From Mike.Reilly at microsoft.com Tue May 4 20:30:33 2021
From: Mike.Reilly at microsoft.com (Mike Reilly (SECURITY))
Date: Tue, 4 May 2021 20:30:33 +0000
Subject: [cabfpub] [Cscwg-public] [EXTERNAL] Re: Code signing and Time stamping
In-Reply-To: <0100017923b14ff9-a4d4a1be-c8d5-45ed-83fa-74728a32d970-000000@email.amazonses.com>
References: <01000178ebd4b7ef-bf5e2394-ffff-4eb5-9fce-802f896debad-000000@email.amazonses.com> <01000178f00ad43c-07f8b045-e990-4aee-8fcf-f8b1c3f8a17c-000000@email.amazonses.com> <010001790e54be8b-2e61b099-6964-4fab-87a0-50aebcb06dd2-000000@email.amazonses.com> <010001791ce27f33-10971afe-9e09-4f87-ac78-2ac0a1a0a93c-000000@email.amazonses.com> <010001791d01773f-37c2f636-07e3-45a2-a80d-2903f4c6109e-000000@email.amazonses.com> <010001791d1579bb-5b1bc27b-1047-4865-9403-d04255d3c7b4-000000@email.amazonses.com> <010001791e0f3b38-05f4964e-0fc3-4620-9092-d5c10a4bdaf0-000000@email.amazonses.com> <010001791e1e3533-133e71f9-d724-418e-9c41-d34c962cd717-000000@email.amazonses.com> <0100017923b14ff9-a4d4a1be-c8d5-45ed-83fa-74728a32d970-000000@email.amazonses.com>
Message-ID:

@Ian McMillan and concur with this approach for the CSWG, specifically adding a policy OID for TS services intended to be CS BR compliant.

Thanks,
Mike

From: Public On Behalf Of Tim Hollebeek via Public
Sent: Friday, April 30, 2021 9:52 AM
To: Doug Beattie; CABforum1; Rob Stradling; Sebastian Schulz
Subject: Re: [cabfpub] [Cscwg-public] [EXTERNAL] Re: Code signing and Time stamping

This was the approach that was discussed in the CS WG. We were going to add a policy identifier that would help distinguish between timestamping services intended to be CS BR compliant, and generic timestamping services.
-Tim

From: Public On Behalf Of Doug Beattie via Public
Sent: Thursday, April 29, 2021 10:53 AM
To: Rob Stradling; CABforum1; Sebastian Schulz
Subject: Re: [cabfpub] [Cscwg-public] [EXTERNAL] Re: Code signing and Time stamping

Maybe the use of Policy Identifiers is a good way to assert that your TSA service complies with the CABF Code signing BRs, but that does not preclude other uses?

From: Public On Behalf Of Rob Stradling via Public
Sent: Thursday, April 29, 2021 10:36 AM
To: public at cabforum.org; Sebastian Schulz
Subject: Re: [cabfpub] [Cscwg-public] [EXTERNAL] Re: Code signing and Time stamping

> I don't think the creation of another WG would be justified or useful

Practically, that may well be the case, but I think it's right to arrive at that conclusion by going through this thought process rather than circumventing it.

> I don't see an issue with the CS WG defining requirements for timestamping as long as it's very clear that this is ONLY for timestamping used with CodeSigning certificates so that is no violation of the scope of the WG.

Policing "ONLY for timestamping used with CodeSigning certificates" seems like it would be hard. A timestamping server has no idea whether it's being asked to timestamp signed code or some other "datum" (to quote RFC3161). Sectigo's publicly-trusted RFC3161 timestamping service (and the timestamping certificates that it uses) is expected to be used in conjunction with both Code Signing and Document Signing.

