[Cscwg-public] Final Codesigning Working Group minutes- 7-Sep-2023

Dean Coclin dean.coclin at digicert.com
Thu Oct 5 22:13:52 UTC 2023 

Minutes of Codesigning WG meet on Sep 7th, 2023

 

Attendees:

Atsushi Inaba - GlobalSign

Keshava N - eMudhra

Inigo Barreira - Sectigo

Dimitris Zacharopoulos - Harica

Martijn Katerbarg - Sectigo

Ian McMillan Microsoft

Brianca Martin - Amazon

Mohit Kumar - GlobalSign

Bruce Morton - Entrust

Scott Rea - eMudhra

Andrea Holland - VikingCloud

Corey Bonnell - DigiCert

 

Discussion Points:

Prior minutes approval - 24-Aug-2023 minutes approved with no objection 

Ballot Status

Ballot 19 is completed and effective 5-Sep-23 and new Code Signing BR
version is published with updates from this ballot.

 

Signing Service Ballot - Updated draft based on previous ballots. Includes
lot of cleanups, simplifying the language and not change any scope. The
objective was to clear that Signing service is not supposed to do
validation. Validation is expected from Certificate Authority and Signing
service is expected to protect private keys on behalf of subscriber

Summary of Major updates for Signing Service:

*	Made clear signing service is not delegated third party. It is not
an obligation for CA or CA doesn't have to do it or delegate. It is optional
for CA.
*	Change in definition of Signing service to include generation of key
pair and its management as main job for signing service
*	Added section to ensure that Signing service don't transfer keys to
subscriber
*	Changed reference to Signing Key as Private Key where applicable
*	Improved content to avoid the interpretation that Signing service
must do malware scans for all codes being signed
*	Broke the audit requirements between CA, Signing service and
Timestamping

 

High Risk ballot - To be postponed for now and to be taken up later. 

 

Discussion on need for charter update for TSA certificates

Dimitris  brought to group attention that it was agreed at forum level that
Codesigning Working group can work on requirements for TSA related to Code
Signing and is in scope.

Martjin suggested that unless we have technical controls to figure out which
Timestamp certificates or authority is being used for Codesigning vs not
used for codesigning, it is difficult to differentiate.

 

It was highlighted that we have policy OIDs for Timestamp certificates to be
used for Codesigning. There was discussion if these are mandatory and if its
stated explicitly. It was called out that if policy OID is not being used in
Timestamping certificate, it technically still works for codesigning. 

But there is still difference in opinions if timestamping requirements are
in scope or need the charter update, since it is not clear. 

Action item was decided to review and update charter and consider timestamp
certificates/TSA requirements for Codesigning

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231005/e9944303/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5197 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231005/e9944303/attachment-0001.p7s>

More information about the Cscwg-public mailing list