[Cscwg-public] Final Minutes of CSCWG Meeting August 27, 2020

Thu Sep 10 09:47:37 MST 2020

Here are the final minutes of the subject call:

1.	Roll call: Bruce Morton, Tim Callan, Tim Crawford, Mike Reilly,
Atsushi Inaba, Rick Smith, Hugh Mercer, Tomas Gustavson
2.	Antitrust statement: Read by Bruce
3.	Minutes for July 30, 2020 and August 13, 2020 were approved
4.	Review Of Parking Lot List:

*	Items owned by Ian were not discussed as Ian did not attend the
meeting.
*	Section 7.2 - Bruce was working on separating the CA and the Signing
Service warranties. Bruce had some questions about trying to understand the
Signing Service model which the document is trying to support. There appears
to be an issue as the EV Guidelines were created with a Signing Authority
which could get a 135 month certificate, but the BRs were created with a
Signing Service which could authenticate Subscribers and host Subscriber
certificates. It was also discussed that an enterprise might be providing s
Signing Service for internal use, but it was suggested that this is really
the Subscriber model. There was no clear consensus on the model we are
trying to present. Further it was discussed that if a cloud-provider if
hosting the keys that this is NOT a Signing Service. It was suggested that
to minimize the issue, the BRs could be edited so that the Signing Service
is only provided by the CA and not by another third party. This would seem
to make it less risky for the end users and easier to audit.
*	Section 14 - Bruce stated that this is a Non-EV versus EV issue and
would make a proposal on this issue at a future meeting.
*	Section 15 - Bruce did review the logging issues for the CAs/Signing
Authorities vs TSA. The problem has now been complicated as the SSL BRs has
updated the logging section for CAs, which might not be applicable to TSAs.
Bruce proposed not to make a change at this time.
*	Section 17.1 - The question was do we still need special audit
requirements for governments. Mike stated that Microsoft is trying to remove
government from the code signing business. When this is resolved, Microsoft
will make a proposal to remove this requirement.
*	Non-EV versus EV items - Bruce proposed that he would go through the
BRs to make comments on all Non-EV vs EV issues to be presented at a future
meeting.
*	Section 17.1 (2) - Until there is both a single BR document and
single WebTrust audit criteria, there may be 2 audit reports for a CA which
does both Non-EV and EV code signing audits. This should resolve itself over
the next year or so.
*	Section 11.8 - This is regarding 2 person control for Non-EV
verification. It was agreed that the BRs are stating that 2 person control
is required for vetting Non-EV code signing certificates. This could be
considered a Non-EV versus EV issue, which will be discussed at a future
meeting.
*	Section 17.8 - This is a Non-EV vs EV issue regarding root key
generation, which will be addressed at the future meeting. It was suggested
that BR 6.1.1.1 could be used for both Non-EV and EV roots.
*	Appendix A - Ian has submitted a proposal to extend SHA-1 to April
2022.

5.	IPR Review period for ballot CSC-2 ends September 2, 2020. There has
been no submissions to date. The new document should be good for use as of
September 3, 2020.
6.	Next meeting:  September 10, 2020 - Since Ian is on vacation, we
decided to push the High Risk discussion to September 24, 2020. The
September 10, 2020 meeting will discuss Non-EV vs EV changes.
7.	Adjourn

Bruce Morton

Vice Chair CSCWG

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200910/6de12d67/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4916 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200910/6de12d67/attachment.p7s>