| Section | Description | Owner | Priority | Comments | Ballot | Status |
|---|---|---|---|---|---|---|
| 7.2 | Signing Service warranties should be separated from the CA warranties | Bruce/Ian | 1 | Will be addressed in Signing Service update ballot | | Open |
| 8.2 | For discussion, "Subsequent signature validation MAY ignore revocation, especially if rejecting the Code will cause the device to fail to boot." | Ian | 2 | Section deleted | CSC-9 | Closed |
| 8.5 | Do we need the Insurance requirement? | Mike | 3 | 7/16 - Mike believes this can be dropped. It comes from the EV SSL Guideline $2M/$5M. 7/30 - Since it comes directly from EV TLS, agree to leave it in. | | Closed |
| 9.3.1 | Create timestamp certificate policy OID | Bruce | 2 | | CSC-9 | Closed |
| 9.2.4 | Should we address including givenName and surName in certificates? | | 4 | 7/30 - Ian to go back to platform team to check behavior. What does Microsoft need? Impacts? Value? Currently in Org field. Do we need this? | | Open |
| 11.1.1 | Discuss item 4, "If the Subject's or Subject's Affiliate's, Parent Company's, or Subsidiary Company's date of formation, as indicated by either a QIIS or QGIS, was less than three years prior to the date of the Certificate Request, verify the identity of the Certificate Requester." | Ian | 4 | | CSC-9 | Closed |
| 11.1.2 | How to identify individuals working on open source code as part of a consortium? | Ian | 3 | Brought up by Microsoft rep at virtual F2F. Hard to get EV for these entities. Is there another way? Need separate meeting to brainstorm. Many open source people need these. | | Open |
| 11.2 | Should EV Guidelines section 11.5 regarding Verified Method of Communication be addressed? | Bruce | 2 | Bruce presented recommendation on 6/18/20. CLOSED, in new document. | CSC-2 | Closed |
| 11.5 | High risk certificate requests should either be removed or updated to provide common methods for all CAs. | Ian | 2 | | | Open |
| 14 | Consolidate Employee and Third Party requirements for Non-EV and EV Certificates. | Dean/Bruce | 3 | Where it says "For EV", is there a reason for it to be different than non-EV? Should consolidate. Bruce to propose a ballot to resolve CSCWG-7. | CSC-7 | Closed |
| 15 | Consolidate Data Records for CAs, Signing Authorities, and Time-stamp Authorities. | Ian | 1 | Look at BR 5.4.1 and compare to what we list for TSA to see how it can be improved. | CSC-10 | Closed |
| 13.2.1 | CRL language says "MUST issue CRLs", which is not clear about which CAs must issue CRLs | Tim H/Ian/Bruce | 2 | | CSC-9 | Closed |
| 13.2.2 | Incorrect reference. Change "after revoking a Subordinate CA Certificate" to "after revoking a Timestamp Certificate" | Ian/Bruce/Tim H | 2 | | CSC-9 | Closed |
| 16.3 | Subscriber private key protection should be updated. Cloud-based key protection should be considered. | Ian | 1 | Presented on 6/18/20. Recommend removing CC and adding eIDAS. Outcome is that the requirements for keys would be the same for EV and non-EV. Ian to propose language. | CSC-6 | Open |
| 17.1 | Review if special audit criteria are needed for Government CAs. | Mike | 3 | 7/16 - Going forward all CAs will need WebTrust/ETSI audits. Microsoft will advise in the future when ready to remove. MSFT working with WebTrust team. No change. | | Closed |
| | Review all EV-specific requirements to see if they can apply to non-EV | Group | | Plan a future meeting to work through the BRs to discuss each difference. Bruce can pre-review and add comments to BRs. Complete - Bruce will propose a ballot to close. | CSC-7 | Closed |
| 17.1 (2) | Indicate allowance for EV and non-EV public code signing report | Tim Crawford | 1 | Will need to address when WebTrust releases the new audit criteria for the merged BRs | | Closed |
| 13.1.5.3.3.b.ii | "If no response is received after 7 days, the CA must revoke the certificate except if the CA has documented proof (e.g., OCSP logs) that this will cause significant impact to the general public" | Daniella | 2 | Change to: "If no response is received after 7 days, the CA must revoke the certificate except if the CA has documented proof (e.g., OCSP logs) that the revocation will cause significant impact to the general public." | CSC-9 | Closed |
| 13.2.1 | Change "blacklist" to "blocklist" | Dean | 2 | Ballot required to change "blacklist" to "blocklist". Text was removed per CSC-8. | CSC-8 | Closed |
| 16.3 | Section 16.3 item 2 reads: "A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent." That should probably have been: "A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent." | Bruce | 2 | Add to clean-up ballot | CSC-9 | Closed |
