[Cscwg-public] Final minutes for 2023-12-14 CSCWG meeting

Dean Coclin dean.coclin at digicert.com
Thu Jan 11 20:02:39 UTC 2024

Final minutes for 2023-12-14 CSCWG meeting



Andrea Holland (VikingCloud), Bruce Morton (Entrust), Corey Bonnell
(DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inaba Atsushi
(GlobalSign), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit
Kumar (GlobalSign), Richard Kisley (IBM), Roberto Quionones (Intel), Rollin
Yu (TrustAsia), Scott Rea (eMudhra), Tim Crawford (CPA Canada/WebTrust), Tim
Hollebeek (DigiCert)


Bruce read the note well.


Minutes of the November 30th meeting were not approved as they were just
sent out.


- Signing Service Ballot


Bruce mentioned that Ian wanted to reduce the audit requirements for non-CA
signing services. One idea is to use CCM criteria. One challenge is a lack of
familiarity with the CCM framework as well as how to map the criteria with
the specific requirements for HSMs.


Tim Crawford mentioned that the netsec-wg wants to use the STAR Alliance
requirements but are currently working through licensing issues.


Bruce has a proposal to move the ballot forward. He would like to retain
the current requirements for audit and address lesser audits in a future
ballot. Tim agreed that this is a good approach, as defining audit
requirements for non-CA Signing Services will be much more complex. Ian
also agreed with this approach.


Bruce proposed that he will bring the Signing Services ballot forward for
formal discussion and voting early next calendar year. There was agreement
on this approach.


- High Risk Ballot


Bruce said the text is complete and there are two endorsers. Bruce asked
if there's any objection to running two ballots concurrently. Martijn,
Tim, and Ian agreed that's fine as long as there's no overlap.


Corey raised a concern about potential complexity with immutable links if
multiple ballots are in flight. He will investigate if this is an actual


- Charter Update


Martijn said the ballot is ready but didn't want to kick off the voting
period during the holidays. He will look to start voting in early


- Any other business


The December 28th meeting is cancelled. The next meeting will be
January 11th.


Richard from IBM suggested that HSMs for code signing be certified
under PCI-HSM in addition to CC and FIPS. Tim said in theory that
should be fine but need to investigate further.


Meeting adjourned.