________________________________
From: Public on behalf of Sebastian Schulz via Public
Sent: 29 April 2021 11:03
To: public at cabforum.org
Subject: Re: [cabfpub] [Cscwg-public] [EXTERNAL] Re: Code signing and Time stamping
I can't think of anything else except proprietary systems that use timestamping in, for example, Supply Chain Management and rely on CA-issued timestamps due to the complexity of Enterprises building on-premise TSAs.

When it comes to Adobe, they also trust other, non-qualified timestamps:

"When a Time Stamping Authority is imposed or recommended to the signers by the Member, it must follow state of the art security policies and provide proper timestamps. The time-stamping practices and policies must be provided to Adobe and Adobe reserve the right to not accept the Time Stamping Authority." From AATL TR v2.0 EE3

I'm not generally opposed, but all in all I don't think the creation of another WG would be justified or useful; other major use cases of timestamping have their major stakeholders outside the CA/B Forum. I don't see an issue with the CS WG defining requirements for timestamping as long as it's very clear that this is ONLY for timestamping used with CodeSigning certificates so that there is no violation of the scope of the WG. But I can see how opinions differ. Maybe an item to discuss on the next F2F?

Best,
Seb

Sebastian Schulz
Product Manager Client Certificates

From: Public On Behalf Of Adriano Santoni via Public
Sent: 29 April 2021 11:42
To: public at cabforum.org
Subject: Re: [cabfpub] [Cscwg-public] [EXTERNAL] Re: Code signing and Time stamping

Well, considering that Adobe is not currently a CABF member, I see no context wherein time stamping plays a role, other than code signing. Adobe already trusts qualified time stamping providers (according to EU regulations) based on the EU trust lists, in the context of Document Signing, and I am not aware that they may want to also trust time stamps based on different criteria. In theory, time stamping could be used to extend the validity of an S/MIME signature beyond the signing certificate's expiration, but there is no S/MIME client supporting this, and no plans to support it in the future, so this is just theory.
After all, S/MIME signatures are not meant for the long term. Is there any other context that I am overlooking?

Adriano

On 29/04/2021 11:07, Rob Stradling via Public wrote:

Could it be argued, at least conceptually, that there should be a separate CABForum working group dedicated entirely to Time Stamping? After all, the Code Signing ecosystem doesn't have a monopoly on Time Stamping. For example, Adobe software uses Time Stamping in the context of Document Signing. If Adobe wanted to collaborate with CABForum members on Time Stamping certificate profiles, what (assuming Adobe had no interest in Code Signing) would be the best venue for that?

(Please note: I'm not advocating any position here; I'm just thinking aloud).

________________________________
From: Cscwg-public on behalf of Bruce Morton via Cscwg-public
Sent: 26 April 2021 14:18
To: Ben Wilson; cscwg-public at cabforum.org; Dean Coclin; CA/Browser Forum Public Discussion List
Subject: Re: [Cscwg-public] [EXTERNAL] Re: [cabfpub] Code signing and Time stamping

To follow up, the CSCWG charter includes the following documents:

a. EV Code Signing Guidelines, v. 1.4 and subsequent versions
b. Version 1.0 Draft of November 19, 2015, Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates (subject to the CSCWG making a written finding that the provenance of such document is sufficiently covered by the Forum's IPR Policy)

The documents define requirements or reference: timestamp authority (TSA), timestamps, timestamp implementation method, timestamp certificate, timestamp signed objects, TSA logging, and timestamp key protection. The documents also define the certificate profiles for timestamp root, timestamp subordinate CA and timestamp authority.
As such, the CSCWG has considered it is in scope to manage these documents and the requirements associated to allow timestamp signatures with code signed using certificates conforming to the CSBRs.

The CSBRs also state, "CAs complying with these Requirements MAY also assert the reserved policy OIDs in such Certificates." The reserved policy OIDs reference those required for Non-EV and EV code signing certificates. The CSBRs do not reference an OID for a timestamp certificate, since the OID has not been reserved. It is also considered appropriate to use all applicable reserved certificate policy OIDs as we consider deploying dedicated PKI hierarchies to support code signing.

