[Cscwg-public] FW: Draft Minutes of CSCWG call May 20, 2021

Dean Coclin dean.coclin at digicert.com
Thu Jun 17 20:04:41 UTC 2021


 

Final Minutes for May 20, 2021 CSCWG meeting

 

Attendees: 

- Dean Coclin

- Bruce Morton

- Janet Hines

- Tim Hollebeek

- Ian McMillan

- Dimitris Zacharopoulos

- Tim Crawford

- Corey Bonnell

- Atsushi Inaba

- Tomas Gustavsson

- Sebastian Schulz

- Roberto Quinones

- Iñigo Barreira

 

Minute-taker: Tomas Gustavsson

 

Roberto Quinones is participating for the first time, representing Intel,
which is an associate member.

 

Antitrust statement was read by Dean.

 

 

Minutes for May 6 meeting were approved.

 

 

Certificate policy OID for time stamping update: It was discussed that the
OID is specific to code signing. It does not inhibit or affect any other
types of certificates. Bruce said that in the OID structure it sits under the
code signing arc, and its purpose is to identify certificates issued in
accordance with the CS BRs. The aim is to fix a gap, as there is no OID for
this today. Tim Hollebeek and Ian McMillan stated that they are in favor of
the proposed OID and of adding it to the document. Bruce noted that there is
no change of scope, and Tim noted that it actually clarifies the scope of
what is intended for code signing.

 

Clean-up ballot:

A small set of people had action items from the last meeting concerning the
clean-up ballot. Dimitris has completed his action item; Bruce and Tim
Hollebeek have not completed theirs yet. Bruce aims to address his items
during the next week, after which he will clean up the comments and send the
document out to the group for review. Some comments in the document will not
be part of the clean-up ballot but will be addressed as separate ballots.

 

 

BR SSL version numbers in CSBR:

No action has been taken since the last discussion. The problem is that a lot
of review would be needed, so it may be better to keep the version reference
we have and instead do a ballot to bring into the CS BRs what we want from
the SSL BRs. Bruce said the logging requirements from the SSL BRs are
something the CS BRs want to take advantage of. Dimitris noted that
requirement changes need to have a future effective date. There was a
discussion about the SSL BR requirements on disclosure of data sources,
registration and incorporating agencies, and log retention, which may need
effective dates for CAs that issue code signing certificates but not SSL
certificates. A discussion on effective dates followed. Tim noted that if
there is no rush, 6 months is the de facto standard for the effective date
period.

Ian volunteered to make a suggestion for a ballot for log retention and Tim
agreed to review.

Bruce suggested that when a ballot affecting one of the CS documents is
approved by the server group, we should assess its impact and decide whether
it is something we want to include; for example, domain validation changes
have no impact on CS, while weak key changes probably do. This was supported
by Ian.

 

Key Protection:

Ian said the future plan for key protection is to incorporate language
specific to cloud-protected keys. The interesting part is verification of the
subscriber's protection level, for example how a CA can witness key
generation, or the subscriber providing a suitable IT audit. Tim asked what
the long-term vision is and whether subscribers should move to cloud
services. Ian said the vision is that key generation and key protection are
done inside a hardware crypto module.

Ian mentioned that he prefers not to have pre-installed keys shipped to
customers, because of how that could affect provenance during shipping. There
was a discussion between Ian and Dimitris on the benefits, drawbacks and
processes of CAs shipping crypto modules with pre-generated keys to
subscribers, and whether this poses a risk. The typical process is that the
pre-installed keys are shipped before the certificate is issued, and there is
a benefit for verification of key generation, since the CA knows the key was
generated inside the hardware crypto module. There was agreement that this is
a good process where the subscriber's crypto module does not support remote
key attestation.

 

 

Signing Service:

Bruce said there was a discussion about whether a separate formal or informal
group should be split out to sort out the signing service topic. The BRs are
confusing in some ways for signing services, and there was agreement that the
different models should be clarified. It was agreed to gather interested
people to lead a focused call on signing services; Bruce said he doesn't mind
leading this call and gathering volunteers. The first target is to give a
presentation on this call or at the F2F.

 

Minute takers for the next four meetings:

- June 3: Corey Bonnell, followed by

- Sebastian Schulz

- Janet Hines

- Iñigo Barreira

 

 
