[Cscwg-public] Final Minutes of CSCWG meeting Jan 28, 2021

Dean Coclin dean.coclin at digicert.com
Thu Feb 11 18:39:23 UTC 2021


Here are the final minutes of the subject call:
1. Attendees: Dean Coclin, Atsushi Inaba, Daniella Hood, Bruce Morton, Ian McMillan, Sebastian Schulz, Dimitris Zacharopoulos, Tim Crawford, Karthik Ramasamy, Karina Sirota
2. Antitrust statement was read by Dean.
3. Minutes from prior call approved and will be sent to public list.
4. Ballot Status: Bruce will send a reminder to vote on CSCWG-7 to the list. Dimitris reminded us that only voting members are counted for quorum purposes.
5. Discussion of high-risk requests and key protection: Ian presented these two topics with suggestions for improvement. For high-risk requests, the proposal was to make this more consistent across the board. For any cert request, the CA should check their internal database to see if a prior request had been rejected. Section 11.7 deals with how to process it. For example, SolarWinds would have been considered a high-risk request because they signed malicious code. This section says that due to a "takeover attack", they would then have to use a stronger key protection (16.3). Ian also commented that this section says if you have 2 takeover attacks, the CA cannot issue the cert. He felt this was too harsh and suggested that approval be sought from the platform provider. A discussion then ensued on someone hosting a database of such requests (which we've discussed before). Ian suggested "ReversingLabs" could be such a candidate, where CAs could check before issuing. Dimitris suggested something like the "London Protocol". Bruce will discuss this with Chris Bailey.
6. A discussion about notifying companies if a cert is requested in their name. Ian said he would want to know if anyone (including Microsoft employees) requested a cert in Microsoft's name. Dean said that was likely true of other companies like Oracle and Adobe. Perhaps something like CAA would be needed here.
7. Ian discussed his proposal for key protection. He would like to change the "FIPS or equivalent" text to just FIPS. Bruce said Common Criteria versions should be considered. Dimitris said the CC EAL4+ is higher than FIPS 140-2 Level 2. It was mentioned that Adobe uses this standard. Ian will consider adding CC EAL 4+ and ETSI CEN while removing "or equivalent".
8. Tim asked how one would prove that keys were generated properly for audit purposes. Ian will revise 16.2 (3) based on an attestation from the customers. A discussion around subscriber obligations followed and what happens when they don't adhere. Should the CA mandate no key possession by the customer and enforce a cloud-based solution?
9. Discussion ended as time was called.
10. Next meeting Feb 11th.

Dean Coclin

Chair CSCWG