<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
It's best if we add the subscriber warranties and expectations in
one place but my point was that we already expect things from
Certificate Subscribers. It's not a new thing, as you presented it.<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 9/3/2022 6:03 p.m., Inigo Barreira
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM6PR17MB3116F7BA725D5962C3539A29810A9@DM6PR17MB3116.namprd17.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">Nope. In section 7.2 (which is for certificate
warranties) there's no clear indication on this unless you
consider 1) compliance and 6) key protection enough. Section
7.3 says nothing about this. Further, there's no definition
of “representation” in section 4, and hence my question,
because I was thinking of a different matter.</span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="mso-fareast-language:ES">From:</span></b><span
style="mso-fareast-language:ES"> Dimitris Zacharopoulos
(HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr">&lt;dzacharo@harica.gr&gt;</a> <br>
<b>Sent:</b> Wednesday, March 9, 2022 14:08<br>
<b>To:</b> Inigo Barreira
<a class="moz-txt-link-rfc2396E" href="mailto:Inigo.Barreira@sectigo.com">&lt;Inigo.Barreira@sectigo.com&gt;</a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Adriano Santoni
<a class="moz-txt-link-rfc2396E" href="mailto:adriano.santoni@staff.aruba.it">&lt;adriano.santoni@staff.aruba.it&gt;</a><br>
<b>Subject:</b> Re: [Cscwg-public] Update to Subscriber
Private Key Protection Requirements (CSC-6 to CSC-13)</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">On 9/3/2022 2:58 p.m., Inigo Barreira
wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-GB">I agree
with Adriano. Point 1 does not make the customer accountable
for anything (I will promise I'm a good guy), and then
point 2 is useless because with point 1 you're allowing
the customer to do whatever, regardless of whether they use a
hardware device or not. The CSRs can be generated in a
crypto device or not, and with point 1 you, as the CA,
are “sure” that the keys are in a hardware crypto
device. That's a lot to assume.</span></p>
</blockquote>
<p class="MsoNormal"><span style="mso-fareast-language:ES"><br>
You are missing the point of Subscriber representations
and warranties which is clearly included in the BRs.
Subscribers have obligations as well and we must ensure
they are aware and bound to those obligations.<br>
<br>
Dimitris.<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA)
via Cscwg-public<br>
<b>Sent:</b> Wednesday, March 9, 2022 13:27<br>
<b>To:</b> Adriano Santoni <a
href="mailto:adriano.santoni@staff.aruba.it"
moz-do-not-send="true">&lt;adriano.santoni@staff.aruba.it&gt;</a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Update to Subscriber
Private Key Protection Requirements (CSC-6 to CSC-13)</p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I
believe this language and double confirmation comes from
years ago when tools like remote key attestation were
not available.<br>
<br>
If we are to allow an Applicant to generate keys
remotely (i.e. without the presence of a CA
representative and without hardware that supports remote
key attestation), which seems to be the case with the
CSCWG today, we need to rely on policy to accomplish
that. It is reasonable to hold both sides, the Applicant
and the CA, accountable to this policy. See below.<br>
<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 9/3/2022 11:43 a.m., Adriano
Santoni via Cscwg-public wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>As far as I'm concerned, I find the double requirement
confusing and overly complex:</p>
<p>1) customer must make a "representation" that they
will use a hardware crypto module (or signing
service), and ...<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
This is required because a customer could potentially
"fake" the hardware device id and create a virtual
driver that emulates the actual hardware device. The
Applicant must be held accountable if they try to
manipulate the process or make any changes to the
process and tools provided by the CA.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>2) the CA must ensure that the customer will really
use a hardware crypto module (or signing service). <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
The CA must establish a process and develop the proper
tools to provide reasonable assurance that the Applicant
remotely generates keys in a hardware crypto module
which is usually within a limited set of devices
approved by the CA. The CA is not allowed to say "please
send me a CSR and pinky swear that it was generated in a
crypto device". They must develop tools and middleware
and establish a process to make sure the key is
generated in approved crypto-devices only.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>If the CA will be obliged to meet req #2, then I do
not see what use is req #1.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Hope this explanation helps.<br>
Dimitris.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>Adriano<o:p></o:p></p>
<p>-- Actalis<o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 09/03/2022 10:21, Inigo
Barreira via Cscwg-public wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-GB">Yes,
please.</span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-GB">It
looks like this representation means something
like “click here if you are over 18” or “click
here if you agree”, because these are also facts,
not opinions.</span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-GB">IMO
the message here is that CAs will rely on whatever
the subscriber says, e.g. “yes, I'm a good guy
and promise that I will keep my keys in a hardware
device …”, rather than carrying out the corresponding
tasks to ensure it. Is this the right approach? This is
what I understand from Dean's response, because CAs
are not attesting anything, just relying on a form
signed by the subscriber in which it may say
whatever.</span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-GB">Regards</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-GB"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Tim Hollebeek <a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true">&lt;tim.hollebeek@digicert.com&gt;</a>
<br>
<b>Sent:</b> Tuesday, March 8, 2022
20:35<br>
<b>To:</b> Dean Coclin <a
href="mailto:dean.coclin@digicert.com"
moz-do-not-send="true">&lt;dean.coclin@digicert.com&gt;</a>;
Inigo Barreira <a
href="mailto:Inigo.Barreira@sectigo.com"
moz-do-not-send="true">&lt;Inigo.Barreira@sectigo.com&gt;</a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
