[Cscwg-public] [External Sender] [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection

Martijn Katerbarg martijn.katerbarg at sectigo.com
Mon Apr 8 08:08:14 UTC 2024 

Hi Adriano,

My apologies! It was in the past discussed about limiting timestamping to 72 or 75 months alltogether, then not requiring the SubCAs to be offline. The compromise here still allows up to 135 month timestamp certificates, if the SubCAs are offline. 

Mind you there’s no current limit to SubCA validity periods yet, but I would like to limit this to in a future ballot as well 

Regards,

Martijn 

From: Adriano Santoni <adriano.santoni at staff.aruba.it>
Date: Monday, 8 April 2024 at 09:47
To: cscwg-public at cabforum.org <cscwg-public at cabforum.org>, Martijn Katerbarg <martijn.katerbarg at sectigo.com>
Subject: Re: [External Sender] [Cscwg-public] [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection 

Hi, 
wouldn't it have been a little kinder to wait for an answer to the question I asked on Friday 5? 
It may be that the answer was obvious, but it remains unclear to me where that 72 months comes from..... 
Adriano 

Il 08/04/2024 09:31, Martijn Katerbarg via Cscwg-public ha scritto: 

Purpose of the Ballot 
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.7 in order to clarify language regarding Timestamp Authority Private Key Protection. The main goals of this ballot are to: 

1. Require newly issued Timestamp Authority Subordinate CA Private Keys to be stored in offline HSMs 
2. Add a requirement to remove Private Keys associated with Timestamp Certificates after a 18 months 
3. Add a requirement to reject SHA-1 timestamp requests 
The following motion has been proposed by Martijn Katerbarg of Sectigo and endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft. 
MOTION BEGINS 
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.7. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421 <https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421> 
MOTION ENDS 
The procedure for this ballot is as follows: 
Discussion (7 days) 

1. Start Time: 2024-04-08 09:00 UTC 
2. End Time: Not before 2024-04-15 17:00 UTC 
Vote for approval (7 days) 

1. Start Time: TBD 
2. End Time: TBD 





_______________________________________________ Cscwg-public mailing list Cscwg-public at cabforum.org <mailto:Cscwg-public at cabforum.org> https://lists.cabforum.org/mailman/listinfo/cscwg-public <https://lists.cabforum.org/mailman/listinfo/cscwg-public> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240408/74823f68/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 8254 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240408/74823f68/attachment-0001.bin>

More information about the Cscwg-public mailing list