[Cscwg-public] Final minutes of CSCWG call Nov 19, 2020

Dean Coclin dean.coclin at digicert.com
Fri Dec 4 20:58:39 UTC 2020

These are the approved minutes of the subject call:



Attendees: Dean Coclin, Atsushi Inaba, Tomas Gustavson, Tadahiko Ito, Mike
Reilly, Bruce Morton, Joanna Fox, Daniela Hood, Corey Bonnell, Tim Crawford,
Jeff Ward, Chris Kemmerer, Hugh Mercer, Nicole Murray, Tim Hollebeek, Ian
McMillan (joined after 30 mins).


1.	Antitrust statement was read
2.	Prior minutes approved with minor correction on next meeting date
3.	Pre-ballot CSCWG-7: Needs ballot endorsers. Dean asked everyone to
review the ballot over the next two weeks and consider endorsing
4.	Discussion of Tadahiko email:

Are the following statements (1) to (3) all true?


(1) On Appendix A (2) of BR for Code sign, it says it is for "Timestamp
Root, Subordinate CA, and Timestamp Certificates".

"Timestamp Certificates" include "TSA certificates (Defined in RFC3161)"

Discussion: Yes, we believe this is true as stated. 


(2) On Appendix A (3), it only talks about hash, but not about RSA key length.

It is only because the requirement for RSA key length is defined in (2), so
there is nothing to say about the RSA key.

Hence, the "signed value" which is signed by the TSA certificate to the
Timestamp token needs to be more than 3072 bits.

Discussion result: In Table 3, the transition date for hashing
algorithm is April 30, 2022, but in Table 2, the key size change is June 1,
2021 for 3072 key size. Hence the distinction.


(3) Appendix A (3) is only for "The digest algorithms used to sign Timestamp
tokens", so (for example) some IDs which are derived with sha1 and written
inside of the timestamp token are not in scope of that requirement.

Discussion result: Yes, we believe this is true (with an asterisk). It's not
possible to determine what is written inside the TS token. If it were HMAC
SHA1 it is YES.


5.	Discussion of Tomas topic: Section on key protection (16.2). Tomas
had reached out to HW vendors that make the silicon for the HW security
modules. They need clear explanations of what is expected. Not sure if this
is something this forum should do. Decided to hold off discussion until Ian
joins the call
6.	Parking lot list: reviewed a few items but some needed Ian's
assistance so further discussion was postponed. Audit regimes were discussed
but that is still evolving. Updated the latest status here:
7.	Requirement for 3072 roots in June 2021: Daniela said this is
problematic if the root needs to be 3072. Could affect 6,000 customers. Ian
said the whole chain will need to be minimum 3072, including the root. CAs
that don't have this will need to get this in place. Bruce said this is fine
for Microsoft but would also affect other applications like Java. Discussion
around the problem of getting new roots in place in time (requirement was
not clear in the document). People didn't think that the root needed to be
that size. Daniela asked about pushing the date out further to accommodate
CAs that don't have 3072 roots yet. Ian said he would go back and review the
impact by the next call. Corey asked about using the lifetime signing OID to
help solve this issue. Ian didn't think that would be a good customer
experience as the developer would have to get another cert and re-sign
everything with the cert that had the lifetime signing OID.  Tim said we
should look at the overall 10 year requirements for code signing at a
separate meeting. 
8.	Short discussion on FIPS 140-2 vs -3 reqts. Ian would like to add -3
but we will pick this up on the next call.
9.	Next call December 3rd
10.	Adjourned


Dean Coclin


