<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-7"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:334496691;
mso-list-type:hybrid;
mso-list-template-ids:237138134 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:1107502571;
mso-list-type:hybrid;
mso-list-template-ids:-1584208608 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-text:%2;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-text:%3;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l1:level4
{mso-level-text:%4;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-text:%5;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-text:%6;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l1:level7
{mso-level-text:%7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-text:%8;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-text:%9;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Hi Ian,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thank for you for circulating the latest copy of the draft ballot. Comments below.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo2'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>As a general comment, it would be more consistent to use the Defined Terms of “Private Key” and “Key Pair” throughout.<o:p></o:p></span></li></ol><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=2 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo2'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>“Acceptable methods of satisfying this requirement include the following” is unclear whether the list is exhaustive or is merely a list of illustrative examples. I believe the intent is that the list of methods is exhaustive, so I suggest changing this to “</span><span style='mso-fareast-language:EN-US'>One of the following methods MUST be employed to satisfy this requirement:”<o:p></o:p></span></li></ol><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><ol style='margin-top:0in' start=3 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo2'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>“6. The CA or a Qualified Auditor witnesses the key creation in a suitable Hardware Crypto Module solution including a cloud-based key generation and protection solution;” <o:p></o:p></span></li></ol><p class=MsoListParagraph><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>“Qualified Auditor” is a Defined Term that denotes an auditor with specific experience and ability to carry out WebTrust/ETSI audits. Do we need this level of specificity, especially when Section 11.7 prescribes “relying on a report provided by the Applicant that is signed by an auditor who is approved by the CA and who has IT and security training or is a CISA”? If we do not, perhaps it would be best to align on the language in Section 16.3.2 (6) with the auditor qualification requirement in Section 11.7.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Corey<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Cscwg-public <cscwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Ian McMillan via Cscwg-public<br><b>Sent:</b> Tuesday, December 7, 2021 5:24 PM<br><b>To:</b> Adriano Santoni <adriano.santoni@staff.aruba.it>; cscwg-public@cabforum.org; Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr>; Bruce Morton <bruce.morton@entrust.com><br><b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Hi Folks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Coming out of our last call, I’ve made all the updates we discussed including producing a definition for the term “hardware crypto module” (see below). <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><b><i><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Hardware Crypto Module:</span></i></b><i><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> A tamper-resistant device with a dedicated cryptography processor used for the specific purpose of protecting the lifecycle of cryptographic keys (generating, managing, processing, and storing).<o:p></o:p></span></i></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Please see the attached redline now with all the latest updates and <b>provide feedback and willingness to endorse the ballot</b>. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Ian <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Adriano Santoni via Cscwg-public<br><b>Sent:</b> Tuesday, November 23, 2021 8:34 AM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p><span style='font-family:"Calibri",sans-serif'>Hi all,</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>I find the language in "Baseline Requirements for the Issuance and Management of Code Signing.v2.6+CSC-6_redline_v2" rather confusing, about private key protection.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>It seems to me that section 16.3.1, in the added parts, only allows three options for protecting the private key effective Sep 1, 2022: </span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>1) hosted hardware crypto module (in short "HCM")<br>2) cloud-based key generation and protection solution (backed by an HCM) (I am not clear what's the difference with #1)<br>3) signing service</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>But later on, section 16.3.2 seems to allow a wider range of options, including a suitable HCM shipped to the subscriber by the CA.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>Am I reading wrong? </span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>Also, I am not clear how option #3 in §16.3.2 works: </span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>"3. The Subscriber uses a CA prescribed CSP and a suitable hardware module combination for the key pair generation and storage;"</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>Anybody willing to explain?</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>Adriano</span><o:p></o:p></p><div><p class=MsoNormal>Il 23/11/2021 11:07, Dimitris Zacharopoulos (HARICA) via Cscwg-public ha scritto:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On 18/11/2021 7:03 ì.ì., Dimitris Zacharopoulos (HARICA) via Cscwg-public wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><br>Ok, so you are thinking of a Subscriber that owns an HSM and gets an IT audit that has an audit report that asserts that all Keys associated with Code Signing Certificates are generated in an on-prem certified HSM. Is this what this method is supposed to cover?<o:p></o:p></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><br>After our recent meeting, we agreed to tweak the language of 4. to cover this use case described by Bruce. I recommend changing<br><br><i>"4. The Subscriber provides a suitable IT audit indicating that its operating environment achieves a level of security specified in section 16.3.1"</i><br><br>to<br><br><i>"4. The Subscriber provides an internal or external IT audit indicating that it is only using a suitable hardware module as specified in section 16.3.1 to generate keys pairs to be associated with Code Signing Certificates"</i><br><br>I also noticed that we don't have consistency among all listed options. Some options just say " suitable hardware module", others point to 16.3.1 and others say both. We could discuss at our next call or someone could take a stab at it and try to use consistent language.<br><br><br>Thanks,<br>Dimitris.<br><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Cscwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7C8ce76500cce0434604b308d9ae85e4f6%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637732712463434560%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=xxI42Sx5hRyvRih1OmIZ0jGoCRwPbLnCr4F0MByiLN4%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre></blockquote></div></body></html>