[Cscwg-public] Final minutes of CSWG call April 25, 2019

Dean Coclin dean.coclin at digicert.com
Thu May 9 13:01:56 MST 2019

Final Minutes CSWG April 25, 2019


Attendees: Dean Coclin, Oliver Kuley, Gordon Bock, Robin Alden, Enrico
Entschew, Joanna Fox, Rich Smith, Frank Corday, Chris Hickman, Karthik
(Cisco), Doug Beattie, Jason Cooper


Meeting Date 



Order of business

*       Anti-trust statement read

*       Rollcall

*       Approval of prior minutes



1.       Membership reviewed

2.       Submit notices to Adobe, Oracle, Malware detection community.
Report on status.

a.       Microsoft reached out to Oracle, but had not received a response.
Prior conversation with Oracle indicated a lack of interest/resources to

b.       Still engaging other parties (other than Oracle). Enrico reached
out to Adobe. 

3.       Dean will work on generating current ballot for Code Signing with

4.       List of revisions.  Desire to maintain document changes in a place
that everyone can access.  Doug will set up a Google Docs site so that we can
make improvements to EV and the Code Signing docs.

5.       EV Code Signing updates

a.       Any suggestions for improving EV guidelines? Recent incident in the
press of cert issued to entity in China used to sign malware

b.       Discussion using a face-to-face validation via Skype, Zoom, or in
person for improved validation

        i.       Would this actually
stop fraudulently issued certificates? Cybercriminals do not want to be

        ii.      This was something that
was previously looked at by Microsoft (Tom Albertson) but was dismissed as
being too onerous.  Do we want to revisit?

1.	Microsoft will evaluate

c.       Validating company primary function

        i.       Difficult to do in
countries where business registries do not always capture intent. Do we look
at a web page?  Most likely not entirely practical.

d.       Other methods for vetting out cyber criminals will be a discussion
for future topics

e.       EV CS should be used for OS/ecosystems where high privilege actions
are needed. MS kernel mode is just one example.


Meeting adjourned. Next meeting in 2 weeks


