<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <br>
    <br>
    <div class="moz-cite-prefix">On 8/4/2021 7:20 μ.μ., Dean Coclin via
      Cscwg-public wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:01000178b248f9f6-980c8030-4506-4d92-8e2d-5b97573dbeb3-000000@email.amazonses.com">
      <p class="MsoNormal"
        style="margin-left:1.25in;text-indent:-.25in;mso-list:l2 level1
        lfo6;vertical-align:middle"><span
          style="font-size:10.0pt;font-family:"Courier New""><span
            style="mso-list:Ignore">o<span style="font:7.0pt "Times
              New Roman"">    </span></span></span><!--[endif]-->Back
        to the key protection change with cloud-based solution in CSC-6<o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Wingdings"><span
            style="mso-list:Ignore">§<span style="font:7.0pt "Times
              New Roman"">  </span></span></span><!--[endif]-->The
        group is okay with the current key protection language Ian
        proposed<o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Wingdings"><span
            style="mso-list:Ignore">§<span style="font:7.0pt "Times
              New Roman"">  </span></span></span><!--[endif]-->Second
        part on key protection verification is the harder part…<o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Symbol"><span
            style="mso-list:Ignore">·<span style="font:7.0pt "Times
              New Roman"">         </span></span></span><!--[endif]-->Counter-signed
        CSRs with manufacture's certificates is extremely rare<o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Symbol"><span
            style="mso-list:Ignore">·<span style="font:7.0pt "Times
              New Roman"">         </span></span></span><!--[endif]-->Great
        solution, maybe the best means, but not broadly available<o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Symbol"><span
            style="mso-list:Ignore">·<span style="font:7.0pt "Times
              New Roman"">         </span></span></span><!--[endif]-->No
        one knows why this is rare, and may be only because it is a
        recent trend<o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Symbol"><span
            style="mso-list:Ignore">·<span style="font:7.0pt "Times
              New Roman"">         </span></span></span><!--[endif]-->CA's
        shipping suitable hardware crypto module should state with or <b>without
        </b>pre-installed keys<o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Symbol"><span
            style="mso-list:Ignore">·<span style="font:7.0pt "Times
              New Roman"">         </span></span></span><!--[endif]-->Shipping
        without pre-installed keys is better option</p>
    </blockquote>
    <br>
    While reviewing the minutes of this WG meeting, I was curious about
    the rationale behind "shipping without pre-installed keys is better
    option". Can Members that supported this opinion provide more
    feedback?<br>
    <br>
    <br>
    <blockquote type="cite"
cite="mid:01000178b248f9f6-980c8030-4506-4d92-8e2d-5b97573dbeb3-000000@email.amazonses.com">
      <p class="MsoNormal"
        style="margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4
        lfo6;vertical-align:middle"><o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Wingdings"><span
            style="mso-list:Ignore">§<span style="font:7.0pt "Times
              New Roman"">  </span></span></span><!--[endif]-->Need
        to have multiple options to help satisfy the requirements<o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Wingdings"><span
            style="mso-list:Ignore">§<span style="font:7.0pt "Times
              New Roman"">  </span></span></span><!--[endif]-->Suitable
        IT audit gives a lot of flexibility <o:p></o:p></p>
      <p class="MsoNormal"
        style="margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3
        lfo6;vertical-align:middle"><!--[if !supportLists]--><span
          style="font-size:10.0pt;font-family:Symbol"><span
            style="mso-list:Ignore">·<span style="font:7.0pt "Times
              New Roman"">         </span></span></span><!--[endif]-->Tim
        Crawford never encounters this as an acceptable means to
        satisfying the requirements</p>
    </blockquote>
    <br>
    If this is not used, the best way forward is to remove this from the
    CSBRs.<br>
    <br>
    <br>
    Thanks,<br>
    Dimitris.<br>
  </body>
</html>