[Cscwg-public] Final minutes of CSCWG November 18

Dean Coclin dean.coclin at digicert.com
Wed Dec 15 18:14:03 UTC 2021

Resending these with a minor correction: added Sebastian Schulz to the roster.


Here are the final minutes of the subject call:

CSC WG Conference Call 2021-11-18

Role Call:

Bruce Morton

Dimitris Zacharopoulos

Inigo Barreira

Andrea Holland

Atsushi Inaba

Correy Bonnell

Chris Kemmerer

Ian McMillan

Kiran Tummala

Tim Hollebeek

Sebastian Schulz

Minutes of the previous Meeting were approved

Discussion regarding SC-50 from Server Working Group:

              - Ballot is concerned with removal of 4.1.1

              - Discussion is postponed until any changes are required

Ballot CSC-12:

              - Ballot has passed, in IPR review through 3rd December

Ballot CSC-6:

- Effective date is set to Sep 1st 2022 based on reccuring feedback from the 

- Date seems reasonable for most CAs but some want to double check time needed 
to implement

- Discussion of proposed changes to 16.3.1:

              - Dimitris points out that the CA shipping crypto modules with 
keys should explicitly be allowed to ship modules with multiple keys

              - Dimitris also points out that the current language would allow 
the CA to import keys to the crypto module

              - Hence, the CA should be required to generate a key inside the 
crypto module

              - Sebastian mentions that since it is already required for the 
subscriber to generate keys on the module, it should follow for CAs to do the 

              - Overall, there is agreement that it would make sense to add 
that requirement explicitly

              - Language on the ballot is being updated slightly, as per 
Dimitris proposal over Email

              - Ian proceeds to discuss the requirements around generating the 
key on a suitable hardware crypto module, with a CSR signed by the 
manufacturer to claim generation of the key on the hardware

              - Discussing whether or not that phrasing might be redundant, 
Tim points out that an auditor would still be able to distinguish

              - Upon a question for the difference between items 2 and 3, 
Dimitris points out that 2 is Remote Key Attestation while 3 is constrained by 
enrolment with a cetain crypto library

              - Regarding item 4, Ian mentions that Microsoft provides 
verification by IT audit for their own CodeSigning

              - Tim Hollebeek mentions that there are some others using this 

              - Dimitris has concerns that the language may be misinterpreted 
by some to provide their own audit (non-FIPS) for the devices

              - Tim mentions that some use non-standard security practices 
that in assurance level exceed what is required by the BR

              - Bruce points out that an audit should ideally show only that a 
suitable device according to BR is used, not introduce evluation of a new 

              - Dimitris still encourages reqording of the paragraph, to 

              - Tim points at that "suitable" needs a more clear-cut 
definition of what is acceptable, are internal IT audits acceptable?

              - For Ian, any audit that would clarify make, model and 
procedures would be sufficient but that didnt come through for the whole group

              - Dimitris is also pointing at item 6, which specifies CA or 
qualified auditor witnessing key creation. Does this overlap with item 4?

              - Through discussion, it becomes clear that number 4 and 6 are 
meant for different purposes (bigger and smaller customers respectively)

              - Tim points out that specifying IT audits would complicate this 
ballot and can be improved upon in the future

              - Dimitris points out item number 8, and how approval might 
conflict with items 1 to 7

              - It's generally agreed that item number 8 is only meant to 
cover methods that are not described by item 1 through 7

              - Regarding item number 8, CAs should also bring up additional 
methods to question at cabforum.org <mailto:question at cabforum.org> . This seems 
mostly important to CAs not participating (of whicht here are many)

              - Looping back to item number 4, Dimitris is asking for 
clarification whether an itnernal or external audit should be used

              - There is discussion around whether and what should be 
clarified now and what should be addressed with a future ballot

              - Dimitris will propose some language for clarification of item 

              - Bruce also raises some concerns regarding reuse, specifically 
for item 4 and 5 (limiting the validity of audits or reports)

              - Bruce is pointing out that reuse is already addressed in 
section 11 (validation)

              - Dimitris is mentioning that there are different reuse periods 
for EV and non-EV

              - Ian believes that the reuse period of EV (13 months) is more 
appropiate, Bruce will update the ballot for items 4, 5 and 7

              - Corey is mentioning that 11.7 also has some specifications 
regarding takeover attacks and wondering whether these should be updated as 

              - Dimitris agrees that it should be updated with the ballot, Ian 
agrees to update

- Discussion regarding CSBR format change:

              - Corey has been distributing an updated mapping document and 
incorporated CSC-11 changes

              - Dimitris agrees that most mapping seems ok so far, with only 
some comments remaining

              - Dimitris comes with a reminder that clarification ballots 
should not introduce normative changes

              - The appendix with certificate profile sections talks about 
Email Protections EKUs being allowed - should this be added to 3647 

              - Corey refers to MS Root program requirements for Email 
protection and Document Signing EKUs

              - Bruce suggests that while not updating with the conversion, 
but introducing a new ballot immediately to make the changes. The group agrees

              - Corey is addressing the delegation of audits as well, with 
Dimitris agreeing that the section needs further discussion (section 14.2.1)

              - For Dimitris, it reads as if delegated RA can be internall 

              - Overall, it doesn't seem like it's a format change issue but 
there's a problem with the existing content not being understood properly

              - If it's not understood, should it not be moved or moved just 
somewhere because some may rely on it?

              - There's agreement that the item needs further discussion and 
updating before introduing a format change

Next Meeting is December 2nd, Meeting is adjourned

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211215/428d7d9f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4916 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211215/428d7d9f/attachment-0001.p7s>

More information about the Cscwg-public mailing list