| 1.2 | Effective date for CSC-7 should not be 1 July 2021 | Bruce | 2 | Effective date should be 8 March 2021, which is the date the IP review was completed | CSC-8 | Closed |
| 11.8 | Two person control | Tim C | | Review what CAs are doing today. Can review when we resolve the differences between Non-EV and EV. Two person control is required for both Non-EV and EV certificates. Bruce will propose a ballot to resolve. | CSC-7 | Closed |
| 17.8 | Key Gen: This section creates a bit of an issue, because BR 6.1.1.1 provides requirements for all CA key generation, but EVG 17.7 only speaks to root CA keys. This would seem to indicate there are no requirements around EV issuing CA generations. | Tim C | | Tim: My recommendation would be all CA key generation follows BR 6.1.1.1. Review what CAs are doing now. Non-EV vs EV discussion. Bruce will propose ballot to close. | CSC-7 | Closed |
| 9.2.3 | Cleanup to change: "For Non-EV Code Signing Certificates, this field MUST not be present in a Code Signing Certificate" | Inaba | Cleanup | "This field MUST not be present in a Code Signing Certificate" | CSC-7 | Closed |
| Appendix A Timestamp Tokens | SHA-1 | Ian | | Ian to propose a change to this section. SHA-1 to be allowed to be used until April 2022 for this purpose (timestamp token - legacy implementations). Supports .NET Framework versions 4.7.2 and older. | CSC-4 | Closed |
| General | Make references to BRs version specific | Tim H | | Section 4 of Definitions calls out specific versions of the BRs and EV Guidelines | CSC-2 | Closed |
| Appendix A | SHA-1 and 3072 per Corey email, https://lists.cabforum.org/pipermail/cscwg-public/2020-December/000250.html | Corey | 2 | Certificate requirement - Existing roots may be 3072, new roots must be 4096; Subordinate CA minimum is 3072, new must be 4096; Code Signing or Time-stamping certificate minimum is 3072, but may be 4096. Cross-certificate to extend ubiquity for a new root may be issued from a 2048 root. Cross-certificate must expire by 31 December 2030 or Microsoft could apply a "not before" date. SHA-1 - CAs can support SHA-1 revocation responses after the sunset date (confirm date); SHA-1 Time-stamp certificates can be issued until 30 April 2022. | CSC-9 | Closed |
| 4 | SSL BR and SSL EV Guidelines versions | Bruce | 2 | Need plan to update CSBRs with latest acceptable versions of the SSL BR/EVGs | | Open |
| Appendix A | Certified tokens which support 3072/4096. The industry does not appear to have many tokens which meet the CSBR requirements. | | 1 | No action | | Closed |
| 13 | Certificate suspension | Dimitris | 2 | Reference to SSL BRs may make the requirement about certificate suspension unclear. Could be resolved with a ballot indicating that certificate suspension is not allowed. | | Open |
| 13.2 and Appendix B | CRL/OCSP requirements for code signing and time-stamping certificates | Ian | 1 | Ballot to make CRL mandatory and OCSP optional | CSC-8 | Closed |
| 11.2.1 | CSBR 11.2.1 has incorrect language which states, "A Timestamp Authority is NOT REQUIRED to validate in any way data submitted to it for timestamping. It simply adds the time to the data that are presented to it, signs the result and appends its own Timestamp Certificate." | Corey/Ian | 2 | Ian to correct in ballot CSC-8 | CSC-8 | Closed |
| All | Move CSBRs to RFC 3647 format and into pandoc format | Corey | 1 | | | Open |
| 9.2.1 | CSBR 9.2.1 states "No stipulation". Update CSBRs to ensure SAN is not allowed. | Tim H | 2 | | | Open |
| | Dedicated Root Hierarchy | Bruce | 2 | It was agreed that a Dedicated Root PKI hierarchy could have a single root which could have separate Subordinate CAs which can issue Non-EV Code Signing, EV Code Signing and Time-stamping certificates. | | Closed |
| Appendix C | Code Signing dedicated root. If used, can it cover the CSBRs and also have Non-EV, EV and TS subordinate CAs? Also, Appendix C is referencing the SSL BRs for test certificates, which would require SSL test certificates. | Bruce/Corey | 2 | | CSC-9 | Closed |
| 11.1.1 | Tim states, "I'm hearing from our code signing validation people that 11.1.1, which refers to non-EV CS certificates, has a requirement for additional validation for companies less than three years old (we've discussed this recently), but this requirement is missing for EV code signing certificates." | Tim H | 2 | Ballot to resolve that non-EV requirement is higher than EV requirement | | Open |
| 9.2 | Email address in subject DN | Tim H | 2 | | | Open |
| 13.2.1 | Invalidity Date | Corey | 1 | Windows does not support Invalidity Date. Ballot to provide clarification in CSBRs. | CSC-12 | Closed |