<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:12.0pt;
        font-family:"Aptos",sans-serif;
        mso-ligatures:standardcontextual;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;
        mso-ligatures:none;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1000474712;
        mso-list-template-ids:1910806454;}
@list l1
        {mso-list-id:1506701210;
        mso-list-template-ids:1390709500;}
@list l1:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#467886" vlink="#96607D" style='word-wrap:break-word'><div class=WordSection1><div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Minutes for CSCWG Call 4 Apr 2024<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Agenda:<o:p></o:p></span></b></p><p class=MsoNormal><b><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p> </o:p></span></b></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Roll Call</span><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Antitrust reminder</span><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Approve prior meeting minutes – F2F  (awaiting draft from Andrea), March 21<sup>st</sup> (Brianca)</span><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 
level1 lfo3'><span lang=EN-IN style='font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Ballot status: Marking the EV CS guidelines obsolete (CSC-23). Do we need an IPR review?</span><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Proposed ballots: Remove EV Guideline References</span><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Proposed ballot for Time-stamp Requirements update; CSC-24<o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Continued discussion on Application for Associate Member status from Keyfactor <o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Interested Party application from Wangmo Tenzing (as an individual)<o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Other business</span><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN 
style='font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Next meeting – April 18<sup>th</sup></span><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li><li class=MsoNormal style='color:#212121;mso-list:l1 level1 lfo3'><span lang=EN-IN style='font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'>Adjourn</span><span lang=EN-IN style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p> </o:p></span></b></p><p class=MsoNormal><b><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Attendees:</span></b><b><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Brian Winters (IdenTrust), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Marco Schambach (IdenTrust), Mohit Kumar (GlobalSign), Nome Huang (TrustAsia), Rollin Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Trevoli Ponds-White (Amazon)</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-IN 
style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Minutes:<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Dean read the note well.</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Meeting minutes for F2F-New Delhi (Andrea Holland) yet to be posted.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Meeting minutes for March 21, 2024 Meeting (Brianca Martin) yet to be posted.</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Ballot CSC-23 Marking the EV Code Signing Guidelines SUPERCEDED<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>(Dean) This ballot passed, but the question has arisen whether there is need for an IPR review since all we are doing is marking these obsolete?<o:p></o:p></span></p><p 
class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>(Bruce) there is nothing to present to lawyers, so what is there to review?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Consensus on call is that IPR Review is not necessary in this case as agreed in WG call.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Removing EVG references in CSBRs</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>No recent update or status from Dimitris for removing references to EVGs. Since Dimitris is not on current call, this will be deferred to next meeting.</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Ballot CSC-24 Timestamping Private Key Protection<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Ballot was posted for discussion on 2 Apr 2024. Bruce raised concern that potential re-word was required because of NOT catering to Online CAs already in use. 
Mohit asked for clarification as to whether this only applied to future NEW CAs or whether it anticipated existing CAs to also be covered by the guideline. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>It is expected that some amendments will be applied to address the above, and a restart to the discussion period will apply.</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Individual Joiner Request</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Wangmo Tenzing from Lawrence Livermore National Lab originally sent IPR Agreement representing the Lab but clarified that this was rather meant to be an individual Interested Party and not as the Lab’s representative. IPRA was withdrawn, and request resubmitted as an individual Interested Party.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>No objections from WG to accept Wangmo as individual Interested Party. 
</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Associate Member Application<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Follow on from previous meeting (and F2F meeting) where discussion was held regarding Keyfactor’s application to become an Associate Member. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>No objections from WG to accept Keyfactor as an Associate Member.</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Other Business: EV vs OV for Code Signing<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Request Microsoft to clarify their treatment of OV vs EV CS certs and where there is differentiation. (Ian) The only place of differentiation is on-boarding for the Hardware Developer Centre Partner Program, which makes a requirement for EV.  
There is no other current differentiation anywhere.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Question from Bruce on how this is validated? (Ian) We are not looking at the OID in the cert, we are more looking at the issuing CA, since it’s only on application to the program. Microsoft is currently reviewing with the Hardware Developer Centre folks to work out how this will be dealt with in future.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Clarification requested from Bruce on whether it’s the case that EV no longer helps with Reputation? (Ian) It is not the signer’s reputation that is paramount rather than the credentials they are using.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Clarification from Bruce as to whether Microsoft values SubjectInfo in EV certs? (Ian) There is not a focus to put any value on EV-specific fields.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Clarification from Mohit as to whether that implies a move to OV in future? (Ian) Microsoft is evaluating the bar between OV and EV and looking to strike a balance between EV rigor and the effort for organizations around the world to get it. We are trying to make it as simple as possible for the ecosystem. 
So we are evaluating if an EV uplift is worth the value…<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Suggestion from Bruce: take current BRs, and remove all EV related content and see if it makes sense or whether the extra EV stuff is actually still needed?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>(Ian) The biggest challenge is how to provide clear communications to developers about which certificate is required.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>(Bruce) Perhaps the better approach is to decide where to go with this, and then just work towards that.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Some discussion ensued about current validation of Organizations across all the CABF working groups, and Bruce pointed out we already have 3 ways today, and surely there was little value introducing a 4<sup>th</sup> specific to CS. To have further discussion at the next F2F.</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Meeting adjourned. 
Next meeting April 18<sup>th</sup>.</span><span lang=EN-IN style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E;mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IN style='font-size:11.0pt;mso-ligatures:none'><o:p> </o:p></span></p></div><p class=MsoNormal><span lang=EN-IN><o:p> </o:p></span></p></div></body></html>