[Cscwg-public] CSCWG Final Minutes July 27, 2023

Dean Coclin dean.coclin at digicert.com
Thu Aug 10 18:28:33 UTC 2023

CSCWG Minutes July 27, 2023



Roberto Quiñones - Intel

Brianca Martin - Amazon

Bruce Morton - Entrust

Atsushi INABA - GlobalSign

Dean Coclin-DigiCert

Andrea Holland - VikingCloud

Mohit Kumar - GlobalSign

Scott Rea - eMudhra

Tim Crawford - WebTrust

lan McMillan - Microsoft

Brianca Martin - Amazon



Minutes of the meeting:

Minutes approved for F2F

Interested party application from Adobe was discussed. Legal contact in
Adobe is waiting for Authorization of application. No immediate action on

Adobe has Adobe air so significant to the group. 

CSC Ballot 19 was discussed and need for the votes for Quorum was
highlighted. Request made to members to place the vote.


Ballot on Signing Service:

Bruce circulated the drafts not only for Signing service but also
Timestamping and High Risk ballots. Suggestion made that people should start
taking look, as group would move forward after current ballots are passed
and published. 

Ian to look what is proposed on Timestamping and High risks ballot and share

Digicert to present their views on CT logs for next time as SME were not
available this week.


Proposal on merging EV and OV certificates:

Ian proposed to work on text for combining OV and EV together and find a
middle ground to eliminate need for EV Codesigning certificates. In
principle, standard to be maintained for organization validation that EV
does today and making that as new only standard – calling it OV. 

Question was raised on challenges to subscriber with that. 

Organization identifier scenario in SMIME was discussed as part of this
discussion. In SMIME, Org ID was introduced as single field that has all the
requirements vs EV which has 3-4 fields for same information. So this makes
certificate better than OV and close to EV  in terms of Identity.


Another change discussed was need for verification of certificate requestor,
contractor, signer etc because a lot of effort goes in there. It required in
EV and not for OV today. Also do we need dual verification that is done

Feedback is there that EV is very hard and do they provide the value or not.

As there is no Domain in Codesigning certs so it boils down to the need for
such verifications.

In SMIME BRs, there is no EV just a upgraded level of OV.  SMIME to be
studied further and to be observed in terms of feedback for SMIME for next
few months from SMIME BRs effective date. 

The expected timeline is 5-6 months atleast for this ballot given 3 ballots
ahead already. It’s a big change. 

Also discussed what should be the timeline to issue more than 1 certificate
in a subscription and how to use shorter lived certificates. 


Bruce also raised that CAs should provide feedback how Private Key ballot
landed may be in 1-2 months. He proposed that group should gather feedback
from CAs. Some CAs might be facing same issues, so we should have feedback
loop so we can iron out. This to be added to Agenda item for next time. 


Meeting was adjourned. 





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20230810/2976c2a1/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5197 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20230810/2976c2a1/attachment-0001.p7s>

More information about the Cscwg-public mailing list