the same page. 
Solution is Remote Attestation, often called Key Attestation, but that is only a corner of Remote Attestation; the technology is more powerful.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Roadmap on Remote Attestation standards.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Side question: how to manage the manufacturer root store?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Multiple frameworks<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l1 level1 lfo4'><span lang=EN-GB style='font-size:12.0pt'>IETF Remote Attestation Procedures (RATS) Architecture<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo4'><span lang=EN-GB style='font-size:12.0pt'>Trusted Computing Group (has 2)<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l1 level2 lfo4'><span lang=EN-GB style='font-size:12.0pt'>TPM 2.0 Attest, includes Remote Attestation (oldest)<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level2 lfo4'><span style='font-size:12.0pt'>TCG Device Identifier Composition Engine (DICE) – things on a motherboard authenticating to each other. 
Robust remote attestation framework<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l1 level1 lfo4'><span style='font-size:12.0pt'>RATS and DICE are pretty closely aligned and more modern.<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Attester (HSM that holds the private key), creates a CSR, including attestation evidence, goes to CA/RA, which are the relying party who are going to make a decision. Separate role for the verifier that checks the attestation. This may be part of the RA or could be a separate component, and provides an attestation result, on which a relying party can make a decision.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Types of attestation data:<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l5 level1 lfo5'><span lang=EN-GB style='font-size:12.0pt'>Evidence. <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l5 level2 lfo5'><span lang=EN-GB style='font-size:12.0pt'>Platform evidence (evidence of the device as a whole)<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l5 level2 lfo5'><span lang=EN-GB style='font-size:12.0pt'>Key evidence (e.g. imported or not, exportable or not)<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l5 level2 lfo5'><span lang=EN-GB style='font-size:12.0pt'>Signed using an attested key, typically a device manufacturer root anchor (X.509 certificate)<o:p></o:p></span></li></ul><li class=MsoNormal style='mso-list:l5 level1 lfo5'><span lang=EN-GB style='font-size:12.0pt'>Endorsement: a third party making assertions about the device that the device cannot know itself. Usually signed by a trust chain.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l5 level1 lfo5'><span lang=EN-GB style='font-size:12.0pt'>Reference value: profile of “known good configurations”. 
Allows the verifier to check the evidence and endorsements. May or may not be signed.<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Mike provided an explanatory metaphor of checking into an unmanned hotel. The evidence is the selfie. The passport contains a photo, which is the reference. The other information is endorsement. The selfie doesn’t contain name and date of birth.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>This Attestation is what we are trying to build. Inside the CSR is the regular CSR stuff, plus an evidence statement, including platform evidence and key evidence. Evidence is signed by an attestation key which lives on the device, which chains to a relevant trust anchor. This allows the evidence to be verified and ensures integrity.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>From the perspective of the HSM vendor: evidence has to be collected and signed by the firmware. Code change inside the FIPS boundary. Outside script could be spoofed. The Attesting Key has to be placed on the device at manufacturing, has to chain, can’t be used for any other purpose. 
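</span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>The Attester / Verifier / Relying Party flow and the three data types described above, as an added example (not code from the presentation or from the LAMPS draft): a CSR carrying platform and key evidence signed by a device attestation key, a verifier that checks it against a manufacturer trust store, an endorsement record and reference values, and a CA that acts only on the verifier’s result. The device names, the JSON layout and the HMAC stand-in for the device’s asymmetric attestation signature are assumptions made here.</span></p>

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# All identifiers and values below are constructed for this example.
# Manufacturer trust store: attestation-key id -> key material. A real HSM holds an
# asymmetric attestation key whose certificate chains to the manufacturer root; an
# HMAC key stands in here so the example runs on the standard library alone.
MANUFACTURER_TRUST_STORE = {"acme-hsm-attest-key-0001": b"constructed-attestation-key-secret"}

# Endorsement: a third party's machine-readable record (CMVP-style) of which firmware
# versions were validated for a model. The device cannot assert this about itself.
ENDORSEMENTS = {"ACME HSM 9000": {"validated_firmware": ["4.2.1", "4.3.0"]}}

# Reference values: the relying party's profile of "known good configurations".
REFERENCE_VALUES = {"fips_mode": True, "vulnerable_firmware": {"4.2.1"}}


def _canonical(obj) -> bytes:
    # Deterministic encoding so the attester and the verifier MAC the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_csr(subject, public_key, platform, key_props, attest_key_id, attest_key):
    """Attester (HSM firmware): the regular CSR fields plus a signed evidence bundle.
    Each evidence statement carries a type tag (the draft uses an OID) and a body."""
    statements = [
        {"type": "platform-evidence", "stmt": platform},
        {"type": "key-evidence", "stmt": {**key_props,
         "public_key_sha256": hashlib.sha256(public_key.encode()).hexdigest()}},
    ]
    sig = hmac.new(attest_key, _canonical({"evidence": statements}), hashlib.sha256).hexdigest()
    bundle = {"evidence": statements, "attest_key_id": attest_key_id, "signature": sig}
    return {"subject": subject, "public_key": public_key, "evidence_bundle": bundle}


@dataclass
class AttestationResult:
    trusted: bool
    reasons: list = field(default_factory=list)


def verify(csr, trust_store, endorsements, reference_values) -> AttestationResult:
    """Verifier: signature, key binding, endorsement and reference-value checks."""
    bundle = csr["evidence_bundle"]
    attest_key = trust_store.get(bundle["attest_key_id"])
    if attest_key is None:
        return AttestationResult(False, ["attestation key not in manufacturer trust store"])
    expected = hmac.new(attest_key, _canonical({"evidence": bundle["evidence"]}),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["signature"]):
        return AttestationResult(False, ["evidence signature invalid"])
    stmts = {s["type"]: s["stmt"] for s in bundle["evidence"]}
    platform, key_ev = stmts.get("platform-evidence"), stmts.get("key-evidence")
    if platform is None or key_ev is None:
        return AttestationResult(False, ["platform or key evidence missing"])
    reasons = []
    # The attested key must be the very key the CSR asks the CA to certify.
    if key_ev["public_key_sha256"] != hashlib.sha256(csr["public_key"].encode()).hexdigest():
        reasons.append("key evidence does not match CSR public key")
    if key_ev.get("imported"):
        reasons.append("key was imported rather than generated on the device")
    if key_ev.get("exportable"):
        reasons.append("key is exportable")
    model, fw = platform["model"], platform["firmware"]
    if fw not in endorsements.get(model, {}).get("validated_firmware", []):
        reasons.append(f"firmware {fw} has no endorsement for {model}")
    if platform.get("fips_mode") != reference_values["fips_mode"]:
        reasons.append("device not in FIPS mode")
    if fw in reference_values["vulnerable_firmware"]:
        reasons.append(f"firmware {fw} is in the known-vulnerable set (unpatched)")
    return AttestationResult(not reasons, reasons)


def ca_decide(result: AttestationResult) -> str:
    """Relying party (CA/RA): acts only on the verifier's attestation result."""
    return "issue" if result.trusted else "reject"


def demo():
    """Run four constructed CSRs through the verifier and return the results by name."""
    kid = "acme-hsm-attest-key-0001"
    key = MANUFACTURER_TRUST_STORE[kid]
    good_platform = {"model": "ACME HSM 9000", "firmware": "4.3.0", "fips_mode": True}
    good_key = {"imported": False, "exportable": False}
    good = build_csr("CN=Example Signer", "PUBKEY-A", good_platform, good_key, kid, key)
    not_fips = build_csr("CN=Example Signer", "PUBKEY-B",
                         {**good_platform, "fips_mode": False}, good_key, kid, key)
    unpatched = build_csr("CN=Example Signer", "PUBKEY-C",
                          {**good_platform, "firmware": "4.2.1"}, good_key, kid, key)
    # A script outside the FIPS boundary editing evidence after the firmware signed it.
    tampered = copy.deepcopy(not_fips)
    tampered["evidence_bundle"]["evidence"][0]["stmt"]["fips_mode"] = True
    csrs = {"good": good, "not_fips": not_fips, "unpatched": unpatched, "tampered": tampered}
    return {name: verify(c, MANUFACTURER_TRUST_STORE, ENDORSEMENTS, REFERENCE_VALUES)
            for name, c in csrs.items()}
```

<p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Running demo() yields an attestation result the CA can issue on for the good CSR and a rejection with the specific reason for the non-FIPS, unpatched and tampered ones.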
<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>This is harder than a CSR, which is generated outside the FIPS boundary.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Challenges for the HSM vendor:<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l5 level1 lfo5'><span lang=EN-GB style='font-size:12.0pt'>The fact that the evidence has to be collected and signed by firmware means that adding or modifying this functionality forces a recertification of the audited codebase. <o:p></o:p></span></li><li class=MsoNormal style='mso-list:l5 level1 lfo5'><span lang=EN-GB style='font-size:12.0pt'>The elements surrounding the Attestation key mean that it cannot be retrofitted into existing hardware (“new devices only”). This may be too harsh: in certain circumstances certain elements could be updated via software patches, or the key can be retro-fitted via some key ceremony, but that’s incredibly hard. Not impossible, but not practical.<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Tim Hollebeek commented that he’d like to push back a little bit on the fact that it would be hard to do it with existing devices. Audited creation of a key is something that we understand pretty well and could do. If we had rules about and then if that key was used to sign various evidence statements, it wouldn't be as good as a manufacturer based solution, but we could design this as a solution that could work.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Mike agreed that the language could be softer. There is some existing solution if you want to assign an attestation key from the corporate PKI, that will override the one embedded. This option exists in some implementations. 
Talk to your HSM vendors – proprietary and in-field.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Tim Hollebeek suggested this could be done without the manufacturer’s support. Everybody has an automated procedure for designating one of the keys on the HSM as being the key for this purpose. During the highly secure audited procedure it can be agreed in the audit letter what the hash is, what the public key is. One could design such a system, even without the manufacturer, but yeah, you would eventually be building an entire HSM based attestation and audit scheme on top of the existing stuff, and we don't want to do that. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Mike responded that then you'd have questions, like, having a script external to the HSM, that queries its model number and firmware version.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Tim Hollebeek replied that he was assuming that it’s one of these programmable HSMs where some of that information is available inside the device, and so as long as you had a key within the device you could do a signature of the internal data, or simply signing a challenge-response would show that you actually are the HSM. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Mike: Challenge accepted. Language could be softened from cannot be done to it’s tricky.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Standardisation status<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Within TCG, very mature. </span><span style='font-size:12.0pt'>Actual data is proprietary but protocol is standardized. DICE is robust, but limited in scope. 
WebAuthn / Passkey is robust but data tend to be proprietary.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Everything is all over the map: not non-existent, just non-standard. Many HSM vendors have some sort of key attestation, but the format is non-standard. All reasonable choices, but different choices. A parser per hardware vendor is required. No standardized way to carry attestation in a CSR. This is the next barrier.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>Two IETF Internet-Drafts are being designed. On top of the slide: NIST latched on to this. They will need to provide machine-readable versions of the CMVP certificates to fully automate this. We’re asking them to provide this in full attestation endorsement format, so the endorsement could be embedded in the CSR fully detached. Not sure if they can host the signing key. They might provide a REST API. Not quite as good, but probably workable.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>LAMPS draft adopted in August, very close to Working Group Last Call. Quite fast-moving. Take whatever attestation you have and place it in the CSR, agnostic. Pick an OID to identify the EvidenceStatement type. Layer of EvidenceStatement, defined for different types of CSRs. One or more evidence bundles, then evidence statements and certificate type. Designing with light devices in mind.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt'>The structure might seem weird; the reason for that is that the technology is going to grow to support use-cases where the device might have a platform-level attestation key that lives in the root of the device and signs platform attestations. In the HSM partition, it may make sense to have the key attestation in the partition.
This is why it’s an evidence bundle; otherwise you may end up duplicating certificates, where the platform and the manufacturing certificates would have to go in twice. This structure allows for performance optimisation. It also makes the verifier’s job easier.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Observations:<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l4 level1 lfo6'><span lang=EN-GB style='font-size:12.0pt'>For CSRs, not for certificates.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l4 level1 lfo6'><span lang=EN-GB style='font-size:12.0pt'>There are legitimate reasons to want to put this information in the certificate. But this is not what this is. There are some security and privacy implications, particularly with public trust and publication in CT logs.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l4 level1 lfo6'><span lang=EN-GB style='font-size:12.0pt'>Size: one or more certificate chains in the certificates.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l4 level1 lfo6'><span lang=EN-GB style='font-size:12.0pt'>Manage the trust store for both evidence and endorsement statements. 
Question is: who manages this?<o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='mso-list:l4 level2 lfo6'><span lang=EN-GB style='font-size:12.0pt'>Each CA separately?<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l4 level2 lfo6'><span lang=EN-GB style='font-size:12.0pt'>Centralized? Gets tricky: WebTrust Certified Manufacturing Facility Audit? Big manufacturers are probably trusted, but as you get down to smaller vendors who people haven’t heard of, how does one decide if their manufacturing facility is worthy of public trust?<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l4 level2 lfo6'><span lang=EN-GB style='font-size:12.0pt'>Anti-trust: could be seen as a first step of locking down the internet. Could be an existential threat to the very concept of the open internet. E.g. only allow Netflix from a Netflix-certified Android device. What we’re doing here is reasonable, but people will be watching this as a gateway technology to more restrictive behaviours.<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l4 level2 lfo6'><span lang=EN-GB style='font-size:12.0pt'>Policy and politics problem.<o:p></o:p></span></li></ul></ul><p class=MsoNormal><span style='font-size:12.0pt'>Tim Hollebeek: From a CA/B Forum perspective, it’s out of scope. Scope is limited to certificates that are trusted by the certificate consumers who participate in this forum. 
Those are the appropriate people to manage the requirements around what attestations they are willing to accept.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>And, of course, they could ask this group to come up with a set of minimum requirements, and procedures for verifying them, that such a hardware manufacturer might need to meet in order to participate in the program that they are running, using the requirements produced by this particular forum; but this particular forum is not involved in the assessment of anybody who chooses to be assessed for the purposes of being trusted by a certificate consumer who consumes the requirements.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Dimitris Zacharopoulos (HARICA): The Forum does not police the eco-system and doesn’t supervise anyone. We’ve seen something similar in the FIDO Alliance: metadata service, all manufacturers are sharing their keys. Not sure how someone can add their device keys. Sounds like a similar problem. Are the manufacturers in the IETF group considering something like this?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Mike: Sort of comes up; they are waiting for someone to tell them where to submit their root keys to. Option 1 is the default option (CA-based), unless we find a centralized way.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Dimitris Zacharopoulos (HARICA): An easier way would be something like the bigger consortium or the CA/B Forum having pointers to every HSM manufacturer page where they share their keys. And create a repository in an informative way. No decisions. 
Just the table with pointers.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Mike Ounsworth: And inclusion in that wiki is really just open?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Tim Hollebeek: Yes. That would be especially useful because we don't even have a standard yet. Hopefully, we will have the standard in 6 months. This is all great work and there's going to be follow-on work related to this. Because of course, at this point, you just get a blob in your CSR. Hardware manufacturers are still all over the map on what the format is. And how you would consume that is going to be one of the next problems we're going to have to solve.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>As we have emerging standards in this area, it would be very useful to have a wiki that basically just says the following manufacturers claim to comply with RFC 9999 Security Attestation. And then we will be able to say, here's the list of manufacturers who have adopted 1 of these standardized solutions. We can now talk to them about how their technology works and how we might integrate with it.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Dimitris Zacharopoulos (HARICA): But we're still looking at the years ahead, because these devices need to be re-certified and that takes time.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Mike: Yes and no.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>The people with checkmarks can already do it; those devices can already produce attestations in their own proprietary format. Within the next 6 months, we'll have an RFC for how to take these and bundle them into a standardized CSR attribute, and that's enough to get automation value here. 
The CA would still need a per-vendor parser, but at least the way to transport that data across is standardized. Once you can put it in a CSR, then you can do ACME, then you can do whatever takes CSRs. This is a this-year type delivery, and I think we can get some automation immediately.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>To Tim’s second point, we're also working on a standardized evidence format to solve the “all over the map” problem. This is much less mature. We just put out the 1st version of it, 3 weeks ago. We've sort of got the platform attestation elements nailed down: which hardware model / software model is it in? Is it in debug mode? Do you need to say anything about your FIPS configuration or CC configuration?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>We're about to start on the key properties, defining non-exportable and imported. Looking at what we can borrow that already exists. This one is the one that will take years. At least a year for us to even agree on the semantics of this document and get it published as an RFC. This will be device only or patching. Yeah.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>However, taking what you already can produce today and putting it in the standardized CSR, that should be doable this year.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Dean Coclin-DigiCert<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Wonderful presentation. Thank you very much for taking the time with us to share this information; it was certainly eye-opening to myself and I'm sure others as well. 
I think, if you're available for future meetings, you could maybe answer future questions.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>We had 3 people join who are not in the original attendance: Scott, Ray and Tim Crawford. We'll add those in.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div><p class=MsoNormal><b><span style='font-family:"Arial",sans-serif;color:#0174C3;mso-ligatures:none'>Dean Coclin <o:p></o:p></span></b></p></div><p class=MsoNormal><o:p> </o:p></p></div></body></html>