<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1253">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I wonder what a "<i><span style="font-size:11pt;font-family:Calibri,sans-serif">dedicated cryptography processor</span></i>" means? Does that include a standard x86 CPU, as long as the CPU is dedicated for "HSM work"?<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Just checking since there are several FIPS certified HSMs on the market using standard CPUs, i.e. Intel SGX or MPC.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Cheers,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Tomas</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Cscwg-public &lt;cscwg-public-bounces@cabforum.org&gt; on behalf of Ian McMillan via Cscwg-public &lt;cscwg-public@cabforum.org&gt;<br>
<b>Sent:</b> Tuesday, December 7, 2021 11:24 PM<br>
<b>To:</b> Adriano Santoni &lt;adriano.santoni@staff.aruba.it&gt;; cscwg-public@cabforum.org &lt;cscwg-public@cabforum.org&gt;; Dimitris Zacharopoulos (HARICA) &lt;dzacharo@harica.gr&gt;; Bruce Morton &lt;Bruce.Morton@entrust.com&gt;<br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements</font>
<div> </div>
</div>
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
@font-face
{font-family:Consolas}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif}
a:link, span.x_MsoHyperlink
{color:blue;
text-decoration:underline}
pre
{margin:0in;
font-size:10.0pt;
font-family:"Courier New"}
span.x_HTMLPreformattedChar
{font-family:Consolas}
span.x_EmailStyle22
{font-family:"Calibri",sans-serif;
color:windowtext}
.x_MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
{}
-->
</style>
<div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div>
<div class="x_WordSection1">
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">Hi Folks,</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">&nbsp;</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">Coming out of our last call, I’ve made all the updates we discussed including producing a definition for the term “hardware crypto module” (see below).
</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">&nbsp;</span></p>
<p class="x_MsoNormal" style="margin-left:.5in"><b><i><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">Hardware Crypto Module:</span></i></b><i><span style="font-size:11.0pt; font-family:'Calibri',sans-serif"> A tamper-resistant device with
a dedicated cryptography processor used for the specific purpose of protecting the lifecycle of cryptographic keys (generating, managing, processing, and storing).</span></i></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">&nbsp;</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">Please see the attached redline now with all the latest updates and
<b>provide feedback and willingness to endorse the ballot</b>. </span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">&nbsp;</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">Thanks,</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">Ian
</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">&nbsp;</span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"><b><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">From:</span></b><span style="font-size:11.0pt; font-family:'Calibri',sans-serif"> Cscwg-public &lt;cscwg-public-bounces@cabforum.org&gt;
<b>On Behalf Of </b>Adriano Santoni via Cscwg-public<br>
<b>Sent:</b> Tuesday, November 23, 2021 8:34 AM<br>
<b>To:</b> cscwg-public@cabforum.org<br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements</span></p>
</div>
</div>
<p class="x_MsoNormal"> </p>
<p><span style="font-family:'Calibri',sans-serif">Hi all,</span></p>
<p><span style="font-family:'Calibri',sans-serif">I find the language in "Baseline Requirements for the Issuance and Management of Code Signing.v2.6+CSC-6_redline_v2" rather confusing, about private key protection.</span></p>
<p><span style="font-family:'Calibri',sans-serif">It seems to me that section 16.3.1, in the added parts, only allows three options for protecting the private key effective Sep 1, 2022:
</span></p>
<p><span style="font-family:'Calibri',sans-serif">1) hosted hardware crypto module (in short "HCM")<br>
2) cloud-based key generation and protection solution (backed by an HCM) (I am not clear what's the difference with #1)<br>
3) signing service</span></p>
<p><span style="font-family:'Calibri',sans-serif">But later on, section 16.3.2 seems to allow a wider range of options, including a suitable HCM shipped to the subscriber by the CA.</span></p>
<p><span style="font-family:'Calibri',sans-serif">Am I reading wrong? </span></p>
<p><span style="font-family:'Calibri',sans-serif">Also, I am not clear how option #3 in §16.3.2 works:
</span></p>
<p><span style="font-family:'Calibri',sans-serif">"3. The Subscriber uses a CA prescribed CSP and a suitable hardware module combination for the key pair generation and storage;"</span></p>
<p><span style="font-family:'Calibri',sans-serif">Anybody willing to explain?</span></p>
<p><span style="font-family:'Calibri',sans-serif">Adriano</span></p>
<div>
<p class="x_MsoNormal">On 23/11/2021 11:07, Dimitris Zacharopoulos (HARICA) via Cscwg-public wrote:</p>
</div>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<p class="x_MsoNormal" style="margin-bottom:12.0pt"> </p>
<div>
<p class="x_MsoNormal">On 18/11/2021 7:03 PM, Dimitris Zacharopoulos (HARICA) via Cscwg-public wrote:</p>
</div>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<p class="x_MsoNormal"><br>
Ok, so you are thinking of a Subscriber that owns an HSM and gets an IT audit that has an audit report that asserts that all Keys associated with Code Signing Certificates are generated in an on-prem certified HSM. Is this what this method is supposed to cover?</p>
</blockquote>
<p class="x_MsoNormal"><br>
After our recent meeting, we agreed to tweak the language of 4. to cover this use case described by Bruce. I recommend changing<br>
<br>
<i>"4. The Subscriber provides a suitable IT audit indicating that its operating environment achieves a level of security specified in section 16.3.1"</i><br>
<br>
to<br>
<br>
<i>"4. The Subscriber provides an internal or external IT audit indicating that it is only using a suitable hardware module as specified in section 16.3.1 to generate key pairs to be associated with Code Signing Certificates"</i><br>
<br>
I also noticed that we don't have consistency among all listed options. Some options just say "suitable hardware module", others point to 16.3.1 and others say both. We could discuss at our next call or someone could take a stab at it and try to use consistent
language.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<br>
</p>
<pre>_______________________________________________</pre>
<pre>Cscwg-public mailing list</pre>
<pre><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a></pre>
</blockquote>
</div>
</div>
</div>
</body>
</html>