[Cscwg-public] Final minutes of CSCWG November 18

Dean Coclin dean.coclin at digicert.com
Tue Dec 14 20:18:58 UTC 2021

Here are the final minutes of the subject call:

CSC WG Conference Call 2021-11-18

Role Call:

Bruce Morton

Dimitris Zacharopoulos

Inigo Barreira

Andrea Holland

Atsushi Inaba

Correy Bonnell

Chris Kemmerer

Ian McMillan

Kiran Tummala

Tim Hollebeek

Minutes of the previous Meeting were approved

Discussion regarding SC-50 from Server Working Group:

              - Ballot is concerned with removal of 4.1.1

              - Discussion is postponed until any changes are required

Ballot CSC-12:

              - Ballot has passed, in IPR review through 3rd December

Ballot CSC-6:

- Effective date is set to Sep 1st 2022 based on reccuring feedback from the 

- Date seems reasonable for most CAs but some want to double check time needed 
to implement

- Discussion of proposed changes to 16.3.1:

              - Dimitris points out that the CA shipping crypto modules with 
keys should explicitly be allowed to ship modules with multiple keys

              - Dimitris also points out that the current language would allow 
the CA to import keys to the crypto module

              - Hence, the CA should be required to generate a key inside the 
crypto module

              - Sebastian mentions that since it is already required for the 
subscriber to generate keys on the module, it should follow for CAs to do the 

              - Overall, there is agreement that it would make sense to add 
that requirement explicitly

              - Language on the ballot is being updated slightly, as per 
Dimitris proposal over Email

              - Ian proceeds to discuss the requirements around generating the 
key on a suitable hardware crypto module, with a CSR signed by the 
manufacturer to claim generation of the key on the hardware

              - Discussing whether or not that phrasing might be redundant, 
Tim points out that an auditor would still be able to distinguish

              - Upon a question for the difference between items 2 and 3, 
Dimitris points out that 2 is Remote Key Attestation while 3 is constrained by 
enrolment with a cetain crypto library

              - Regarding item 4, Ian mentions that Microsoft provides 
verification by IT audit for their own CodeSigning

              - Tim Hollebeek mentions that there are some others using this 

              - Dimitris has concerns that the language may be misinterpreted 
by some to provide their own audit (non-FIPS) for the devices

              - Tim mentions that some use non-standard security practices 
that in assurance level exceed what is required by the BR

              - Bruce points out that an audit should ideally show only that a 
suitable device according to BR is used, not introduce evluation of a new 

              - Dimitris still encourages reqording of the paragraph, to 

              - Tim points at that "suitable" needs a more clear-cut 
definition of what is acceptable, are internal IT audits acceptable?

              - For Ian, any audit that would clarify make, model and 
procedures would be sufficient but that didnt come through for the whole group

              - Dimitris is also pointing at item 6, which specifies CA or 
qualified auditor witnessing key creation. Does this overlap with item 4?

              - Through discussion, it becomes clear that number 4 and 6 are 
meant for different purposes (bigger and smaller customers respectively)

              - Tim points out that specifying IT audits would complicate this 
ballot and can be improved upon in the future

              - Dimitris points out item number 8, and how approval might 
conflict with items 1 to 7

              - It's generally agreed that item number 8 is only meant to 
cover methods that are not described by item 1 through 7

              - Regarding item number 8, CAs should also bring up additional 
methods to question at cabforum.org <mailto:question at cabforum.org> . This seems 
mostly important to CAs not participating (of whicht here are many)

              - Looping back to item number 4, Dimitris is asking for 
clarification whether an itnernal or external audit should be used

              - There is discussion around whether and what should be 
clarified now and what should be addressed with a future ballot

              - Dimitris will propose some language for clarification of item 

              - Bruce also raises some concerns regarding reuse, specifically 
for item 4 and 5 (limiting the validity of audits or reports)

              - Bruce is pointing out that reuse is already addressed in 
section 11 (validation)

              - Dimitris is mentioning that there are different reuse periods 
for EV and non-EV

              - Ian believes that the reuse period of EV (13 months) is more 
appropiate, Bruce will update the ballot for items 4, 5 and 7

              - Corey is mentioning that 11.7 also has some specifications 
regarding takeover attacks and wondering whether these should be updated as 

              - Dimitris agrees that it should be updated with the ballot, Ian 
agrees to update

- Discussion regarding CSBR format change:

              - Corey has been distributing an updated mapping document and 
incorporated CSC-11 changes

              - Dimitris agrees that most mapping seems ok so far, with only 
some comments remaining

              - Dimitris comes with a reminder that clarification ballots 
should not introduce normative changes

              - The appendix with certificate profile sections talks about 
Email Protections EKUs being allowed - should this be added to 3647 

              - Corey refers to MS Root program requirements for Email 
protection and Document Signing EKUs

              - Bruce suggests that while not updating with the conversion, 
but introducing a new ballot immediately to make the changes. The group agrees

              - Corey is addressing the delegation of audits as well, with 
Dimitris agreeing that the section needs further discussion (section 14.2.1)

              - For Dimitris, it reads as if delegated RA can be internall 

              - Overall, it doesn't seem like it's a format change issue but 
there's a problem with the existing content not being understood properly

              - If it's not understood, should it not be moved or moved just 
somewhere because some may rely on it?

              - There's agreement that the item needs further discussion and 
updating before introduing a format change

Next Meeting is December 2nd, Meeting is adjourned

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211214/cba3588f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4916 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211214/cba3588f/attachment-0001.p7s>

More information about the Cscwg-public mailing list