[Cscwg-public] FW: CSCWG Final Minutes January 11, 2023

Dean Coclin dean.coclin at digicert.com
Thu Jan 25 21:14:28 UTC 2024

Final minutes of CSCWG meeting Jan 11, 2023

1.      Roll Call

*       Andrea Holland - (VikingCloud)
*       Brianca Martin - (Amazon)
*       Bruce Morton - (Entrust)
*       Corey Bonnell - (DigiCert)
*       Dimitris Zacharopoulos - (HARICA)
*       Eva Vansteenberge - (GlobalSign)
*       Ian McMillan - (Microsoft)
*       Inaba Atsushi - (GlobalSign)
*       Inigo Barreira - (Sectigo)
*       Janet Hines - (VikingCloud)
*       Martijn Katerbarg - (Sectigo)
*       Mohit Kumar - (GlobalSign)
*       Richard Kisley - (IBM)
*       Roberto Quionones - (Intel)
*       Rollin Yu - (TrustAsia)
*       Scott Rea - (eMudhra)
*       Thomas Zermeno - (SSL.com)
*       Tim Hollebeek - (DigiCert)

2.      Antitrust reminder: Read

3.      Approve prior meeting minutes - Nov 30th, Dec 14th : Both minutes were approved

4.      Ballot CSC-21 Signing Service: Discussion/Voting Period : Voting ends tomorrow 12 January 2024. Bruce stated 6 votes were required for quorum, but we only have 5 votes so far. Dimitris advised that the membership tool states the quorum is 5. Bruce stated that he might have counted the meeting attendees improperly, so we will use system quorum number of 5.

5.      Ballot CSC-22 Proposed High Risk Ballot: Discussion/Voting Period: Voting also ends 12 January 2024 and quorum of 5 has been met.

6.      Proposed ballot Remove EV Guideline References status: Dimitris has provided a proposal for review. He will provide a mapping document to assist for review. Would like feedback before proposing a ballot.

7.      Proposed ballot CSCWG charter update status: Martijn stated the ballot closes today and we are exactly on the quorum number.
8.      PCI-HSM certification for Code signing HSMs (Richard K): Richard would like the CSCWG to consider using PCI-HSM as a certification approval method for crypto modules for the CSBRs. PCI-HSM is a robust program which most vendors use. FIPS 140-2 and -3 have a long queue. For instance FIPS has 252 waiting, 8 in process, and only 12 people performing the process, so processing takes 12-18 months processing time. Common Criteria is not universal. PCI-HSM covers the requirements and could be used as an alternative. Dimitris asked what the proposal would apply to - CA or Subscriber keys; Richard did not know where to apply. Ian asked what is the difference between PCI-HSM and FIPS; Richard provided his perspective. Bruce stated that root CAs, subordinate CAs, time-stamp CA, Signing Service use HSMs, but there might not be a demand as this requirement is already met. Would PCI-HSM help to support the Subscriber end to provide more devices for signing code. Dimitris stated that the CSBRs allow FIPS 140 Level 2 for Subscribers, which is lower that level 3, so maybe it would be approved for Subscribers. Ian stated that they would investigate to see if PCI-HSM would acceptable for Subscribers. Dimitris asked if PCI-HSM supports remote key attestation; Richard stated the requirements do not address this requirement. If PCI-HSM is acceptable a member would have to write a ballot. We will wait until there is feedback from Microsoft.

9.      Other business: Bruce was asking if there is new business, since 3 ballots will pass this week? Bruce asked if DigiCert is still planning to provide a CT demo; Corey suggested we review with Ian. Bruce also stated that another topic is time-stamp changes, but this is also Ian's action. It was suggested to work on the EV ballot. Dimitris said the change might be a issue as it could conflict with the BR of BRs process. Tim brought up the question of what we are trying to resolve, but Dimitris suggested that the exercise would remove some EV requirements which do not make sense for CSBRs. Tim asked if the EV Guidelines could be added as an appendix; Dimitris suggested that that would work for the verification requirements, but not the others.

10.     Next meeting -  January 25th

11.     Adjourn

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240125/c3b3986d/attachment.html>

More information about the Cscwg-public mailing list