<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <br>
    <br>
    <div class="moz-cite-prefix">On 9/3/2022 2:58 μ.μ., Inigo Barreira
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:DM6PR17MB3116FCCAD60D918C4C7D45C3810A9@DM6PR17MB3116.namprd17.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB">I agree with Adriano. Point 1 does not make
            customer accountable for anything (I will promise I´m a good
            guy) and then point 2 is useless because with point 1 you´re
            allowing the customer to do whatever, independently if they
            use a hardw device or not. The CSRs can be generated in a
            crypto device or not and with point 1 you, as the CA, are
            “sure” that the keys are in a hardware crypto device. That´s
            a lot to assume.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-fareast-language:EN-US"
            lang="EN-GB"><o:p> </o:p></span></p>
      </div>
    </blockquote>
    <br>
    You are missing the point of the Subscriber representations and
    warranties, which are clearly included in the BRs. Subscribers have
    obligations as well, and we must ensure they are aware of and bound to
    those obligations.<br>
    <br>
    Dimitris.<br>
    <br>
    <blockquote type="cite"
cite="mid:DM6PR17MB3116FCCAD60D918C4C7D45C3810A9@DM6PR17MB3116.namprd17.prod.outlook.com">
      <div class="WordSection1">
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b>De:</b> Cscwg-public
              <a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>En nombre de
              </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br>
              <b>Enviado el:</b> miércoles, 9 de marzo de 2022 13:27<br>
              <b>Para:</b> Adriano Santoni
              <a class="moz-txt-link-rfc2396E" href="mailto:adriano.santoni@staff.aruba.it"><adriano.santoni@staff.aruba.it></a>;
              <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
              <b>Asunto:</b> Re: [Cscwg-public] Update to Subscriber
              Private Key Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt
          2.0pt">
          <p class="MsoNormal"
            style="line-height:12.0pt;background:#FAFA03"><span
              style="font-size:10.0pt;color:black">CAUTION: This email
              originated from outside of the organization. Do not click
              links or open attachments unless you recognize the sender
              and know the content is safe.<o:p></o:p></span></p>
        </div>
        <p class="MsoNormal"><span
            style="font-size:12.0pt;font-family:"MS
            PGothic",sans-serif"><o:p> </o:p></span></p>
        <div>
          <p class="MsoNormal" style="margin-bottom:12.0pt">I believe
            this language and double confirmation comes from years ago
            when tools like remote key attestation were not available.<br>
            <br>
            If we are to allow an Applicant to generate keys remotely
            (i.e. without the presence of a CA representative and
            without hardware that supports remote key attestation),
            which seems to be the case with the CSCWG today, we need to
            rely on policy to accomplish that. It is reasonable to hold
            both sides, the Applicant and the CA, accountable to this
            policy. See below.<br>
            <br>
            <o:p></o:p></p>
          <div>
            <p class="MsoNormal">On 9/3/2022 11:43 π.μ., Adriano Santoni
              via Cscwg-public wrote:<o:p></o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p>As far as I'm concerned, I find the double requirement
              confusing and overly complex:<o:p></o:p></p>
            <p>1) customer must make a "representation" that they will
              use a hardware crypto module (or signing service), and ...<o:p></o:p></p>
          </blockquote>
          <p class="MsoNormal"><br>
            This is required because a customer could potentially "fake"
            the hardware device id and create a virtual driver that
            emulates the actual hardware device. The Applicant must be
            held accountable if they try to manipulate the process or
            make any changes to the process and tools provided by the
            CA.<br>
            <br>
            <br>
            <o:p></o:p></p>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p>2) the CA must ensure that the customer will really use a
              hardware crypto module (or signing service). <o:p></o:p></p>
          </blockquote>
          <p class="MsoNormal"><br>
            The CA must establish a process and develop the proper tools
            to provide reasonable assurance that the Applicant remotely
            generates keys in a hardware crypto module which is usually
            within a limited set of devices approved by the CA. The CA
            is not allowed to say "please send me a CSR and pinky swear
            that it was generated in a crypto device". They must develop