As such, the CSCWG plans to add the following reserved certificate policy OID to the CSBRs, which may be included in a timestamp certificate which meets the requirements of the CSBRs:

{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) code-signing-requirements(4) timestamping(2)} (2.23.140.1.4.2)

Bruce.

From: Cscwg-public On Behalf Of Ben Wilson via Cscwg-public
Sent: Tuesday, April 20, 2021 12:09 PM
To: Dean Coclin; CA/Browser Forum Public Discussion List
Cc: cscwg-public at cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] [cabfpub] Code signing and Time stamping

________________________________
Just a few thoughts to move this conversation forward, and speaking as a CSCWG interested party and not to advocate any position of Mozilla, I think the answer depends on how strict or flexible the CABF wants to be as an organization when it comes to interpreting the scope of a working group charter. It seems that the mention of time stamping in a code signing work product would be allowed even under a strict interpretation.
While creating standards for issuing and managing time stamping certificates would certainly be out of scope with a flexible interpretation. The Scope in the Charter does not expressly include or exclude the assignment of a time stamping OID for time stamping certificates. https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope

Included in the scope is "Version 1.0 Draft of November 19, 2015, Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates (subject to the CSCWG making a written finding that the provenance of such document is sufficiently covered by the Forum's IPR Policy)." Time stamping was discussed in that draft, and I recall that the CSCWG did make the required written finding of provenance. Is the assignment of a timestamping OID a logical outcome of the continued work on that earlier document?

Ben

On Mon, Apr 19, 2021 at 2:31 PM Dean Coclin via Public wrote:

A discussion on last week's CA/B call about code signing and time stamping brought up a question as to whether the latter was in scope of the CSCWG charter (https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/). Bruce said there was no CP OID for time stamping and that the group wanted to create one IAW with the CA/B Forum registry. Ryan was concerned that this was outside the CSCWG charter as it was not specifically mentioned therein. Dimitris commented that it was included in charter scope 1a which pulls in the EV CS guidelines where time stamping is specified. Ryan did not seem convinced and asked that the discussion continue on the list.

The working group has not had a chance to discuss this since the Forum meeting but plans to do so on the next call. I've included the CS Public list on this thread since the topic is of interest to members/observers there. If a respondent does not have posting rights, I can re-post for them.
Dean

_______________________________________________
Public mailing list
Public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/public

From dean.coclin at digicert.com Mon May 10 15:47:23 2021
From: dean.coclin at digicert.com (Dean Coclin)
Date: Mon, 10 May 2021 15:47:23 +0000
Subject: [cabfpub] Draft CA/Browser Forum agenda - Thursday, May 13, 2021 at 11:30 am Eastern Time
Message-ID:

Here is the draft agenda for the subject call:

CA/Browser Forum Agenda

Time  Start(ET)  Stop   Item  Description                                       Presenters
0:02  11:30      11:32  1.    Roll Call                                         Dean
0:01  11:32      11:33  2.    Read Antitrust Statement
0:01  11:33      11:34  3.    Review Agenda                                     Dean
0:01  11:34      11:35  4.    Approval of minutes of last call                  Dean
0:05  11:35      11:40  5.    Forum Infrastructure Subcommittee update          Jos
0:05  11:40      11:45  6.    Code Signing Certificate Working Group update     Bruce
0:05  11:45      11:50  7.    S/MIME Certificate Working Group update           Stephen
0:05  11:50      11:55  8.    Guest speaker for F2F: David Maimon               Dean
0:04  11:55      11:59  9.    Any Other Business - Doodle poll for October F2F
0:01  11:59      12:00  10.   Next call: May 27th; Adjourn

