[Cscwg-public] Voting Period begins - Ballot CSC-22: High Risk Requirements Update
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Mon Jan 8 06:15:27 UTC 2024
HARICA votes "yes" to ballot CSC-22.
On 5/1/2024 10:02 PM, Bruce Morton via Cscwg-public wrote:
>
> *Purpose of the Ballot*
>
> This ballot updates the “Baseline Requirements for the Issuance and
> Management of Publicly‐Trusted Code Signing Certificates” version 3.4
> in order to clarify language regarding Signing Service and signing
> requests. The main goals of this ballot are to:
>
> 1. Remove references to High Risk Certificate Request, since the
> CSBRs do not provide any actions for a high risk application.
> 2. Remove references to High Risk Region of Concern, since the CSBR
> appendix has never been populated.
> 3. Remove rules for a Takeover Attack to require the Subscriber to
> generate keys in a crypto device, since crypto device key
> generation is now a baseline requirement for all code signing
> certificates.
> 4. Remove option to transfer private key which has been generated in
> software.
> 5. Cleanup to remove Subscriber key generation option which expired
> effective 1 June 2023.
> 6. Cleanup to remove “any other method” to verify the Subscriber key
> was generated in a crypto device, since this option expired 1 June
> 2023.
>
> The following motion has been proposed by Bruce Morton of Entrust and
> endorsed by Tim Hollebeek of DigiCert and Ian McMillan of Microsoft.
>
> *MOTION BEGINS*
>
> This ballot updates the “Baseline Requirements for the Issuance and
> Management of Publicly‐Trusted Code Signing Certificates” ("Code
> Signing Baseline Requirements") based on version 3.4. MODIFY the Code
> Signing Baseline Requirements as specified in the following redline:
> https://github.com/cabforum/code-signing/compare/e0da5532ab81e35e2e92536c1bc9ea3c36765b26...50871dc08d39102daf6c93fa556a869790643fb6
>
> *MOTION ENDS*
>
> The procedure for this ballot is as follows:
>
> Discussion (minimum 7 days)
>
> * Start Time: 2023-12-15 00:00 UTC
> * End Time: 2024-01-05 20:00 UTC
>
> Vote for approval (7 days)
>
> * Start Time: 2024-01-05 20:00 UTC
> * End Time: 2024-01-12 20:00 UTC