            tools and middleware and establish a process to make sure
            the key is generated in approved crypto-devices only.<br>
            <br>
            <br>
            <o:p></o:p></p>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p>If the CA will be obliged to meet req #2, then I do not
              see what use is req #1.<o:p></o:p></p>
          </blockquote>
          <p class="MsoNormal"><br>
            Hope this explanation helps.<br>
            Dimitris.<br>
            <br>
            <br>
            <o:p></o:p></p>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p>Adriano<o:p></o:p></p>
            <p>-- Actalis<o:p></o:p></p>
            <p><o:p> </o:p></p>
            <div>
              <p class="MsoNormal">Il 09/03/2022 10:21, Inigo Barreira
                via Cscwg-public ha scritto:<o:p></o:p></p>
            </div>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <p class="MsoNormal"><span
                  style="mso-fareast-language:EN-US" lang="EN-GB">Yes,
                  please. </span><o:p></o:p></p>
              <p class="MsoNormal"><span
                  style="mso-fareast-language:EN-US" lang="EN-GB">It
                  looks like this representation means something like
                  “click here if you are over 18” or “click here if you
                  agree” because these are also facts not opinions. </span><o:p></o:p></p>
              <p class="MsoNormal"><span
                  style="mso-fareast-language:EN-US" lang="EN-GB">IMO
                  the message here is that CAs will rely in whatever the
                  subscriber says, e.g.,  “yes, I´m a good guy and
                  promise that I will keep my keys in a hardware device
                  …” rather on making the corresponding tasks to ensure.
                  Is this the right approach? This is what I understand
                  from Dean´s response because CAs are not attesting
                  anything just relying in a form signed by the
                  subscriber in where it may say whatever.</span><o:p></o:p></p>
              <p class="MsoNormal"><span
                  style="mso-fareast-language:EN-US" lang="EN-GB"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span
                  style="mso-fareast-language:EN-US" lang="EN-GB">Regards</span><o:p></o:p></p>
              <p class="MsoNormal"><span
                  style="mso-fareast-language:EN-US" lang="EN-GB"> </span><o:p></o:p></p>
              <div>
                <div style="border:none;border-top:solid #E1E1E1
                  1.0pt;padding:3.0pt 0cm 0cm 0cm">
                  <p class="MsoNormal"><b>De:</b> Tim Hollebeek <a
                      href="mailto:tim.hollebeek@digicert.com"
                      moz-do-not-send="true"><tim.hollebeek@digicert.com></a>
                    <br>
                    <b>Enviado el:</b> martes, 8 de marzo de 2022 20:35<br>
                    <b>Para:</b> Dean Coclin <a
                      href="mailto:dean.coclin@digicert.com"
                      moz-do-not-send="true"><dean.coclin@digicert.com></a>;
                    Inigo Barreira <a
                      href="mailto:Inigo.Barreira@sectigo.com"
                      moz-do-not-send="true"><Inigo.Barreira@sectigo.com></a>;
                    <a href="mailto:cscwg-public@cabforum.org"
                      moz-do-not-send="true"
                      class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
                    Bruce Morton <a
                      href="mailto:bruce.morton@entrust.com"
                      moz-do-not-send="true"><bruce.morton@entrust.com></a>;
                    Doug Beattie <a
                      href="mailto:doug.beattie@globalsign.com"
                      moz-do-not-send="true"><doug.beattie@globalsign.com></a>;
                    Ian McMillan <a href="mailto:ianmcm@microsoft.com"
                      moz-do-not-send="true"><ianmcm@microsoft.com></a><br>
                    <b>Subject:</b> RE: Update to Subscriber Private Key
                    Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></p>
                </div>
              </div>
              <p class="MsoNormal"> <o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US">“representation”
                  is being used here in the legal sense: “</span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#404040;background:white"
                  lang="EN-US">a <span class="hvr">statement</span> of <span
                    class="hvr">fact.</span> A <span class="hvr">representation</span> <span
                    class="hvr">should</span> be <span class="hvr">distinguished</span> <span
                    class="hvr">from</span> a <span class="hvr">statement</span> of <span
                    class="hvr">opinion</span> <span class="hvr">for</span> <span
                    class="hvr">many</span> <span class="hvr">legal</span> <span
                    class="hvr">purposes,</span> <span class="hvr">especially</span> in <span
