<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:-apple-system;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:164176099;
mso-list-template-ids:-1509651856;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:1245141695;
mso-list-type:hybrid;
mso-list-template-ids:1356391054 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Final minutes of CSCWG meeting Jan 11, 2023<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Aptos",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Roll Call<o:p></o:p></span></li></ol>
<ul type="disc">
<li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Andrea Holland - (VikingCloud)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Brianca Martin - (Amazon)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Bruce Morton - (Entrust)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Corey Bonnell - (DigiCert)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Dimitris Zacharopoulos - (HARICA)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Eva Vansteenberge - (GlobalSign)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Ian McMillan - (Microsoft)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Inaba Atsushi - (GlobalSign)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Inigo Barreira - (Sectigo)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Janet Hines - (VikingCloud)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Martijn Katerbarg - (Sectigo)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Mohit Kumar - (GlobalSign)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Richard Kisley - (IBM)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Roberto Quionones - (Intel)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Rollin Yu - (TrustAsia)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Scott Rea - (eMudhra)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Thomas Zermeno - (SSL.com)<o:p></o:p></span></li><li class="MsoNormal" style="color:#3C4B64;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;mso-ligatures:none">Tim Hollebeek - (DigiCert)<o:p></o:p></span></li></ul>
<ol style="margin-top:0in" start="2" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Antitrust reminder: Read<o:p></o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="3" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Approve prior meeting minutes – Nov 30<sup>th</sup>, Dec 14<sup>th</sup></span> :
<span style="font-size:12.0pt">Both minutes were approved<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<ol style="margin-top:0in" start="4" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Ballot CSC-21 Signing Service: Discussion/Voting Period : Voting ends tomorrow 12 January 2024. Bruce stated 6 votes were required for quorum, but we only have 5 votes so far.
Dimitris advised that the membership tool states the quorum is 5. Bruce stated that he might have counted the meeting attendees improperly, so we will use system quorum number of 5.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="5" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Ballot CSC-22 Proposed High Risk Ballot: Discussion/Voting Period: Voting also ends 12 January 2024 and quorum of 5 has been met.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="6" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Proposed ballot Remove EV Guideline References status: Dimitris has provided a proposal for review. He will provide a mapping document to assist for review. Would like feedback
before proposing a ballot.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="7" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Proposed ballot CSCWG charter update status: Martijn stated the ballot closes today and we are exactly on the quorum number.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">PCI-HSM certification for Code signing HSMs (Richard K): Richard would like the CSCWG to consider using PCI-HSM as a certification approval method for crypto modules for the
CSBRs. PCI-HSM is a robust program which most vendors use. FIPS 140-2 and -3 have a long queue. For instance FIPS has 252 waiting, 8 in process, and only 12 people performing the process, so processing takes 12-18 months processing time. Common Criteria is
not universal. PCI-HSM covers the requirements and could be used as an alternative. Dimitris asked what the proposal would apply to – CA or Subscriber keys; Richard did not know where to apply. Ian asked what is the difference between PCI-HSM and FIPS; Richard
provided his perspective. Bruce stated that root CAs, subordinate CAs, time-stamp CA, Signing Service use HSMs, but there might not be a demand as this requirement is already met. Would PCI-HSM help to support the Subscriber end to provide more devices for
signing code. Dimitris stated that the CSBRs allow FIPS 140 Level 2 for Subscribers, which is lower that level 3, so maybe it would be approved for Subscribers. Ian stated that they would investigate to see if PCI-HSM would acceptable for Subscribers. Dimitris
asked if PCI-HSM supports remote key attestation; Richard stated the requirements do not address this requirement. If PCI-HSM is acceptable a member would have to write a ballot. We will wait until there is feedback from Microsoft.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="9" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Other business: Bruce was asking if there is new business, since 3 ballots will pass this week? Bruce asked if DigiCert is still planning to provide a CT demo; Corey suggested
we review with Ian. Bruce also stated that another topic is time-stamp changes, but this is also Ian’s action. It was suggested to work on the EV ballot. Dimitris said the change might be a issue as it could conflict with the BR of BRs process. Tim brought
up the question of what we are trying to resolve, but Dimitris suggested that the exercise would remove some EV requirements which do not make sense for CSBRs. Tim asked if the EV Guidelines could be added as an appendix; Dimitris suggested that that would
work for the verification requirements, but not the others.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="10" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Next meeting – January 25<sup>th</sup>
<o:p></o:p></span></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="11" type="1">
<li class="MsoNormal" style="mso-list:l1 level1 lfo1"><span style="font-size:12.0pt">Adjourn<o:p></o:p></span></li></ol>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#48565E;mso-ligatures:none"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Aptos",sans-serif;mso-ligatures:none"><o:p> </o:p></span></p>
</div>
</body>
</html>