F2F Meeting Schedule:
* 2021: June 15-17 - Virtual; October - Tentative - Minneapolis (OATI)
* 2022: Mar-April - TBD; June - TBD; Sept - Berlin
From dean.coclin at digicert.com Wed May 12 15:40:18 2021
From: dean.coclin at digicert.com (Dean Coclin)
Date: Wed, 12 May 2021 15:40:18 +0000
Subject: [cabfpub] Final CA/Browser Forum agenda - Thursday, May 13, 2021 at 11:30 am Eastern Time
Message-ID:

Here is the final agenda for the subject call:

CA/Browser Forum Agenda

Time  Start(ET)  Stop   Item  Description                                       Presenters
0:02  11:30      11:32  1.    Roll Call                                         Dean
0:01  11:32      11:33  2.    Read Antitrust Statement
0:01  11:33      11:34  3.    Review Agenda                                     Dean
0:01  11:34      11:35  4.    Approval of minutes of last call                  Dean
0:05  11:35      11:40  5.    Forum Infrastructure Subcommittee update          Jos
0:05  11:40      11:45  6.    Code Signing Certificate Working Group update     Bruce
0:05  11:45      11:50  7.    S/MIME Certificate Working Group update           Stephen
0:05  11:50      11:55  8.    Guest speaker for F2F: David Maimon               Dean
0:04  11:55      11:59  9.    Any Other Business - Doodle poll for October F2F
0:01  11:59      12:00  10.   Next call: May 27th; Adjourn

F2F Meeting Schedule:
* 2021: June 15-17 - Virtual; October - Tentative - Minneapolis (OATI)
* 2022: Mar-April - TBD; June - TBD; Sept - Berlin
From dean.coclin at digicert.com Thu May 13 15:38:49 2021
From: dean.coclin at digicert.com (Dean Coclin)
Date: Thu, 13 May 2021 15:38:49 +0000
Subject: [cabfpub] Final Minutes from CA/B Forum Call April 29, 2021
Message-ID:

Here are the Final minutes of the subject call:

Attendance: Aaron Gable (Let's Encrypt), Abdul Hakeem Putra (MSC Trustgate), Adrian Mueller (SwissSign), Ali Gholami (Telia), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (DigiCert), Curt Spann (Apple), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Janet Hines (SecureTrust), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Karina Sirota (Microsoft), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Ryan Sleevi (Google), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Mozilla), Wendy Brown (US Federal PKI Management Authority), Natalia Kotliarsky (SecureTrust), Maileen Del Rosario (GoDaddy), Brittany Randall (GoDaddy)

Anti-Trust statement read, no changes to the agenda.

1. Infrastructure subcommittee update given by Jos
   1. The anti-spam measures weren't on and have been turned on. All of the emails for the infrastructure group are going to infrabot, so if people want to join the email list, they should ask. The group is also working on getting rid of bounced email addresses.
      If there are any issues with not getting emails, reach out to the infrastructure working groups. Check with the corporate email providers as they may have done some blockers as well.
   2. Tried to get digest emails working on Gitlab. Have a test website for the revisions to the CABForum site.
   3. Started to dig into membership management and the membership spreadsheet.
   4. There is some discussion around interested parties and getting their input. Wayne has added information on the site that becoming an interested party is the right way to go about it.
2. Code Signing Working Group given by Bruce
   1. Discussed how timestamping works and whether it is in the charter. Nothing has been resolved yet. Discussion will continue in the working group.
   2. Restore clean up ballot: having some challenges with version control and moving forward.
3. SMIME working group given by Stephen
   1. Going through using the TLS baseline as a model for the SMIME. There is language regarding government entities. Is the content in section 8.4 still relevant and is it relevant for CAs that have the email trust bit? Will be reaching out to CAs.
   2. Doing some research on how different consumer products take in SMIME certificates and other fields.
   3. Ongoing discussion related to the SAN field, in particular the use of the other name. This would be related to the legacy profile rather than the strict profile. Continue discussion in calls this upcoming week.
   4. Targeting having a rough draft before the June face-to-face.
4. June Face to Face
   1. Had discussion on different dates and time structure. Will be setting a meeting with working groups to discuss.
   2. One guest speaker has already been found.
5. Any other business?
   1. Dimitris: Are there any plans on tackling the working group charter alignment? The charters are not aligned, particularly the SMIME.
      a. Not aware of any discussion but it is a good idea. A task group has been proposed to do this and will be scheduled for the future.
6.
Next call is May 13th

