[Cscwg-public] Final Minutes of CSCWG Sept 24th

Dean Coclin dean.coclin at digicert.com
Thu Oct 8 18:57:52 MST 2020


Final Minutes Sept 24th 

1.	Roll call: Dean Coclin, Atsushi Inaba, Bruce Morton, Tim Crawford,
Ian McMillan, Ken Martin, Ben Wilson, Mike Reilly, Chris Kemmerer, Hugh
Mercer, Joanna Fox, Thomas Zermeno, Daniela Hood
2.	Antitrust statement: Read by Dean
3.	Approval of minutes of last call (Sept 10): Minutes approved and
published to public list
4.	Proposed ballots (Tim): Tim was not on the call but everyone
acknowledged that CSCWG-4 is in the discussion period. Voting will start
next Tuesday
5.	High Risk Requests (Ian and Guests). Ken Martin from DigiCert was
invited to discuss his experience as a prior support manager in dealing with
this issue. Ken described an ongoing battle to prohibit fraudsters from
getting code signing certs including manually reviewing requests that were
affiliated with major software producers, getting photographs of applicants,
and checking applicants against malware databases. Ken suggests that all
requests should be considered "high risk" and that extra scrutiny be built
into the BRs to reflect this. Whatever is decided, the requirements must be
uniform and unambiguous to ensure all CAs treat requests the same. Ian from
Microsoft agreed. Other CAs (Entrust, GoDaddy, Globalsign) described similar
procedures for high risk requests. Dean said the only way to really ensure
malware is not signed is to have it uploaded to a portal before it is signed
to be scanned and to not distribute private keys. Ian said that fraudsters
were able to circumvent a similar procedure used by Apple and hence it's not
foolproof. Ben suggested that CAs share information about malware and
pointed to an effort in the Forum from several years ago on information
sharing (siswg at cabforum.org was the prior mail
list). Ian agreed to review all this information and make some
recommendations on a future call.
6.	Next meeting:  Oct 8th. We will resume the EV vs non-EV discussion
7.	Adjourn

 

Dean Coclin

CSCWG Chair

 

 