                    class="hvr">relation</span> to <span class="hvr">contractual</span> <span
                    class="hvr">obligations.</span></span><span
                  lang="EN-US">”</span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US">We should perhaps
                  be using plain English instead of legalese.</span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US">-Tim</span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
              <div style="border:none;border-left:solid blue
                1.5pt;padding:0cm 0cm 0cm 4.0pt">
                <div>
                  <div style="border:none;border-top:solid #E1E1E1
                    1.0pt;padding:3.0pt 0cm 0cm 0cm">
                    <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
                        lang="EN-US"> Dean Coclin <<a
                          href="mailto:dean.coclin@digicert.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">dean.coclin@digicert.com</a>>
                        <br>
                        <b>Sent:</b> Tuesday, March 8, 2022 1:00 PM<br>
                        <b>To:</b> Inigo Barreira <<a
                          href="mailto:Inigo.Barreira@sectigo.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">Inigo.Barreira@sectigo.com</a>>;
                        <a href="mailto:cscwg-public@cabforum.org"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
                        Bruce Morton <<a
                          href="mailto:bruce.morton@entrust.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">bruce.morton@entrust.com</a>>;
                        Doug Beattie <<a
                          href="mailto:doug.beattie@globalsign.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
                        Ian McMillan <<a
                          href="mailto:ianmcm@microsoft.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
                        Tim Hollebeek <<a
                          href="mailto:tim.hollebeek@digicert.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>><br>
                        <b>Subject:</b> RE: Update to Subscriber Private
                        Key Protection Requirements (CSC-6 to CSC-13)</span><o:p></o:p></p>
                  </div>
                </div>
                <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                <p class="MsoNormal"><span style="font-size:12.0pt"
                    lang="EN-US">This means exactly what it says, some
                    representation that the subscriber makes to honor
                    the condition. This traditionally has been something
                    in writing that the subscriber signs and submits to
                    the CA. CAs can provide a form to the subscriber
                    which they attest to.</span><o:p></o:p></p>
                <p class="MsoNormal"><span style="font-size:12.0pt"
                    lang="EN-US"> </span><o:p></o:p></p>
                <div>
                  <div style="border:none;border-top:solid #E1E1E1
                    1.0pt;padding:3.0pt 0cm 0cm 0cm">
                    <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
                        lang="EN-US"> Cscwg-public <<a
                          href="mailto:cscwg-public-bounces@cabforum.org"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
                        <b>On Behalf Of </b>Inigo Barreira via
                        Cscwg-public<br>
                        <b>Sent:</b> Tuesday, March 8, 2022 11:03 AM<br>
                        <b>To:</b> Bruce Morton <<a
                          href="mailto:bruce.morton@entrust.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">bruce.morton@entrust.com</a>>;
                        <a href="mailto:cscwg-public@cabforum.org"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
                        Doug Beattie <<a
                          href="mailto:doug.beattie@globalsign.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
                        Ian McMillan <<a
                          href="mailto:ianmcm@microsoft.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
                        Tim Hollebeek <<a
                          href="mailto:tim.hollebeek@digicert.com"
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>><br>
                        <b>Subject:</b> Re: [Cscwg-public] Update to
                        Subscriber Private Key Protection Requirements
                        (CSC-6 to CSC-13)</span><o:p></o:p></p>
                  </div>
                </div>
                <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                <p class="MsoNormal">Hi all,<o:p></o:p></p>
                <p class="MsoNormal"> <o:p></o:p></p>
                <p class="MsoNormal"><span lang="EN-GB">Reviewing the
                    section 16.3.1 I have a “wording” question. What
                    does it mean that “The CA MUST obtain a
                    representation from the Subscriber that the
                    Subscriber will use one of the following options …”.
