<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p><font face="Calibri">Let me clarify that I am not trying to delay
the key size effective date. I just wanted to bring to the WG's
attention that the said requirement implies sourcing devices
from a single supplier, which is bad thing competition-wise.</font></p>
<p><font face="Calibri"> I'd love to hear from the other folks here,
what do they think. If it's a "no problem", so much the better
(or worse). <br>
</font></p>
<p><font face="Calibri">If Tomas' interpretation of </font><font
face="Calibri"><font face="Calibri">CSBR §16.3 (item 2)</font>
is shared by most WG members (or at least by those who have an
opinion on it), the problem lessens a bit, although it certainly
does not go away.<br>
</font></p>
<p><font face="Calibri">Thanks,<br>
</font></p>
<p><font face="Calibri">Adriano<br>
</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">Il 17/03/2021 21:42, Ian McMillan ha
scritto:<br>
</div>
<blockquote type="cite"
cite="mid:SN2PR00MB009589419074FB26159B3466C46A9@SN2PR00MB0095.namprd00.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Folks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This key size effective date has already
been delayed by 6 months. I am not keen on further delaying
the requirement of 3072 keys for RSA due to a lack of tokens
that support the requirement in the CSBRs. As Bruce calls out,
there are other means to which subscribers can secure their
private keys to meet the requirements outside of a token
provided by a CA. If this change in key size is what pushes
subscribers to use HSMs (on-prem or cloud based services) or
signing services, it may serve as the call to action for token
suppliers on a requirement they have frankly seemed to have
overlooked for some time now.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ll be interested to discuss how much
additional time the group feels is needed here, and how best
we can help accelerate the transition.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Ian <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Adriano Santoni via Cscwg-public<br>
<b>Sent:</b> Wednesday, March 17, 2021 9:31 AM<br>
<b>To:</b> Bruce Morton <a class="moz-txt-link-rfc2396E" href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: Re FIPS
tokens supporting RSA 3072<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Bruce, <o:p></o:p></p>
<p>I certainly agree that - if the said token is the only device
available on the market meeting the said requirement, as it
seems to be the case -- we should promptly revise the
effective date (June 1st, just three months from now) of the
transition to 3072 bits being mandatory for RSA keys.<o:p></o:p></p>
<p>If nothing else, because it would be a really bad thing to
impose a requirement that involves sourcing devices from a
single possible supplier, thereby favouring a monopoly. I hope
everyone agrees on this principle.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">Il 17/03/2021 16:45, Bruce Morton ha
scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Adriano,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We should discuss this issue at the next
meeting. I do think that there are options to using the
SafeNet token, but that might include subscriber hosted HSM,
public-cloud HSM or Signing Service HSM.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I think we all understand that the
options might be hard to implement before 1 June 2021
deadline.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Bruce.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">
<cscwg-public-bounces@cabforum.org></a> <b>On
Behalf Of </b>Adriano Santoni via Cscwg-public<br>
<b>Sent:</b> Wednesday, March 17, 2021 11:18 AM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Re FIPS
tokens supporting RSA 3072<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">WARNING: This email originated outside of
Entrust.<br>
DO NOT CLICK links or attachments unless you trust the
sender and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="100%" size="1" align="center">
</div>
<p>I should have written "the only CC token", as the FIPS
version of the said token does not support RSA > 2048
bit....<o:p></o:p></p>
<p>But my question remains (after replacing "FIPS" with "CC").<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<div>
<p class="MsoNormal">Il 17/03/2021 16:08, Adriano Santoni
via Cscwg-public ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>I already posted this question yesterday, but apparently
it did not get through.<o:p></o:p></p>
<p>I was asking: is the SafeNet eToken 5110 CC the only FIPS
token supporting RSA 3072 available on the market?<o:p></o:p></p>
<p>I am investigating this matter myself, and although I am
not finished it seems there aren't many... possibly just
one.
<o:p></o:p></p>
<p>If so, it would be a rather unfortunate situation
competition-wise.<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p> <o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7Cd99faf2ab770497a6a6908d8e9620f0b%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637515954677826280%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=t9aEK4G0KBJ%2B2bZw6o7IRjLnLMACUJuSIegwRSV0ecc%3D&reserved=0" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
</blockquote>
</div>
</blockquote>
</body>
</html>