<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:480587051;
mso-list-type:hybrid;
mso-list-template-ids:771667684 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:519972758;
mso-list-type:hybrid;
mso-list-template-ids:-1011433498 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:63.0pt;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:99.0pt;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:135.0pt;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:171.0pt;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:207.0pt;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:243.0pt;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:279.0pt;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:315.0pt;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:351.0pt;
text-indent:-9.0pt;}
@list l2
{mso-list-id:595863075;
mso-list-type:hybrid;
mso-list-template-ids:-1881372536 67698703 67698703 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3
{mso-list-id:745422541;
mso-list-type:hybrid;
mso-list-template-ids:-314007280 67698703 67698703 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l3:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l4
{mso-list-id:1648702664;
mso-list-type:hybrid;
mso-list-template-ids:318929212 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l4:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;}
@list l4:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:-.25in;
text-indent:-.25in;}
@list l4:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:.25in;
text-indent:-9.0pt;}
@list l4:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;}
@list l4:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;}
@list l4:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:1.75in;
text-indent:-9.0pt;}
@list l4:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;}
@list l4:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;}
@list l4:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:3.25in;
text-indent:-9.0pt;}
@list l5
{mso-list-id:1824927556;
mso-list-type:hybrid;
mso-list-template-ids:338586778 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l5:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l5:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l5:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Thanks Bruce!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For #1, I am interested in better understanding what advantages level 3 operations provides here. I do feel level 2 will continue to be the best course of requirement as a Signing Service should have the ability to execute on resiliency
scenarios that would be negated by level 3 operations (e.g. HSM vendor and SW diversity/resilience). I also do not want to exclude Signing Services from leveraging cloud-based key protection services which offer level 2 as a base/premium SKU in all cases (not
all have a level 3 option).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On #2, I feel the timing is at least one year out from the June 1, 2021 date that we attached to key lengths and hash algorithms. The 1 year from that date should provide most the opportunity to obtain a code signing certificate within
the new standards for key protection. It may be best to state in the timing that any new certificates issued post implementation date (say June 1, 2021) must meet the these key protection standards, but private keys for existing valid certificates have until
June 1, 2022 to meet these requirements. Is this viable in folks mind?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Ian <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bruce Morton <Bruce.Morton@entrust.com> <br>
<b>Sent:</b> Sunday, November 1, 2020 11:38 AM<br>
<b>To:</b> Ian McMillan <ianmcm@microsoft.com>; cscwg-public@cabforum.org<br>
<b>Subject:</b> [EXTERNAL] RE: Update to key protection (in 16.2 & 16.3)<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Ian,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I will have our team review.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have a couple of items:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Signing Service requires FIPS 140-2 level 2. Should this be updated to FIPS 140-2 level 3, as this device will not be operated by the Subscriber and may have many multiple Subscriber
private keys? Level 3 might be better for a third party to protect a multi-tenant HSM.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">If this ballot passes, when would it need to be implemented. I think that there may be many impacted to CAs and Subscribers. It would be good to have many months to a year to implement.<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> Friday, October 30, 2020 6:11 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL][Cscwg-public] Update to key protection (in 16.2 & 16.3)<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><strong><span style="font-family:"Calibri",sans-serif;color:red">WARNING:</span></strong> This email originated outside of Entrust.<br>
<strong><span style="font-family:"Calibri",sans-serif;color:red">DO NOT CLICK</span></strong> links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<p class="MsoNormal">Hi Folks!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ve drafted up the redline for the changes for an upcoming ballot on the current version of the
<a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcabforum.org%2Fwp-content%2Fuploads%2Fbaseline_requirements_for_the_issuance_and_management_of_code_signing.v.2.0.pdf&data=04%7C01%7Cianmcm%40microsoft.com%7C7f76fb8beccf4872e87508d87e9db601%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637398563618781485%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=n20Tj9NtxJ%2BN0DYmwZABe04HUShfI70zAG%2BVlDSPyls%3D&reserved=0">
Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates</a> on section 16.2 and 16.3 as it pertains to subscriber private key protection requirements (leaf-signing cert private keys). The goal is to collapse the requirements
on non-EV and EV, and to include support for cloud-based key protection solution offered by GCP, AWS, and Azure. Please review and provide comments on the verbiage below and the redline changes in the document attached, and
<b>if you would be willing to endorse this change in the upcoming ballot, please let me know</b>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><a name="_Toc17488556"></a><a name="_Toc39753679"></a><a name="_Toc400025925"><span style="mso-bookmark:_Toc39753679"><span style="mso-bookmark:_Toc17488556"><b><i>16.2 Signing Service Requirements</i></b></span></span></a><b><i><o:p></o:p></i></b></p>
<p class="MsoNormal" style="margin-left:.5in">The Signing Service MUST ensure that a Subscriber’s private key is generated, stored, and used in a secure environment that has controls to prevent theft or misuse. A Signing Service MUST enforce multi-factor authentication
to authorize Code Signing and obtain a representation from the Subscriber that they will securely store the tokens required for multi-factor access.
