[Cscwg-public] [EXTERNAL] Re: Ballot CSC-21: Signing Service Update

Thu Oct 12 20:33:15 UTC 2023

This was intentional as we do not want subscriber keys to be exported from the HSM. We discussed this in one of our meetings. Only one CA had pushback, but after checking agreed with the direction.

Thanks, Bruce.

From: Faisal Razzak <raja.faisal at gmail.com>
Sent: Thursday, October 12, 2023 4:28 PM
To: Bruce Morton <Bruce.Morton at entrust.com>; cscwg-public at cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

Good Day everyone, Reading the modified changes for Code Signing Baseline Requirements at: https: //github. com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874. . 701d195fa95fe49e8a02435fc40fb0a018686866 . Line number 1380

Good Day everyone,

Reading the modified changes for Code Signing Baseline Requirements at:https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866<https://urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$> . Line number 1380 now mentions FIPS 140-2 Level 3. Is it an intentional change or typo from the earlier requirement for using FIPS 140-2 Level 2 for Subscriber Private Key associated with Code Signing Certificates?

Thank you,

Regards,
Faisal Razzak

E-MAIL CONFIDENTIALITY CLAUSE:
This e-mail and the information contained in it is confidential, may be privileged and is intended for the exclusive use of the addressee(s). Any other person is strictly prohibited from using, disclosing, distributing or reproducing it. If you have received this communication in error, please reply by e-mail to the sender and delete or destroy all copies of this message.
CLAUSE DE CONFIDENTIALITÉ POUR LES ENVOIS PAR COURRIEL
Le présent courriel et les renseignements qu'il contient sont confidentiels, peuvent être protégés par le secret professionnel et sont à l'usage exclusif du (des) destinataire(s) susmentionné(s). Toute autre personne est par les présentes avisée qu'illui est strictement interdit d'en faire l'utilisation, la diffusion, la distribution ou la reproduction. Si cette transmission vous est arrivée par erreur, veuillez en aviser immédiatement l'expéditeur par courriel, puis effacer ou détruire toutes les copiesdu présent message.

On Thu, Oct 12, 2023 at 3:59 PM Bruce Morton via Cscwg-public <cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>> wrote:

Purpose of the Ballot
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify language regarding Signing Service and signing requests. The main goals of this ballot are to:

  1.  Clarify the Signing Service definition and the expected deployment model.
  2.  Remove requirements for signing request.
  3.  Change text so Signing Service is not categorized as a Delegated Third Party.
  4.  Not allow Signing Service to transport Private Key to Subscriber.
  5.  Ensure Network Security Requirements are applicable to Signing Service.
  6.  State audit requirements for Signing Service.
The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan.

MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866<https://urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$>

MOTION ENDS
The procedure for this ballot is as follows: Discussion (7 days)

•                 Start Time: 2023-10-12 20:00 UTC

•                 End Time: Not before 2023-10-19 20:00 UTC

Vote for approval (7 days)

•                 Start Time: TBD

•                End Time: TBD
_______________________________________________
Cscwg-public mailing list
Cscwg-public at cabforum.org<mailto:Cscwg-public at cabforum.org>
https://lists.cabforum.org/mailman/listinfo/cscwg-public<https://urldefense.com/v3/__https:/lists.cabforum.org/mailman/listinfo/cscwg-public__;!!FJ-Y8qCqXTj2!bHPUMRfbHlgaBBihKcnoSbtmIgAwnbK7NmFy47vTtgtRYCwQu0K_tDVCJEY3FxsRYu66SiUm3nS6wLDll_YPM3w$>
Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231012/929b7417/attachment-0001.html>