[Cscwg-public] Voting Period begins - Ballot CSC-22: High Risk Requirements Update

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Jan 8 06:15:27 UTC 2024


HARICA votes "yes" to ballot CSC-22.


On 5/1/2024 10:02 PM, Bruce Morton via Cscwg-public wrote:
>
> *Purpose of the Ballot*
>
> This ballot updates the “Baseline Requirements for the Issuance and 
> Management of Publicly‐Trusted Code Signing Certificates” version 3.4 
> in order to clarify language regarding Signing Service and signing 
> requests. The main goals of this ballot are to:
>
>  1. Remove references to High Risk Certificate Request, since the
>     CSBRs do not provide any actions for a high risk application.
>  2. Remove references to High Risk Region of Concern, since the CSBR
>     appendix has never been populated.
>  3. Remove rules for a Takeover Attack to require the Subscriber to
>     generate keys in a crypto device, since crypto device key
>     generation is now a baseline requirement for all code signing
>     certificates.
>  4. Remove option to transfer private key which has been generated in
>     software.
>  5. Cleanup to remove Subscriber key generation option which expired
>     effective 1 June 2023.
>  6. Cleanup to remove “any other method” to verify the Subscriber key
>     was generated in a crypto device, since this option expired 1 June
>     2023.
>
> The following motion has been proposed by Bruce Morton of Entrust and 
> endorsed by Tim Hollebeek of DigiCert and Ian McMillan of Microsoft.
>
> *MOTION BEGINS*
>
> This ballot updates the “Baseline Requirements for the Issuance and 
> Management of Publicly‐Trusted Code Signing Certificates” ("Code 
> Signing Baseline Requirements") based on version 3.4. MODIFY the Code 
> Signing Baseline Requirements as specified in the following redline: 
> https://github.com/cabforum/code-signing/compare/e0da5532ab81e35e2e92536c1bc9ea3c36765b26...50871dc08d39102daf6c93fa556a869790643fb6 
>
> *MOTION ENDS*
>
> The procedure for this ballot is as follows: Discussion (minimum 7 days)
>
>   * Start Time: 2023-12-15 00:00 UTC
>   * End Time: 2024-01-05 20:00 UTC
>
> Vote for approval (7 days)
>
>   * Start Time: 2024-01-05 20:00 UTC
>   * End Time: 2024-01-12 20:00 UTC
>