<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Ian,<br>
<br>
There is no way to withdraw a ballot once the voting period starts.
All members that voted "yes" may change their vote to "no" so that
the ballot fails. A new subsequent ballot can be submitted with new
number.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 28/2/2022 6:58 μ.μ., Ian McMillan
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017f41451fe6-5fadf600-6b52-4309-8b39-08c9dca25b48-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:"\@MS PGothic";}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:ZH-CN;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi
Doug,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Thanks
for sharing these questions and calling out some minor
changes we need to take to make this right.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I
am asking now that we WITHDRAW the CSC-6 ballot to address
these questions and revisions under a new ballot.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">For
questions 1-4, I’ve addressed them by removing the term
“hosted”, removed the, “</span>Subscriber Private Keys for
Code Signing Certificates SHALL be
<u>protected</u> per the following requirements” statement in
16.3.2 to attach the effective date to the verification
methods, and sync’d the effective date in 16.3.1 to November
15, 2022. The effective date of November 15, 2022 has also
been reflected in the 16.3.1 and 16.3.2 sections as it
explicitly states the current methods will be prohibited
(which leads to the new requirements on November 15, 2022).
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For question 5, yes that does satisfy the
requirement, the item 3 under 16.3.2 regarding CA prescribed
crypto libraries and hardware crypto modules is to address
exactly your stated scenario.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please look for these changes in attached
redline doc for what will now be CSC-13. I’ll will start a new
thread regarding CSC-13 and look to restart the ballot
process.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Ian<span style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="mso-fareast-language:JA">From:</span></b><span
style="mso-fareast-language:JA"> Doug Beattie
<a class="moz-txt-link-rfc2396E" href="mailto:doug.beattie@globalsign.com"><doug.beattie@globalsign.com></a>
<br>
<b>Sent:</b> Monday, February 28, 2022 10:46 AM<br>
<b>To:</b> Ian McMillan <a class="moz-txt-link-rfc2396E" href="mailto:ianmcm@microsoft.com"><ianmcm@microsoft.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] RE: VOTING BEGINS: Ballot
CSC-6: Update to Subscriber Private Key Protection
Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">GlobalSign
Votes No on Ballot CSC-6.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">As
we looked at the ballot in more detail, we have a couple of
questions which we should have asked during the review
period which we think are important to address prior to
voting yes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">Question 1:<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">What is meant
by: Subscriber uses a hosted Hardware Crypto Module meeting
the specified requirement;
<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">The word
hosted makes this sound like a hosted service. Does this
include the use of a token? If so, then we should make a
defined term for “Hosted Hardware Crypto Module” that explains
what this is, or perhaps delete “hosted” from this requirement
if that meant the intent.<span
style="font-family:"Cambria",serif;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">Question 2: <o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Section
16.3.2, Subscriber Private Key Verification has this
statement:<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in">Effective
November, 15, 2022, Subscriber Private Keys for Code Signing
Certificates SHALL be
<u>protected</u> per the following requirements. ….<span
style="font-family:"Cambria",serif;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:11.9pt"><span
style="mso-fareast-language:EN-US">Since this is specifying
private key protection, shouldn’t this be in section 16.3.1,
Subscriber Private Key
<u>Protection</u>, or maybe just that statement needs to be
removed or updated? </span>
<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Question
3:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Section
16.3.1 Subscriber Private Key Protection says the following:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal">For Non-EV Code Signing Certificates, the
CA MUST obtain a representation from the Subscriber that the
Subscriber will use one of the following options to generate
and protect their Code Signing Certificate Private Keys:
<span
style="font-family:"Cambria",serif;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l1
level1 lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">1.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->A Trusted Platform Module (TPM)
that generates and secures a Key Pair and that can document
the Subscriber’s Private Key protection through a TPM key
attestation.
<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l1
level1 lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">2.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->A suitable Hardware Crypto
Module with a unit design form factor certified as conforming
to at least FIPS 140-2 Level 2, Common Criteria EAL 4+, or
equivalent.
<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l1
level1 lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">3.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->Another type of hardware storage
token with a unit design form factor of SD Card or USB token
(not necessarily certified as conformant with FIPS 140-2 Level
2 or Common Criteria EAL 4+). The Subscriber MUST also warrant
that it will keep the token physically separate from the
device that hosts the code signing function until a signing
session is begun.