                    So, what is a “representation from the subscriber”?</span><o:p></o:p></p>
                <p class="MsoNormal"><span lang="EN-GB"> </span><o:p></o:p></p>
                <p class="MsoNormal"><span lang="EN-GB">Regards</span><o:p></o:p></p>
                <p class="MsoNormal"><span lang="EN-GB"> </span><o:p></o:p></p>
                <div>
                  <div style="border:none;border-top:solid #E1E1E1
                    1.0pt;padding:3.0pt 0cm 0cm 0cm">
                    <p class="MsoNormal"><b>De:</b> Cscwg-public <<a
                        href="mailto:cscwg-public-bounces@cabforum.org"
                        moz-do-not-send="true"
                        class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
                      <b>En nombre de </b>Bruce Morton via Cscwg-public<br>
                      <b>Enviado el:</b> jueves, 3 de marzo de 2022
                      15:08<br>
                      <b>Para:</b> Doug Beattie <<a
                        href="mailto:doug.beattie@globalsign.com"
                        moz-do-not-send="true"
                        class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
                      Ian McMillan <<a
                        href="mailto:ianmcm@microsoft.com"
                        moz-do-not-send="true"
                        class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
                      Tim Hollebeek <<a
                        href="mailto:tim.hollebeek@digicert.com"
                        moz-do-not-send="true"
                        class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
                      <a href="mailto:cscwg-public@cabforum.org"
                        moz-do-not-send="true"
                        class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
                      <b>Subject:</b> Re: [Cscwg-public] Update to
                      Subscriber Private Key Protection Requirements
                      (CSC-6 to CSC-13)<o:p></o:p></p>
                  </div>
                </div>
                <p class="MsoNormal"> <o:p></o:p></p>
                <div style="border:solid black 1.0pt;padding:2.0pt 2.0pt
                  2.0pt 2.0pt">
                  <p class="MsoNormal"
                    style="line-height:12.0pt;background:#FAFA03"><span
                      style="font-size:10.0pt;color:black" lang="EN-US">CAUTION:
                      This email originated from outside of the
                      organization. Do not click links or open
                      attachments unless you recognize the sender and
                      know the content is safe.</span><o:p></o:p></p>
                </div>
                <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                <div>
                  <p class="MsoNormal"><span lang="EN-US">Doug,</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Regarding the
                      16.2 section, this statement was also struck-out,
                      “After 2021-06-01, the same protection
                      requirements SHALL apply to Non EV Code Signing
                      Certificates.” So I believe that the requirement
                      already applied to normal code signing
                      certificates. The edits are just a cleanup.</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Bruce.</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <div>
                    <div style="border:none;border-top:solid #E1E1E1
                      1.0pt;padding:3.0pt 0cm 0cm 0cm">
                      <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
                          lang="EN-US"> Doug Beattie <<a
                            href="mailto:doug.beattie@globalsign.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>
                          <br>
                          <b>Sent:</b> Thursday, March 3, 2022 6:56 AM<br>
                          <b>To:</b> Ian McMillan <<a
                            href="mailto:ianmcm@microsoft.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
                          Tim Hollebeek <<a
                            href="mailto:tim.hollebeek@digicert.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
                          <a href="mailto:cscwg-public@cabforum.org"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
                          Bruce Morton <<a
                            href="mailto:Bruce.Morton@entrust.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>><br>
                          <b>Subject:</b> [EXTERNAL] RE: Update to
                          Subscriber Private Key Protection Requirements
                          (CSC-6 to CSC-13)</span><o:p></o:p></p>
                    </div>
                  </div>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">WARNING: This
                      email originated outside of Entrust.<br>
                      DO NOT CLICK links or attachments unless you trust
                      the sender and know the content is safe.</span><o:p></o:p></p>
                  <div class="MsoNormal" style="text-align:center"
                    align="center"><span lang="EN-US">
                      <hr width="100%" size="1" align="center"></span></div>
                  <p class="MsoNormal"><span lang="EN-US">Hi Ian,</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Good work on
                      section 16.3, that is much more clear now.  I have
                      2 more comments for your consideration.</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Comment #1:</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">In Section
                      11.7 we say:</span><o:p></o:p></p>
                  <p class="MsoNormal" style="margin-left:36.0pt"><span
                      lang="EN-US">If the CA is aware that the Applicant
