[Cscwg-public] Ballot CSC-21: Signing Service Update

Thu Oct 19 17:55:28 UTC 2023

Hi Martijn,

We discussed the Signing Service definitions and this is what is proposed, “An organization that generates the Key Pair and securely manages the Private Key associated with a Code Signing Certificate, on behalf of a Subscriber.”

Does this work for you?

Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-public
Sent: Tuesday, October 17, 2023 4:49 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; Corey Bonnell <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org; Martijn Katerbarg <martijn.katerbarg at sectigo.com>
Subject: [EXTERNAL] Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

So I think the allowance is that an entity which operates a CA can use the its Signing Service to generate the its Subscriber keys. Do we need to update the definition? Or put is an note? Or leave as is?

We might be over-churning on this definition. What if a third party operates a Signing Service and issues itself key for Code Signing certificates. Same problem.

I do think that a definition is a short-cut and not a requirement. Our intention of the BRs is to provide requirements for a Signing Service. The intention of the short-cut Signing Service definition was just to say that it is an organization which securely generates and manages the key pair on behalf of a Subscriber. An entity or organization can fill more than one role. As such, the original proposed definition might be OK.

Bruce.

From: Tim Hollebeek <tim.hollebeek at digicert.com<mailto:tim.hollebeek at digicert.com>>
Sent: Tuesday, October 17, 2023 3:45 PM
To: Corey Bonnell <Corey.Bonnell at digicert.com<mailto:Corey.Bonnell at digicert.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>; Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>>; Martijn Katerbarg <martijn.katerbarg at sectigo.com<mailto:martijn.katerbarg at sectigo.com>>
Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update

I think these are good clarifications.  I think it’s important to make sure the definition of Signing Service accurately encompasses the cases where a Subscriber is relying on the CA to provide key generation and protection, but doesn’t accidentally pull anything inappropriate else into scope.

If the definition and scope are not properly defined, it is almost inevitable that some existing or future requirement will have unexpected and damaging consequences.

-Tim

From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> On Behalf Of Corey Bonnell via Cscwg-public
Sent: Tuesday, October 17, 2023 12:34 PM
To: Bruce Morton <bruce.morton at entrust.com<mailto:bruce.morton at entrust.com>>; Martijn Katerbarg <martijn.katerbarg at sectigo.com<mailto:martijn.katerbarg at sectigo.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

Hi Bruce,
I agree the current definition of Signing Service would encompass the CA’s own Subscriber keys. However, we are proposing to amend the definition to:

“An organization other than the Subscriber or any of its Affiliates, that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate”. Under this definition, the CA’s own Signing Service would not qualify as a Signing Service for its own Subscriber key pairs.

Thanks,
Corey

From: Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>>
Sent: Tuesday, October 17, 2023 3:27 PM
To: Corey Bonnell <Corey.Bonnell at digicert.com<mailto:Corey.Bonnell at digicert.com>>; Martijn Katerbarg <martijn.katerbarg at sectigo.com<mailto:martijn.katerbarg at sectigo.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: RE: Ballot CSC-21: Signing Service Update

Hi Corey,

Can you please elaborate why you have the concern?

My first take is an example where a Signing Service must use FIPS 140-2 Level 3 and the Subscriber must use minimum Level 2. So if the Subscriber key was generated by the Signing Service, then Level 3 would apply. I don’t see a conflict as both requirements are met.

I guess I am not understanding why the Signing Service requirements would not apply even if the CA was using the Signing Service for its Subscriber’s keys.

Thanks, Bruce.

From: Corey Bonnell <Corey.Bonnell at digicert.com<mailto:Corey.Bonnell at digicert.com>>
Sent: Tuesday, October 17, 2023 3:06 PM
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com<mailto:martijn.katerbarg at sectigo.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>; Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>>
Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update

In the case where the CA is generating its own Key Pairs to issue itself code signing certificates, their obligations for key protection would be outlined in the sections pertaining to Subscriber Key Pair protection, even if the Private Key so happens to reside in a Signing Service that they run. I think this is fine but want to ensure there’s agreement on this interpretation.

Thoughts?

Thanks,
Corey
From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> On Behalf Of Martijn Katerbarg via Cscwg-public
Sent: Friday, October 13, 2023 9:17 AM
To: Bruce Morton <bruce.morton at entrust.com<mailto:bruce.morton at entrust.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

Hi Bruce,

I have a concern with the “Signing Service” definition:
“**Signing Service**: An organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate.”

For subscribers that generate their own private keys and use these for signing (i.e., they manage them) I’m inclined to say that this would define them as a Signing Service.

Should we reword this to “An organization other than the Subscriber or any of its Affiliates, that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate”?

Regards,

Martijn

From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> on behalf of Bruce Morton via Cscwg-public <cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>>
Date: Thursday, 12 October 2023 at 21:59
To: cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org> <cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>>
Subject: [Cscwg-public] Ballot CSC-21: Signing Service Update
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Purpose of the Ballot
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify language regarding Signing Service and signing requests. The main goals of this ballot are to:

  1.  Clarify the Signing Service definition and the expected deployment model.
  2.  Remove requirements for signing request.
  3.  Change text so Signing Service is not categorized as a Delegated Third Party.
  4.  Not allow Signing Service to transport Private Key to Subscriber.
  5.  Ensure Network Security Requirements are applicable to Signing Service.
  6.  State audit requirements for Signing Service.
The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan.

MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866<https://url.avanan.click/v2/___https:/urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$___.YXAzOmRpZ2ljZXJ0OmE6bzpiZjFlN2QwMWExMzg3MTlkZjRjMGM1ZTcyOGQwMzk5Nzo2Ojk3ZGE6MjI3ZTJmZTM1NjM2OTBlOGU0ZDIyMzAwZDYyNTc0YjY4NzM0OTEzM2FiZWU0ZDhhMTNhMDMxNmI4ZDBlMDA2MjpoOkY>

MOTION ENDS
The procedure for this ballot is as follows: Discussion (7 days)

·                 Start Time: 2023-10-12 20:00 UTC

·                 End Time: Not before 2023-10-19 20:00 UTC

Vote for approval (7 days)

·                 Start Time: TBD

·                 End Time: TBD

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231019/2bdfece1/attachment-0001.html>