[Cscwg-public] Final CSCWG May 2nd, 2024 Minutes

Fri May 17 15:51:45 UTC 2024

I would like to clarify this part of the notes which I see are incorrect....

"- Corey raised issue regarding Microsoft's Trusted Signing Service introduces custom EKU into CS certificates to uniquely identify the publisher (face-to-face or future meeting).  Potential breakage for publisher.  Per publisher EKU is potential solution to prevent breakage.
Ian discussed Windows Security Center involvement on this issue.  Only 1st party CAs for integrity checks. " 

The ask from Corey was whether there is a pattern we'd be interested in establishing as part of the CSBRs (not something we should call an "issue"), and I am still evaluating if this is a pattern we'd like to establish in the CSBRs with our internal folks. The EKUs used by Trusted Signing are not a potential breakage for publishers and the per publisher EKU is needed for our /INTEGRITYCHECK (https://learn.microsoft.com/en-us/cpp/build/reference/integritycheck-require-signature-check?view=msvc-170)  signing required by Microsoft Partner programs where the cross-signing program is now deprecated (https://learn.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates). Windows Security Center may also support the usage for these same Partner programs. 

Thanks,
Ian

-----Original Message-----
From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dean Coclin via Cscwg-public
Sent: Thursday, May 16, 2024 12:57 PM
To: Dean Coclin via Cscwg-public <cscwg-public at cabforum.org>
Subject: [EXTERNAL] [Cscwg-public] Final CSCWG May 2nd, 2024 Minutes

Attendees:
Dimitris (HARICA),
Corey Bonnell (DigiCert),,
Thomas Zermeno (SSL.com),
Scott Rea (eMudhra),
Bruce Morton (Entrust),
Andrea Holland (VikingCloud),
Rebecca Kelley (SSL.com),
Brian Winters (IdenTrust),
Ian McMillan (Microsoft),
Mohit Kumar (GlobalSign),
Marco Schambach (IdenTrust),
Richard Kisley (IBM),
Brianca Martin (Amazon),
Martijn Katerbarg (Sectigo),
Wangmo Tenzing (Wangmo Tenzing),
Tim Hollebeek (DigiCert),
Janet Hines (VikingCloud),
Atsushi INABA (GlobalSign),
Dean Coclin (DigiCert),
Inigo Barreira (Sectigo),
Janet Hines (VikingCloud)

Minute-taker: Brian Winters

AntiTrust Reminder read by Dean Coclin.

Face-to-face meeting minutes approved.

April 18th Minutes approved.

* EVCS Guidelines ballot CSC-23:

Bruce Morton indicated possible new requirement raised by Martijn.  Martijn requested input by Dimitris, not on the call yet.
Cory stated that the language sometimes indicates EV Code Signing certificate and in other places uses the term certificates.
Bruce asked what is the new requirement?  Cory indicated the Subject Org ID requirement.  We are introducing new language about what the Org ID may contain.
Bruce suggested a new ballot regarding the Org ID changes.  Agreed upon by Ian, and Andrea Holland.
Dean mentioned having seen an open pull request to remove the Org ID changes.  Pull request has comments by Dimitris and Corey Bonnell.
Corey stated that Dimitris is the main driver on this ballot.

Dimitris joined late and commented on new requirement as done on purpose, to be effective sometime after September to be consistent with new EV guidelines.
Bruce commented Org Id might be better to add later after adapting to new MS EV Guidelines.  Dimitris stated he is ok with removing it now and adding it later.  But thinks it could also be added now as optional.  Cory expressed some customers might be already using Org Id and may have incompatibilities with new Org Id standards.  Dimitris stated the September effective date allows time for those customers to adapt.  Andrea asked Dimitris if it's acceptable to create a separate ballot for the Org Id field.  Tim commented achieving parity with TLS working group might be just updating requirements for sake of updating requirements.  We should really solve the problem.  We should find the best way to identify the globally unique publisher signing code.  Most relying party software doesn't utilize Org Id field.  Tim urged separating this into a new ballot.  Dimitris eventually agreed.

Bruce asked Dimitris about the Due Diligence requirement.  Martijn commented about portions of it being in scope.  Expressed concern about the term Nullified in the language.

* Timestamping Ballot CSC-24

Martijn raised topic about language to prevent CAs from issuing Timestamp certificates from already issued SubCAs in an online state.  Language was introduced on April 22nd, yet no comments produced.  Planned to effect certificates issued on or after April 15, 2025.

* Face-to-Face meeting planning

Dean Coclin asked for suggestions for items to discuss.

- Ian suggested the topic "maximum certificate validity periods for CS certificates".  Impact of reducing max validity from 39 to 15 or 24 months duration.  What is the sweat spot for max validity periods.
- Bruce wants to discuss Microsoft's planned changes to EV CS certificates.
Ian agreed this is an important topic.  Tentative plan is one certificate type, albeit Individual validated and Organization validated.  Dean pointed out another notable example of Microsoft EV CS use hardware related scenario.
- Corey raised issue regarding Microsoft's Trusted Signing Service introduces custom EKU into CS certificates to uniquely identify the publisher (face-to-face or future meeting).  Potential breakage for publisher.  Per publisher EKU is potential solution to prevent breakage.
Ian discussed Windows Security Center involvement on this issue.  Only 1st party CAs for integrity checks.
- Martijn,  CT for code signing time allowing.

* Other business

Next Meeting May 16th.

Following will be the Face-to-face meeting in Italy.

* Topic for next meeting

- PCI-HSM Acceptance for CA HSM evaluations (Richard Kisley).