<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Then
a bit later it says:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in">Effective
September, 1, 2022, Subscriber Private Keys for Code Signing
Certificates SHALL be protected per the following
requirements.<span
style="font-family:"Cambria",serif;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-family:"Cambria",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.9pt;margin-left:.5in">The
CA MUST obtain a representation from the Subscriber that the
Subscriber will use one of the following options to generate
and protect their Code Signing Certificate Private Keys in a
Hardware Crypto Module with a unit design form factor
certified as conforming to at least FIPS 140-2 Level 2 or
Common Criteria EAL 4+: <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">Does this mean
that the first 3 methods are prohibited? If so, then we
should explicitly state that “these methods must not be used
starting September 1, 2022.” In the heading para for those 3
methods.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">Question 4:<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">Same as
question 3 but in section 16.3.2: Are the first 3 methods
prohibited as of 15 November 2022? If so, then we should
explicitly state that they are prohibited as of that date.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">Question 5:<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt">Need
clarification on section 16.3.2, item 3<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal"
style="margin-bottom:11.9pt;margin-left:.5in;line-height:100%;mso-list:l0
level1 lfo5">
The Subscriber uses a CA prescribed crypto library and a
suitable Hardware Crypto Module combination for the Key Pair
generation and storage;<span
style="font-family:"Cambria",serif;mso-fareast-language:EN-US"><o:p></o:p></span></li>
</ul>
<p class="MsoNormal" style="margin-bottom:11.9pt">If a CA limits
the list of available CSPs available to the Subscriber to
those that are only suitable for approved tokens, does that
satisfy this requirement?
<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:11.9pt"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> Tuesday, February 22, 2022 10:30 AM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public] VOTING BEGINS: Ballot
CSC-6: Update to Subscriber Private Key Protection
Requirements<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a
href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_6_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cianmcm%40microsoft.com%7Cdba94eb81c164facf1b508d9f019a88d%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637804815989127861%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=chOc9LY58DjZreBftXXETeYfez6xuBrSzqZxifDxvcQ%3D&reserved=0"
moz-do-not-send="true">Ballot CSC-6: Update to Subscriber
Private Key Protection Requirements</a><o:p></o:p></p>
<p class="MsoNormal">Purpose of this ballot: Update the
subscriber private key protection requirements in the Baseline
Requirement for the Issuance and Management of
Publicly-Trusted Code Signing Certificates v2.7. The following
motion has been proposed by Ian McMillan of Microsoft, and
endorsed by Tim Hollebeek of DigiCert and Bruce Morton of
Entrust.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">— MOTION BEGINS — <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This ballot updates the “Baseline
Requirements for the Issuance and Management of
Publicly‐Trusted Code Signing Certificates“ version 2.7
according to the attached redline which includes:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoNormal" style="mso-list:l2 level1 lfo8">Update
section 16.3 “Subscriber Private Key Protection” to
“Subscriber Private Key Protection and Verification”<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo8">Update
section 16.3 “Subscriber Private Key Protection” to include
sub-sections “16.3.1 Subscriber Private Key Protection” and
“16.3.2 Subscriber Private Key Verification”<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo8">Update
section 16.3 under new sub-section 16.3.1 to remove
allowance of TPM key generation and software protected
private key protection, and remove private key protection
requirement differences between EV and non-EV Code Signing
Certificates<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo8">Update
section 16.3 under new sub-section 16.3.1 to include the
allowance of key generation and protection using a
cloud-based key protection solution providing key generation
and protection in a hardware crypto module that conforms to
at least FIPS 140-2 Level 2 or Common Criteria EAL 4+<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo8">Update
section 16.3 under new sub-section 16.3.2 to include
verification for Code Signing Certificates' private key
generation and storage in a crypto module that meets or
exceeds the requirements of FIPS 140-2 level 2 or Common
Criteria EAL 4+ by the CAs. Include additional acceptable
methods for verification including cloud-based key
generation and protection solutions and a stipulation for
CAs to satisfy this verification requirement with additional
means specified in their CPS. Any additional means specified
by a CA in their CPS, must be proposed to the CA/Browser
Forum for inclusion into the acceptable methods for section
16.3.2 within 6 months of inclusion in their CPS.<o:p></o:p></li>
</ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">— MOTION ENDS —<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The procedure for approval of this ballot
is as follows:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Discussion (7 days)<o:p></o:p></p>
<p class="MsoNormal">Start Time: 2022-02-14, 19:30 Eastern Time
(US) <o:p></o:p></p>
<p class="MsoNormal">End Time: not before 2022-02-21, 19:30
Eastern Time (US)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Vote for approval (7 days) <o:p></o:p></p>
<p class="MsoNormal">Start Time: 2022-02-22,10:30 Eastern Time
(US) <o:p></o:p></p>
<p class="MsoNormal">End Time: 2022-03-01,10:30 Eastern Time
(US) <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>