                      was the victim of a Takeover Attack, the CA MUST
                      verify that the Applicant is protecting its Code
                      Signing Private Keys under Section 16.3.1(1) or
                      Section 16.3.1(2). The CA MUST verify the
                      Applicant’s compliance with Section 16.3.1(1) or
                      Section 16.3.1(2) (i) through technical means that
                      confirm the Private Keys are protected using the
                      method described in 16.3.1(1) or 16.3.1(2) or (ii)
                      by relying on a report provided by the Applicant
                      that is signed by an auditor who is approved by
                      the CA and who has IT and security training or is
                      a CISA.</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">But now there
                      are actually 2 lists in sections 16.3.1(1) or
                      Section 16.3.1(2) with those list numbers.  Do we
                      need to be more specific, or renumber the second
                      list a-c?  </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">After 15
                      November, what is the right remediation for Take
                      Over attack, do we need to reference one or more
                      of the items in the new list (the list we might
                      renumber a-c), or is there no remediation now?</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">There are
                      multiple references to 16.3.1(1) so we’d want to
                      apply the same logic to all instances.</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Comment #2:</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Section 16.2
                      removed the reference to EV in the scope so this
                      applies to normal Code signing certificates. 
                      Since this does not have a date associated with
                      it, do we assume that this requirement change for
                      normal code signing certs is effective
                      immediately?</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <div>
                    <div style="border:none;border-top:solid #E1E1E1
                      1.0pt;padding:3.0pt 0cm 0cm 0cm">
                      <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
                          lang="EN-US"> Ian McMillan <<a
                            href="mailto:ianmcm@microsoft.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>
                          <br>
                          <b>Sent:</b> Wednesday, March 2, 2022 5:56 PM<br>
                          <b>To:</b> Tim Hollebeek <<a
                            href="mailto:tim.hollebeek@digicert.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
                          <a href="mailto:cscwg-public@cabforum.org"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
                          Doug Beattie <<a
                            href="mailto:doug.beattie@globalsign.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
                          Bruce Morton <<a
                            href="mailto:bruce.morton@entrust.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">bruce.morton@entrust.com</a>><br>
                          <b>Subject:</b> RE: Update to Subscriber
                          Private Key Protection Requirements (CSC-6 to
                          CSC-13)</span><o:p></o:p></p>
                    </div>
                  </div>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Thank you,
                      Tim, I really like the structure suggestions here.
                      I’ve made those updates per your suggestion in the
                      attached copy of the redline document. </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">I’ll note your
                      endorsement.</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Cheers,</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">Ian</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <div>
                    <div style="border:none;border-top:solid #E1E1E1
                      1.0pt;padding:3.0pt 0cm 0cm 0cm">
                      <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
                          lang="EN-US"> Tim Hollebeek <<a
                            href="mailto:tim.hollebeek@digicert.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>
                          <br>
                          <b>Sent:</b> Wednesday, March 2, 2022 4:57 PM<br>
                          <b>To:</b> Ian McMillan <<a
                            href="mailto:ianmcm@microsoft.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
                          <a href="mailto:cscwg-public@cabforum.org"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
                          Doug Beattie <<a
                            href="mailto:doug.beattie@globalsign.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
                          Bruce Morton <<a
                            href="mailto:bruce.morton@entrust.com"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">bruce.morton@entrust.com</a>><br>
                          <b>Subject:</b> [EXTERNAL] RE: Update to
                          Subscriber Private Key Protection Requirements
                          (CSC-6 to CSC-13)</span><o:p></o:p></p>
                    </div>
                  </div>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">I would
                      recommend against using parentheticals to express
                      the deprecation dates, as it makes the sentences
                      more complicated than they need to be.  I’d just
                      modify the first sentence of each part so the
