[Cscwg-public] [External Sender] Re: [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection
Adriano Santoni
adriano.santoni at staff.aruba.it
Mon Apr 8 08:35:47 UTC 2024
Hi Martijn,
I can't find (in the call minutes) a past discussion about that, however
I assume it's fine for everyone since I haven't seen any objections.
Adriano
Il 08/04/2024 10:08, Martijn Katerbarg ha scritto:
>
> Hi Adriano,
>
> My apologies! It was in the past discussed about limiting timestamping
> to 72 or 75 months alltogether, then not requiring the SubCAs to be
> offline. The compromise here still allows up to 135 month timestamp
> certificates, if the SubCAs are offline.
>
> Mind you there’s no current limit to SubCA validity periods yet, but I
> would like to limit this to in a future ballot as well
>
> Regards,
>
> Martijn
>
> *From: *Adriano Santoni <adriano.santoni at staff.aruba.it>
> *Date: *Monday, 8 April 2024 at 09:47
> *To: *cscwg-public at cabforum.org <cscwg-public at cabforum.org>, Martijn
> Katerbarg <martijn.katerbarg at sectigo.com>
> *Subject: *Re: [External Sender] [Cscwg-public] [Discussion Period
> Begins] CSC-24 (v2): Timestamping Private Key Protection
>
> Hi,
>
> wouldn't it have been a little kinder to wait for an answer to the
> question I asked on Friday 5?
>
> It may be that the answer was obvious, but it remains unclear to me
> where that 72 months comes from.....
>
> Adriano
>
> Il 08/04/2024 09:31, Martijn Katerbarg via Cscwg-public ha scritto:
>
> *Purpose of the Ballot*
>
> This ballot updates the “Baseline Requirements for the Issuance
> and Management of Publicly‐Trusted Code Signing Certificates“
> version 3.7 in order to clarify language regarding Timestamp
> Authority Private Key Protection. The main goals of this ballot
> are to:
>
> 1. Require newly issued Timestamp Authority Subordinate CA
> Private Keys to be stored in offline HSMs
> 2. Add a requirement to remove Private Keys associated with
> Timestamp Certificates after a 18 months
> 3. Add a requirement to reject SHA-1 timestamp requests
>
> The following motion has been proposed by Martijn Katerbarg of
> Sectigo and endorsed by Bruce Morton of Entrust and Ian McMillan
> of Microsoft.
>
> *MOTION BEGINS*
>
> This ballot updates the “Baseline Requirements for the Issuance
> and Management of Publicly‐Trusted Code Signing Certificates”
> ("Code Signing Baseline Requirements") based on version 3.7.
> MODIFY the Code Signing Baseline Requirements as specified in the
> following
> redline:https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421
>
> *MOTION ENDS*
>
> The procedure for this ballot is as follows:
>
> Discussion (7 days)
>
> 1. Start Time: 2024-04-08 09:00 UTC
> 2. End Time: Not before 2024-04-15 17:00 UTC
>
> Vote for approval (7 days)
>
> 1. Start Time: TBD
> 2. End Time: TBD
>
>
>
> _______________________________________________
>
> Cscwg-public mailing list
>
> Cscwg-public at cabforum.org
>
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240408/fc186350/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240408/fc186350/attachment.p7s>
More information about the Cscwg-public
mailing list