[Cscwg-public] Final Code Signing Working Group Minutes - 10 October 2019

Dean Coclin dean.coclin at digicert.com
Thu Oct 24 20:04:33 MST 2019


Meeting Minutes


1.	Call to Order - Assign Note taker (need a volunteer) - Bruce Morton
2.	Reading of Anti-Trust Statement - complete
3.	Roll Call - Bruce Morton, Tim Callen, Jason Cooper, Gordon Bock,
Hugh Mercer, Daniela Hood, Rich Smith, and Jeff Ward
4.	Approval of prior minutes - Minutes from 12 September 2019 were
5.	Potential new members status - No new members were discussed
6.	Potential changes 

a.	SHA-1 prohibition to May 31, 2020 - Jason Cooper will action drafting a ballot.
b.	Combine EV CS and BR CS into one document

      i.   Bruce Morton and Jason Cooper reviewed the BR and EV Code Signing documents and have created a table indicating what can be merged and where some differences are. Bruce and Jason consider the documents can be merged.

      ii.  Some differences are that one document discusses Signing Service and the other discusses Signing Authority. The Signing Authority may have a certificate for as long as 135 months. No CA on the call stated that they are a Signing

      iii. Jason suggested that we could do a survey with the CAs to try to establish the current status. This may be important; for instance, if no CA is a Signing Authority, then perhaps this role can be removed. If no CA has a CPS to RFC 2527, then this requirement can be removed.

      iv.  Two methods to merge were discussed:

           1) Migrate BR and EV together and create a new document in the current format, then migrate to RFC 3647 format as a second project; or

           2) Start with the SSL BRs, which are already in RFC 3647 format, and change them to incorporate the BR and EV Code Signing requirements. This proposal would take advantage of all the changes which have been done to the SSL BRs; it would also change the format.

      v.   It was discussed whether the new document should be stand-alone and not have the references to the SSL BRs and the SSL EV Guidelines. The advantage is that code signing would not have the risk of changes from the SCWG. The disadvantage is that the CSWG would have to maintain all of these clauses, which might be an issue for a working group with a low number of members. After further discussion, it was suggested that we keep the references to the SSL BR/EV documents; changes to those documents would be accepted by default. The CSWG would monitor those changes by tracking closed SCWG ballots through a standard agenda item for the bi-weekly meetings. If the ballot was acceptable, then there would be no impact, but if the ballot was unacceptable, then a change would be required to the CSWG document.

      vi.  It was discussed that this would be a long project which would not address code signing security issues. It was suggested that security issues would have to be addressed in parallel and also that the merging of the documents may indicate security items which need to be addressed.

7.	Any other business - no other business was discussed
8.	Adjourned.