<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-7">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle22
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hi Folks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Coming out of our last call, I’ve made all the updates we discussed including producing a definition for the term “hardware crypto module” (see below).
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><i><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hardware Crypto Module:</span></i></b><i><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> A tamper-resistant device with a dedicated
cryptography processor used for the specific purpose of protecting the lifecycle of cryptographic keys (generating, managing, processing, and storing).<o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Please see the attached redline now with all the latest updates and
<b>provide feedback and willingness to endorse the ballot</b>. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Ian
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Cscwg-public <cscwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Adriano Santoni via Cscwg-public<br>
<b>Sent:</b> Tuesday, November 23, 2021 8:34 AM<br>
<b>To:</b> cscwg-public@cabforum.org<br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><span style="font-family:"Calibri",sans-serif">Hi all,</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">I find the language in "Baseline Requirements for the Issuance and Management of Code Signing.v2.6+CSC-6_redline_v2" rather confusing, about private key protection.</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">It seems to me that section 16.3.1, in the added parts, only allows three options for protecting the private key effective Sep 1, 2022:
</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">1) hosted hardware crypto module (in short "HCM")<br>
2) cloud-based key generation and protection solution (backed by an HCM) (I am not clear what's the difference with #1)<br>
3) signing service</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">But later on, section 16.3.2 seems to allow a wider range of options, including a suitable HCM shipped to the subscriber by the CA.</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">Am I reading wrong? </span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">Also, I am not clear how option #3 in §16.3.2 works:
</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">"3. The Subscriber uses a CA prescribed CSP and a suitable hardware module combination for the key pair generation and storage;"</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">Anybody willing to explain?</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">Adriano</span><o:p></o:p></p>
<div>
<p class="MsoNormal">Il 23/11/2021 11:07, Dimitris Zacharopoulos (HARICA) via Cscwg-public ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 18/11/2021 7:03 ì.ì., Dimitris Zacharopoulos (HARICA) via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><br>
Ok, so you are thinking of a Subscriber that owns an HSM and gets an IT audit that has an audit report that asserts that all Keys associated with Code Signing Certificates are generated in an on-prem certified HSM. Is this what this method is supposed to cover?<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
After our recent meeting, we agreed to tweak the language of 4. to cover this use case described by Bruce. I recommend changing<br>
<br>
<i>"4. The Subscriber provides a suitable IT audit indicating that its operating environment achieves a level of security specified in section 16.3.1"</i><br>
<br>
to<br>
<br>
<i>"4. The Subscriber provides an internal or external IT audit indicating that it is only using a suitable hardware module as specified in section 16.3.1 to generate keys pairs to be associated with Code Signing Certificates"</i><br>
<br>
I also noticed that we don't have consistency among all listed options. Some options just say " suitable hardware module", others point to 16.3.1 and others say both. We could discuss at our next call or someone could take a stab at it and try to use consistent
language.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7C8ce76500cce0434604b308d9ae85e4f6%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637732712463434560%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=xxI42Sx5hRyvRih1OmIZ0jGoCRwPbLnCr4F0MByiLN4%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
</div>
</body>
</html>