[Cscwg-public] Ballot CSC-21: Signing Service Update

Bruce Morton Bruce.Morton at entrust.com
Fri Oct 13 15:04:11 UTC 2023 

I plan to wait a few more days to see if there are any other comments, then issue a version 2 of the ballot assuming the endorsers agree with the change.


Thanks, Bruce.

From: Ian McMillan <ianmcm at microsoft.com>
Sent: Friday, October 13, 2023 10:59 AM
To: Bruce Morton <Bruce.Morton at entrust.com>; cscwg-public at cabforum.org; Martijn Katerbarg <martijn.katerbarg at sectigo.com>
Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update

Agreed, that is a very good clarification. Thanks, Ian From: Cscwg-public <cscwg-public-bounces@ cabforum. org> On Behalf Of Bruce Morton via Cscwg-public Sent: Friday, October 13, 2023 9: 33 AM To: Martijn Katerbarg <martijn. katerbarg@ sectigo. com>;

Agreed, that is a very good clarification.

Thanks,
Ian

From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> On Behalf Of Bruce Morton via Cscwg-public
Sent: Friday, October 13, 2023 9:33 AM
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com<mailto:martijn.katerbarg at sectigo.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [EXTERNAL] Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

Hi Martijn,

I think this is a good clarification to separate the Signing Service from the Subscriber.


Thanks, Bruce.

From: Martijn Katerbarg <martijn.katerbarg at sectigo.com<mailto:martijn.katerbarg at sectigo.com>>
Sent: Friday, October 13, 2023 9:17 AM
To: Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [EXTERNAL] Re: Ballot CSC-21: Signing Service Update

Hi Bruce,

I have a concern with the “Signing Service” definition:
“**Signing Service**: An organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate.”

For subscribers that generate their own private keys and use these for signing (i.e., they manage them) I’m inclined to say that this would define them as a Signing Service.

Should we reword this to “An organization other than the Subscriber or any of its Affiliates, that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate”?

Regards,

Martijn


From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> on behalf of Bruce Morton via Cscwg-public <cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>>
Date: Thursday, 12 October 2023 at 21:59
To: cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org> <cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>>
Subject: [Cscwg-public] Ballot CSC-21: Signing Service Update
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


Purpose of the Ballot
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify language regarding Signing Service and signing requests. The main goals of this ballot are to:

  1.  Clarify the Signing Service definition and the expected deployment model.
  2.  Remove requirements for signing request.
  3.  Change text so Signing Service is not categorized as a Delegated Third Party.
  4.  Not allow Signing Service to transport Private Key to Subscriber.
  5.  Ensure Network Security Requirements are applicable to Signing Service.
  6.  State audit requirements for Signing Service.
The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan.


MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866<https://urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$>


MOTION ENDS
The procedure for this ballot is as follows: Discussion (7 days)


·                 Start Time: 2023-10-12 20:00 UTC

·                 End Time: Not before 2023-10-19 20:00 UTC

Vote for approval (7 days)


·                 Start Time: TBD

·                 End Time: TBD

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231013/e757d042/attachment-0001.html>

More information about the Cscwg-public mailing list