[Cscwg-public] [EXTERNAL] Re: Ballot CSC-21: Signing Service Update

[Bruce Morton]

Hi Faisal,

Thanks for your review. I don’t believe there is a conflict. An enterprise customer or a Subscriber per section 6.2.7.4.1 must protect their private keys “in a Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140‐2 Level 2 or Common Criteria EAL 4+.”

The ballot proposal is a Signing Service, which is not a customer or Subscriber, “SHALL protect Subscriber Private Keys in a Hardware Crypto Module conforming to at least FIPS 140-2 level 3 or Common Criteria EAL 4+.” Note that a Signing Service provides key generation and protection to the Subscribers, if the Subscriber chooses this service. The Signing Service will also still be required to be audited to the requirements of the CSBRs including meeting the NetSec requirements.


Thanks, Bruce.

From: Faisal Razzak <raja.faisal at gmail.com>
Sent: Thursday, October 12, 2023 5:01 PM
To: Bruce Morton <Bruce.Morton at entrust.com>
Cc: cscwg-public at cabforum.org
Subject: Re: [EXTERNAL] Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

Hi Bruce, Thank you for the response & clarification. Few observations: Line 66 is in conflict with Line 1380. Line 66 mentions FIPS 140-2 Level 2 and Line 1380 mentions FIPS 140-2 Level 3 . In my humble opinion, this is a significant change

Hi Bruce,

Thank you for the response & clarification. Few observations:


  1.  Line 66 is in conflict with Line 1380. Line 66 mentions FIPS 140-2 Level 2 and Line 1380 mentions  FIPS 140-2 Level 3 .
  2.  In my humble opinion, this is a significant change for enterprise customers where they need to enforce Level 3 instead of Level 2 for their HSM infrastructure. Is CAB forum planning to give a grace period before this requirement update goes into enforcement ?
  3.  In addition, my past knowledge around working with FIPS 140-2 Level 2 and FIPS 140-2 Level 3 is that automating key generation at Level 3 becomes an issue. I'll circle back on this topic.
Thanks,

Regards,
Faisal Razzak

E-MAIL CONFIDENTIALITY CLAUSE:
This e-mail and the information contained in it is confidential, may be privileged and is intended for the exclusive use of the addressee(s). Any other person is strictly prohibited from using, disclosing, distributing or reproducing it. If you have received this communication in error, please reply by e-mail to the sender and delete or destroy all copies of this message.
CLAUSE DE CONFIDENTIALITÉ POUR LES ENVOIS PAR COURRIEL
Le présent courriel et les renseignements qu'il contient sont confidentiels, peuvent être protégés par le secret professionnel et sont à l'usage exclusif du (des) destinataire(s) susmentionné(s). Toute autre personne est par les présentes avisée qu'illui est strictement interdit d'en faire l'utilisation, la diffusion, la distribution ou la reproduction. Si cette transmission vous est arrivée par erreur, veuillez en aviser immédiatement l'expéditeur par courriel, puis effacer ou détruire toutes les copiesdu présent message.




On Thu, Oct 12, 2023 at 4:33 PM Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>> wrote:
This was intentional as we do not want subscriber keys to be exported from the HSM. We discussed this in one of our meetings. Only one CA had pushback, but after checking agreed with the direction.


Thanks, Bruce.

From: Faisal Razzak <raja.faisal at gmail.com<mailto:raja.faisal at gmail.com>>
Sent: Thursday, October 12, 2023 4:28 PM
To: Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [EXTERNAL] Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

Good Day everyone, Reading the modified changes for Code Signing Baseline Requirements at: https: //github. com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874. . 701d195fa95fe49e8a02435fc40fb0a018686866 . Line number 1380
Good Day everyone,

Reading the modified changes for Code Signing Baseline Requirements at:https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866<https://urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$> . Line number 1380 now mentions FIPS 140-2 Level 3. Is it an intentional change or typo from the earlier requirement for using FIPS 140-2 Level 2 for Subscriber Private Key associated with Code Signing Certificates?

Thank you,

Regards,
Faisal Razzak

E-MAIL CONFIDENTIALITY CLAUSE:
This e-mail and the information contained in it is confidential, may be privileged and is intended for the exclusive use of the addressee(s). Any other person is strictly prohibited from using, disclosing, distributing or reproducing it. If you have received this communication in error, please reply by e-mail to the sender and delete or destroy all copies of this message.
CLAUSE DE CONFIDENTIALITÉ POUR LES ENVOIS PAR COURRIEL
Le présent courriel et les renseignements qu'il contient sont confidentiels, peuvent être protégés par le secret professionnel et sont à l'usage exclusif du (des) destinataire(s) susmentionné(s). Toute autre personne est par les présentes avisée qu'illui est strictement interdit d'en faire l'utilisation, la diffusion, la distribution ou la reproduction. Si cette transmission vous est arrivée par erreur, veuillez en aviser immédiatement l'expéditeur par courriel, puis effacer ou détruire toutes les copiesdu présent message.




On Thu, Oct 12, 2023 at 3:59 PM Bruce Morton via Cscwg-public <cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>> wrote:

Purpose of the Ballot
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify language regarding Signing Service and signing requests. The main goals of this ballot are to:

  1.  Clarify the Signing Service definition and the expected deployment model.
  2.  Remove requirements for signing request.
  3.  Change text so Signing Service is not categorized as a Delegated Third Party.
  4.  Not allow Signing Service to transport Private Key to Subscriber.
  5.  Ensure Network Security Requirements are applicable to Signing Service.
  6.  State audit requirements for Signing Service.
The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan.


MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866<https://urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$>


MOTION ENDS
The procedure for this ballot is as follows: Discussion (7 days)


•                 Start Time: 2023-10-12 20:00 UTC

•                 End Time: Not before 2023-10-19 20:00 UTC

Vote for approval (7 days)


•                 Start Time: TBD

•                End Time: TBD
_______________________________________________
Cscwg-public mailing list
Cscwg-public at cabforum.org<mailto:Cscwg-public at cabforum.org>
https://lists.cabforum.org/mailman/listinfo/cscwg-public<https://urldefense.com/v3/__https:/lists.cabforum.org/mailman/listinfo/cscwg-public__;!!FJ-Y8qCqXTj2!bHPUMRfbHlgaBBihKcnoSbtmIgAwnbK7NmFy47vTtgtRYCwQu0K_tDVCJEY3FxsRYu66SiUm3nS6wLDll_YPM3w$>
Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231013/beadd507/attachment-0001.html>