[Cscwg-public] FW: Ballot CSC-21: Signing Service Update

Bruce Morton Bruce.Morton at entrust.com
Mon Oct 30 18:02:50 UTC 2023 

Ian has provided some feedback on the Signing Service ballot. Let’s plan to discuss on the working group call this week.


Thanks, Bruce.

From: Ian McMillan <ianmcm at microsoft.com>
Sent: Monday, October 30, 2023 1:30 PM
To: Bruce Morton <Bruce.Morton at entrust.com>; Dean Coclin <dean.coclin at digicert.com>
Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update

Hi Bruce, Sorry for the delay. I think my current struggle is with the applicability of the NetSec BRs audit for Signing Service (and WebTrust for CA really). I really see the “Signing Service” as a representative of the subscriber in terms
Hi Bruce,

Sorry for the delay.

I think my current struggle is with the applicability of the NetSec BRs audit for Signing Service (and WebTrust for CA really). I really see the “Signing Service” as a representative of the subscriber in terms of providing key protection services and providing an interface to securely sign code with a certificate issued for signing, so the only requirements I am seeing are applicable are the private key protection requirements. Even when a CA’s parent organization is providing a signing service option to subscribers, that entity is all about protecting the private key for the subscriber and is really not part of the “Certificate System” as you might interpret the definition in the NetSec BRs. Today, Signing Services that are not offered by CAs are not audited under these criteria (e.g. Venafi, SignPath, etc.), but now we’d be make them get audits which are not really applicable. The other question I have now is how this audit requirement will be enforced (CAs, root programs, both)?

I know we have discussed this point and we agreed we do not want to allow someone with a HSM and a laptop to stand up a signing service, but there is really nothing stopping that from happening now because the subscriber private key protection requirements are what come into play if the subscriber chooses to work with a signing service that is not from a CA.

Thanks,
Ian

From: Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>>
Sent: Monday, October 30, 2023 10:38 AM
To: Dean Coclin <dean.coclin at digicert.com<mailto:dean.coclin at digicert.com>>; Ian McMillan <ianmcm at microsoft.com<mailto:ianmcm at microsoft.com>>
Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update

Hi Ian,

Just wanted to follow up on getting your re-endorsement.


Thanks, Bruce.

From: Dean Coclin <dean.coclin at digicert.com<mailto:dean.coclin at digicert.com>>
Sent: Monday, October 23, 2023 3:40 PM
To: Ian McMillan <ianmcm at microsoft.com<mailto:ianmcm at microsoft.com>>
Cc: Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>>
Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update

Ian,
Bruce is out this week but let me know if you want to endorse as he left me instructions to put the ballot out once you endorse.

Thanks
Dean

Dean Coclin
Sr. Director Business Development
M 1.781.789.8686

[cid:image001.jpg at 01DA0B33.689DCA60]


From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> On Behalf Of Bruce Morton via Cscwg-public
Sent: Friday, October 20, 2023 4:27 PM
To: cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [Cscwg-public] FW: Ballot CSC-21: Signing Service Update

The ballot has been updated as indicated below. As soon as we get the proposal re-endorsed, then we will send out version 2 of the ballot.


Thanks, Bruce.

From: Bruce Morton
Sent: Friday, October 20, 2023 8:55 AM
To: Ian McMillan <ianmcm at microsoft.com<mailto:ianmcm at microsoft.com>>; Tim Hollebeek (tim.hollebeek at digicert.com<mailto:tim.hollebeek at digicert.com>) <tim.hollebeek at digicert.com<mailto:tim.hollebeek at digicert.com>>
Cc: Corey Bonnell <Corey.Bonnell at digicert.com<mailto:Corey.Bonnell at digicert.com>>; Dean Coclin <dean.coclin at digicert.com<mailto:dean.coclin at digicert.com>>
Subject: FW: Ballot CSC-21: Signing Service Update

Hi Ian and Tim,

Based on the comments and our call yesterday, we have update the proposed ballot, see https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..0d5ebf46d712b7922dabec917c3147197dacf216<https://urldefense.com/v3/__https:/url.avanan.click/v2/___https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..0d5ebf46d712b7922dabec917c3147197dacf216___.YXAzOmRpZ2ljZXJ0OmE6bzpiNTE4NTRkNjRhNWVkNTMyODFiNjBjNjg3ZTI4YjQ1YTo2OjI1YmE6N2RmOTcyMmZiZmNiZmI1NTZmZmNkODdkODViZjU3MTgwY2JhODUzZjc0OTM2MTQ5NmE0NTJiY2MzZDlkNTU4MTpoOkY__;!!FJ-Y8qCqXTj2!e5zbSIlB4vz1o5y5nR4egCi7v3C2hjZtjFROMUVTg1gVyyQOEWtHHSMKssLLLkUk9ylt9aR_9-vzgd9jvIo$>

The changes are as follows:
Original proposal - Signing Service: An organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate.
New proposal - Signing Service: An organization that generates the Key Pair and securely manages the Private Key associated with a Code Signing Certificate, on behalf of a Subscriber.
There were no objections to this change on the call and Martijn also agreed that it addressed his concerns.

We also discussed helping Signing Service migrate to their audit requirements. This would also help the auditors know when the audit to these requirements would be applicable. Here is the change:
Original proposal - The Signing Service MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes:
New proposal - For Audit Periods starting after June 30, 2024, the Signing Service MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes:
My assumption is that the ballot will be approved and go through IPR this year, so the current Signing Services would have 6 months to adjust their practices to the new requirements.

Please advise if you approve the changes and I will start the discussion period again.


Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> On Behalf Of Bruce Morton via Cscwg-public
Sent: Thursday, October 12, 2023 3:59 PM
To: cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [EXTERNAL] [Cscwg-public] Ballot CSC-21: Signing Service Update


Purpose of the Ballot
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify language regarding Signing Service and signing requests. The main goals of this ballot are to:

  1.  Clarify the Signing Service definition and the expected deployment model.
  2.  Remove requirements for signing request.
  3.  Change text so Signing Service is not categorized as a Delegated Third Party.
  4.  Not allow Signing Service to transport Private Key to Subscriber.
  5.  Ensure Network Security Requirements are applicable to Signing Service.
  6.  State audit requirements for Signing Service.
The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan.


MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866<https://urldefense.com/v3/__https:/url.avanan.click/v2/___https:/urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$___.YXAzOmRpZ2ljZXJ0OmE6bzpiNTE4NTRkNjRhNWVkNTMyODFiNjBjNjg3ZTI4YjQ1YTo2OjFhMTI6YzIzOTA4ZGViYmRmMmUyYzlmODY4ZTRlNGVmY2NmZTljZTFhNWI1YTQ4NmExMzNjMjI5ZDY4ODFlN2ExMzZmMDpoOkY__;!!FJ-Y8qCqXTj2!e5zbSIlB4vz1o5y5nR4egCi7v3C2hjZtjFROMUVTg1gVyyQOEWtHHSMKssLLLkUk9ylt9aR_9-vz8Ipl2OY$>


MOTION ENDS
The procedure for this ballot is as follows: Discussion (7 days)


*                 Start Time: 2023-10-12 20:00 UTC

*                 End Time: Not before 2023-10-19 20:00 UTC

Vote for approval (7 days)


*                 Start Time: TBD

*                End Time: TBD

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231030/ad1b7546/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 23699 bytes
Desc: image001.jpg
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231030/ad1b7546/attachment-0001.jpg>

More information about the Cscwg-public mailing list