From dean.coclin at digicert.com Mon May 24 20:16:05 2021
From: dean.coclin at digicert.com (Dean Coclin)
Date: Mon, 24 May 2021 20:16:05 +0000
Subject: [cabfpub] Draft CA/Browser Forum agenda - Thursday, May 27, 2021 at 11:30 am Eastern Time
Message-ID:

Here is the draft agenda for the subject call:

CA/Browser Forum Agenda

Time  Start(ET)  Stop   Item  Description                                       Presenters
0:02  11:30      11:32  1.    Roll Call                                         Dean
0:01  11:32      11:33  2.    Read Antitrust Statement
0:01  11:33      11:34  3.    Review Agenda                                     Dean
0:01  11:34      11:35  4.    Approval of minutes of last call                  Dean
0:05  11:35      11:40  5.    Forum Infrastructure Subcommittee update          Jos
0:05  11:40      11:45  6.    Code Signing Certificate Working Group update     Bruce
0:05  11:45      11:50  7.    S/MIME Certificate Working Group update           Stephen
0:05  11:50      11:55  8.    Membership Application of Japan Registry Services Dean
0:04  11:55      11:59  9.    Any Other Business - Doodle poll for October F2F
0:01  11:59      12:00  10.   Next call: June 10th; Adjourn

F2F Meeting Schedule:
* 2021: June 15-17 - Virtual; October - Tentative - Minneapolis (OATI)
* 2022: Mar-April - TBD; June - TBD; Sept - Berlin
From jopurvis at cisco.com Mon May 24 21:12:24 2021
From: jopurvis at cisco.com (Jos Purvis (jopurvis))
Date: Mon, 24 May 2021 21:12:24 +0000
Subject: [cabfpub] Final Minutes from CA/B Forum Call April 29, 2021
In-Reply-To: <0100017966619bf8-bd485334-4baa-4228-ba7b-ad4a37a79738-000000@email.amazonses.com>
References: <0100017966619bf8-bd485334-4baa-4228-ba7b-ad4a37a79738-000000@email.amazonses.com>
Message-ID:

From dean.coclin at digicert.com Tue May 25 15:00:21 2021
From: dean.coclin at digicert.com (Dean Coclin)
Date: Tue, 25 May 2021 15:00:21 +0000
Subject: [cabfpub] Final CA/Browser Forum agenda - Thursday, May 27, 2021 at 11:30 am Eastern Time
Message-ID:

Here is the final agenda for the subject call:

CA/Browser Forum Agenda

Time  Start(ET)  Stop   Item  Description                                       Presenters
0:02  11:30      11:32  1.    Roll Call                                         Dean
0:01  11:32      11:33  2.    Read Antitrust Statement
0:01  11:33      11:34  3.    Review Agenda                                     Dean
0:01  11:34      11:35  4.    Approval of minutes of last call                  Dean
0:05  11:35      11:40  5.    Forum Infrastructure Subcommittee update          Jos
0:05  11:40      11:45  6.    Code Signing Certificate Working Group update     Bruce
0:05  11:45      11:50  7.    S/MIME Certificate Working Group update           Stephen
0:05  11:50      11:55  8.    Membership Application of Japan Registry Services Dean
0:04  11:55      11:59  9.    Any Other Business - Doodle poll for October F2F
0:01  11:59      12:00  10.   Next call: June 10th; Adjourn

F2F Meeting Schedule:
* 2021: June 15-17 - Virtual; October - Tentative - Minneapolis (OATI)
* 2022: Mar-April - TBD; June - TBD; Sept - Berlin