[Cscwg-public] [EXTERNAL] Re: FW: Ballot CSC-22: High Risk Requirements Update

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Jan 17 18:00:07 UTC 2024



On 17/1/2024 7:58 PM, Bruce Morton wrote:
>
> Yes, that is the email which started the discussion period.
>

Do we need to start over?

Dimitris.

> Bruce.
>
> *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of 
> *Dimitris Zacharopoulos (HARICA) via Cscwg-public
> *Sent:* Wednesday, January 17, 2024 12:10 PM
> *To:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] Re: [Cscwg-public] FW: Ballot CSC-22: High Risk 
> Requirements Update
>
> Dean, Bruce,
>
> Apologies for not spotting this sooner. Can you please confirm if this 
> is the email that was sent to the public list to start the discussion 
> period?
>
> https://lists.cabforum.org/pipermail/cscwg-public/2023-December/001141.html
>
> If this is the only email that was sent to start the discussion 
> period, I'm afraid it is not compliant with the Bylaws because when 
> the official discussion period started, the ballot did not include two 
> endorsers. Instead, it seems that it went straight to voting, per 
> https://lists.cabforum.org/pipermail/cscwg-public/2024-January/001145.html.
>
> Again, sorry for not discovering this earlier and I would definitely 
> need another pair of eyes to confirm this.
>
> Dimitris.
>
> On 17/1/2024 6:36 PM, Dean Coclin via Cscwg-public wrote:
>
>     Resending to the list…
>
>     *Dean Coclin *
>
>     *From:*Dean Coclin
>     *Sent:* Friday, January 12, 2024 4:26 PM
>     *Subject:* Ballot CSC-22: High Risk Requirements Update
>
>     Voting has concluded on Ballot CSC 22 and the results are as follows:
>
>     Certificate Issuers:
>     Yes: (7) Digicert, eMudra, Entrust, Globalsign, HARICA, Sectigo,
>     Viking Cloud
>
>     No: (0)
>
>     Abstain: (0)
>
>     Certificate Consumers:
>     Yes: (1) Microsoft
>
>     No: (0)
>
>     Abstain: (0)
>
>     Quorum was achieved. Therefore the ballot passes.
>
>     *Dean Coclin *
>
>     CSCWG Chair
>
>     *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf
>     Of *Bruce Morton via Cscwg-public
>     *Sent:* Friday, January 5, 2024 3:02 PM
>     *To:* cscwg-public at cabforum.org
>     *Subject:* [Cscwg-public] Voting Period begins - Ballot CSC-22:
>     High Risk Requirements Update
>
>     *Purpose of the Ballot*
>
>     This ballot updates the “Baseline Requirements for the Issuance
>     and Management of Publicly‐Trusted Code Signing Certificates”
>     version 3.4 in order to clarify language regarding Signing Service
>     and signing requests. The main goals of this ballot are to:
>
>      1. Remove references to High Risk Certificate Request, since the
>         CSBRs do not provide any actions for a high risk application.
>      2. Remove references to High Risk Region of Concern, since the
>         CSBR appendix has never been populated.
>      3. Remove rules for a Takeover Attack to require the Subscriber
>         to generate keys in a crypto device, since crypto device key
>         generation is now a baseline requirement for all code signing
>         certificates.
>      4. Remove option to transfer private key which has been generated
>         in software.
>      5. Cleanup to remove Subscriber key generation option which
>         expired effective 1 June 2023.
>      6. Cleanup to remove “any other method” to verify the Subscriber
>         key was generated in a crypto device, since this option
>         expired 1 June 2023.
>
>     The following motion has been proposed by Bruce Morton of Entrust
>     and endorsed by Tim Hollebeek of DigiCert and Ian McMillan of
>     Microsoft.
>
>     *MOTION BEGINS*
>
>     This ballot updates the “Baseline Requirements for the Issuance
>     and Management of Publicly‐Trusted Code Signing Certificates”
>     ("Code Signing Baseline Requirements") based on version 3.4.
>     MODIFY the Code Signing Baseline Requirements as specified in the
>     following redline:
>     https://github.com/cabforum/code-signing/compare/e0da5532ab81e35e2e92536c1bc9ea3c36765b26...50871dc08d39102daf6c93fa556a869790643fb6
>
>     *MOTION ENDS*
>
>     The procedure for this ballot is as follows:
>
>     Discussion (minimum 7 days)
>
>      1. Start Time: 2023-12-15 00:00 UTC
>      2. End Time: 2024-01-05 20:00 UTC
>
>     Vote for approval (7 days)
>
>      3. Start Time: 2024-01-05 20:00 UTC
>      4. End Time: 2024-01-12 20:00 UTC
>
>