                      structure is as follows:</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">   For Non-EV
                      Code Signing Certificates issued prior to November
                      15, 2022, …</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">   For EV Code
                      Signing Certificates issued prior to November 15,
                      2022, …</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">   Effective
                      November 15, 2022, …</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">But otherwise,
                      the updates look good and we are willing to
                      endorse CSC-13.</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US">-Tim</span><o:p></o:p></p>
                  <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                  <div style="border:none;border-left:solid blue
                    1.5pt;padding:0cm 0cm 0cm 4.0pt">
                    <div>
                      <div style="border:none;border-top:solid #E1E1E1
                        1.0pt;padding:3.0pt 0cm 0cm 0cm">
                        <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
                            lang="EN-US"> Ian McMillan <<a
                              href="mailto:ianmcm@microsoft.com"
                              moz-do-not-send="true"
                              class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>
                            <br>
                            <b>Sent:</b> Wednesday, March 2, 2022 11:31
                            AM<br>
                            <b>To:</b> <a
                              href="mailto:cscwg-public@cabforum.org"
                              moz-do-not-send="true"
                              class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
                            Doug Beattie <<a
                              href="mailto:doug.beattie@globalsign.com"
                              moz-do-not-send="true"
                              class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
                            Bruce Morton <<a
                              href="mailto:bruce.morton@entrust.com"
                              moz-do-not-send="true"
                              class="moz-txt-link-freetext">bruce.morton@entrust.com</a>>;
                            Tim Hollebeek <<a
                              href="mailto:tim.hollebeek@digicert.com"
                              moz-do-not-send="true"
                              class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>><br>
                            <b>Subject:</b> Update to Subscriber Private
                            Key Protection Requirements (CSC-6 to
                            CSC-13)</span><o:p></o:p></p>
                      </div>
                    </div>
                    <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                    <p class="MsoNormal"><span lang="EN-US">Hi Folks,</span><o:p></o:p></p>
                    <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                    <p class="MsoNormal"><span lang="EN-US">Attached you
                        will find an updated redline doc of v2.7 of the
                        CSBRs with the updates to the subscriber private
                        key protection requirements as outlined
                        previously in CSC-6. This updated version also
                        includes edits to address issues Doug Beattie
                        raised during the voting period of CSC-6, so I
                        am looking for confirmation from Doug on these
                        edits addressing the concerns he raised. </span><o:p></o:p></p>
                    <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                    <p class="MsoNormal"><span lang="EN-US">Additionally,
                        I’m looking to get endorsements on this ballot
                        under <a
href="https://wiki.cabforum.org/cscwg/csc_13_-_update_to_subscriber_private_key_protection_requirements"
title="cscwg:csc_13_-_update_to_subscriber_private_key_protection_requirements"
                          moz-do-not-send="true">CSC 13 - Update to
                          Subscriber Private Key Protection Requirements</a>,
                        and hope that Bruce and Tim, as previous
                        endorsers, can review the edits and endorse the
                        new ballot. Once we have endorsers I’ll proceed
                        with the formal ballot process. </span><o:p></o:p></p>
                    <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
                    <p class="MsoNormal"><span lang="EN-US">Cheers,</span><o:p></o:p></p>
                    <p class="MsoNormal"><span lang="EN-US">Ian </span><o:p></o:p></p>
                  </div>
                </div>
              </div>
              <p class="MsoNormal"><span
                  style="font-size:12.0pt;font-family:"MS
                  PGothic",sans-serif"><br>
                  <br>
                  <o:p></o:p></span></p>
              <pre>_______________________________________________<o:p></o:p></pre>
              <pre>Cscwg-public mailing list<o:p></o:p></pre>
              <pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
              <pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
            </blockquote>
            <p class="MsoNormal"><span
                style="font-size:12.0pt;font-family:"MS
                PGothic",sans-serif"><br>
                <br>
                <o:p></o:p></span></p>
          </blockquote>
          <p class="MsoNormal"><span
              style="font-size:12.0pt;font-family:"MS
              PGothic",sans-serif"><o:p> </o:p></span></p>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>