[Cscwg-public] Final CSCWG minutes Sept 8, 2022
Dean Coclin
dean.coclin at digicert.com
Thu Sep 22 17:43:57 UTC 2022
CSCWG Final Minutes September 8, 2022
Attendees
Dean Coclin
Roberto Quiñones
Joanna Fox
Vijay eMudhra
Mohit Kumar
Ian McMillan
Bruce Morton
Michael Sykes
Atsushi Inaba
Tim Hollebeek
Iñigo Barreira
Tomas Gustavsson
Dimitris Zacharopoulos
Martijn Katerbarg
Janet Hines
Andrea Holland
Dean read the anti-trust statement.
No objection to minutes from Aug-25th, minutes approved. Will be sent to
public list.
Reminder on CSC 15, IPR review ends on Sept 18th
Topics to discuss:
* Malware Proposal from Martijn
  * Nothing new to discuss at this time.
* Key Protection requirements deadline
  * Ian shared that there has been feedback/concerns about the deadline approaching fast and not everyone being ready to adopt the new requirements.
  * Time between publication of the requirement and the deadline may have been too aggressive. Tim suggests standardizing on a general 1 year notice before enforcement.
  * In addition to the short deadline, market conditions and supply chain issues may be preventing some from adopting the new requirements.
  * This group has been aware of the topic for a long time, but even after CSBRs are published, most developers do not read them.
  * Several points about the communication problem
    * Some CAs have been actively reaching out to subscribers about the new requirements
    * Moving the date does not resolve awareness
    * Batching updates may help to communicate changes
    * Moving the date implies it is not as critical as initially suggested
  * It was suggested that we could keep the original date and use an exception process
    * Exception processes have not worked well in the past.
    * They may be inconsistent and public review creates more risk
    * Goal should be to avoid an exception process
    * Creating conditional rules for issuance under exceptions adds an additional complexity requirement for CAs in a short time. Better to just move out the date.
  * Ian will write a ballot draft and send it out Sept 9th to get the discussion period moving and collect endorsers. Tim and Bruce offered to endorse.
* Signing Service discussion
  * Bruce: Corey has published info in GitHub for anybody to review. Discussing separating audit criteria for CA vs signing service vs timestamp authority. Looking for help to review it.
* Timestamping
  * Ian: will work on a draft to require that the TSA CA issuing timestamp and entity certs be protected offline, and to reduce the validity period of those timestamp and entity certs to no more than 6 years.
  * It should cover the period for Java using a yearly new key. We can send a message to Oracle on intent, to get their feedback.
* Other business
  * Anyone that will attend Berlin should sign up now to allow for planning for limited spots. Some guests or companies with multiple spots may be asked to limit attendance since only 60 spots available.
Next meeting will be September 22nd
Meeting adjourned