<span lang="EN">A system used to host a Signing Service MUST NOT be used for web browsing. The Signing Service MUST run a regularly updated antivirus solution to scan the service for possible virus infection. The Signing Service MUST comply with the Network
Security Guidelines as a “Delegated Third Party”.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN">For Code Signing Certificates,
</span>Signing Services shall protect private keys in a FIPS 140-2 level 2 (or equivalent) crypto module. Techniques that may be used to satisfy this requirement include:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.25in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in;mso-list:l4 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Use of an HSM, verified by means of a manufacturer’s certificate;<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in;mso-list:l4 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>A hardware crypto module provided by the CA;<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in;mso-list:l4 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Contractual terms in the subscriber agreement requiring the Subscriber to protect the private key to a standard equivalent to FIPS 140-2 level 2 and with compliance being confirmed by means of an audit.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in;mso-list:l4 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Cryptographic algorithms, key sizes and certificate life-times for both authorities and Subscribers are governed by the NIST key management guidelines.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in;mso-list:l4 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>A Cloud-based key protection solution with the following requirements enabled on the subscription, and a usage pattern as follows:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.5in;text-indent:-.25in;mso-list:l3 level2 lfo3">
<![if !supportLists]><i><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></i><![endif]><i>A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2, eIDAS Protection Profile: EN 419 221-5, or equivalent;<o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:1.5in;text-indent:-.25in;mso-list:l3 level2 lfo3">
<![if !supportLists]><i><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></i><![endif]><i>Key creation, storage, and usage of private key must remain within the security boundaries of the cloud solutions hardware crypto module;<o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:1.5in;text-indent:-.25in;mso-list:l3 level2 lfo3">
<![if !supportLists]><i><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></i><![endif]><i>Subscription must be configured to log access, operations, and configuration changes on the key. The configuration change log is available for audits.<o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><a name="_Toc17488557"></a><a name="_Toc39753680"></a><a name="_Toc400025926"><span style="mso-bookmark:_Toc39753680"><span style="mso-bookmark:_Toc17488557"><b><i>16.3 Subscriber Private Key Protection</i></b></span></span></a><b><i><o:p></o:p></i></b></p>
<p class="MsoNormal" style="margin-left:.5in">For Code Signing Certificates, the CA MUST obtain a representation from the Subscriber that the Subscriber will use one of the following options to generate and protect their Code Signing Certificate private keys:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l5 level1 lfo4">
<![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2, eIDAS Protection Profile: EN 419 221-5, or equivalent;<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l5 level1 lfo4">
<![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>A Cloud-based key protection solution with the following requirements enabled on the subscription, and a usage pattern as follows:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo5">
<![if !supportLists]><i><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></i><![endif]><i>A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2, eIDAS Protection Profile: EN 419 221-5, or equivalent;<o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo5">
<![if !supportLists]><i><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></i><![endif]><i>Key creation, storage, and usage of private key must remain within the security boundaries of the cloud solutions hardware crypto module;<o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:1.5in;text-indent:-.25in;mso-list:l2 level2 lfo5">
<![if !supportLists]><i><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></i><![endif]><i>Subscription must be configured to log all access, operations, and configuration changes on the key. The configuration change log is available for audits.<o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:.5in"><i><o:p> </o:p></i></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l5 level1 lfo4">
<![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>A type of hardware storage token with a unit design form factor of SD Card or USB token certified as conformant with FIPS 140 Level 2 or eIDAS Protection Profile: EN 419 221-5). The Subscriber MUST also warrant that it will keep the
token physically separate from the device that hosts the code signing function until a signing session is begun.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">For Code Signing Certificates, CAs SHALL ensure that the Subscriber’s private key is generated, stored and used in a crypto module that meets or exceeds the requirements of FIPS 140-2 level 2, eIDAS Protection Profile:
EN 419 221-5, or equivalent. Acceptable methods of satisfying this requirement include (but are not limited to) the following:
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:99.0pt;text-indent:-.25in;mso-list:l1 level1 lfo6">
<![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The Subscriber counter-signs certificate requests that can be verified by using a manufacturer’s certificate indicating that the key is managed in a suitable hardware module;<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:99.0pt;text-indent:-.25in;mso-list:l1 level1 lfo6">
<![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The Subscriber provides a suitable IT audit indicating that its operating environment achieves a level of security at least equivalent to that of FIPS 140-2 level 2, eIDAS Protection Profile: EN 419 221-5, or equivalent;<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:99.0pt;text-indent:-.25in;mso-list:l1 level1 lfo6">
<![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The Subscriber provides a suitable report of the cloud key protection solution subscription configuration protecting the key in hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140-2 Level
2, eIDAS Protection Profile, EN 419 221-5, or equivalent.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Ian McMillan<o:p></o:p></p>
<p class="MsoNormal">Microsoft<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>