Bruce Morton <a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true">&lt;bruce.morton@entrust.com&gt;</a>;
Doug Beattie <a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true">&lt;doug.beattie@globalsign.com&gt;</a>;
Ian McMillan <a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true">&lt;ianmcm@microsoft.com&gt;</a><br>
<b>Subject:</b> RE: Update to Subscriber Private
Key Protection Requirements (CSC-6 to CSC-13)</p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">“representation”
is being used here in the legal sense: “a statement of
fact. A representation should be distinguished from a
statement of opinion for many legal purposes, especially
in relation to contractual obligations.”</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">We should
perhaps be using plain English instead of
legalese.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">-Tim</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Dean Coclin <</span><a
href="mailto:dean.coclin@digicert.com"
moz-do-not-send="true"><span lang="EN-US">dean.coclin@digicert.com</span></a><span
lang="EN-US">> <br>
<b>Sent:</b> Tuesday, March 8, 2022 1:00 PM<br>
<b>To:</b> Inigo Barreira <</span><a
href="mailto:Inigo.Barreira@sectigo.com"
moz-do-not-send="true"><span lang="EN-US">Inigo.Barreira@sectigo.com</span></a><span
lang="EN-US">>; </span><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span lang="EN-US">cscwg-public@cabforum.org</span></a><span
lang="EN-US">; Bruce Morton <</span><a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"><span lang="EN-US">bruce.morton@entrust.com</span></a><span
lang="EN-US">>; Doug Beattie <</span><a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"><span lang="EN-US">doug.beattie@globalsign.com</span></a><span
lang="EN-US">>; Ian McMillan <</span><a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"><span lang="EN-US">ianmcm@microsoft.com</span></a><span
lang="EN-US">>; Tim Hollebeek <</span><a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"><span lang="EN-US">tim.hollebeek@digicert.com</span></a><span
lang="EN-US">><br>
<b>Subject:</b> RE: Update to Subscriber
Private Key Protection Requirements (CSC-6
to CSC-13)</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US">This means exactly what it says,
some representation that the subscriber makes to
honor the condition. This traditionally has been
something in writing that the subscriber signs
and submits to the CA. CAs can provide a form to
the subscriber which they attest to.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public <</span><a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"><span lang="EN-US">cscwg-public-bounces@cabforum.org</span></a><span
lang="EN-US">> <b>On Behalf Of </b>Inigo
Barreira via Cscwg-public<br>
<b>Sent:</b> Tuesday, March 8, 2022 11:03 AM<br>
<b>To:</b> Bruce Morton <</span><a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"><span lang="EN-US">bruce.morton@entrust.com</span></a><span
lang="EN-US">>; </span><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span lang="EN-US">cscwg-public@cabforum.org</span></a><span
lang="EN-US">; Doug Beattie <</span><a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"><span lang="EN-US">doug.beattie@globalsign.com</span></a><span
lang="EN-US">>; Ian McMillan <</span><a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"><span lang="EN-US">ianmcm@microsoft.com</span></a><span
lang="EN-US">>; Tim Hollebeek <</span><a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"><span lang="EN-US">tim.hollebeek@digicert.com</span></a><span
lang="EN-US">><br>
<b>Subject:</b> Re: [Cscwg-public] Update to
Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-GB">Reviewing
section 16.3.1, I have a “wording” question.
What does it mean that “The CA MUST obtain a
representation from the Subscriber that the
Subscriber will use one of the following options
…”? So, what is a “representation from the
Subscriber”?</span></p>
<p class="MsoNormal"><span lang="EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-GB">Regards</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-GB"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Cscwg-public
&lt;<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>&gt;
<b>On Behalf Of </b>Bruce Morton via
Cscwg-public<br>
<b>Sent:</b> Thursday, March 3, 2022
15:08<br>
<b>To:</b> Doug Beattie &lt;<a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>&gt;;
Ian McMillan &lt;<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">ianmcm@microsoft.com</a>&gt;;
Tim Hollebeek &lt;<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>&gt;;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Update to
Subscriber Private Key Protection Requirements
(CSC-6 to CSC-13)</p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Doug,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Regarding
the 16.2 section, this statement was also
struck-out, “After 2021-06-01, the same
protection requirements SHALL apply to Non EV
Code Signing Certificates.” So I believe that
the requirement already applied to normal code
signing certificates. The edits are just a
cleanup.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Bruce.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Doug Beattie <</span><a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"><span lang="EN-US">doug.beattie@globalsign.com</span></a><span
lang="EN-US">> <br>
<b>Sent:</b> Thursday, March 3, 2022 6:56
AM<br>
<b>To:</b> Ian McMillan <</span><a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"><span lang="EN-US">ianmcm@microsoft.com</span></a><span
lang="EN-US">>; Tim Hollebeek <</span><a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"><span lang="EN-US">tim.hollebeek@digicert.com</span></a><span
lang="EN-US">>; </span><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span lang="EN-US">cscwg-public@cabforum.org</span></a><span
lang="EN-US">; Bruce Morton <</span><a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true"><span lang="EN-US">Bruce.Morton@entrust.com</span></a><span
lang="EN-US">><br>
<b>Subject:</b> [EXTERNAL] RE: Update to
Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US">Hi Ian,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Good work
on section 16.3; it is much clearer now.
I have 2 more comments for your consideration.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Comment
#1:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">In Section
11.7 we say:</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US">If the CA is aware that the
Applicant was the victim of a Takeover Attack,
the CA MUST verify that the Applicant is
protecting its Code Signing Private Keys under
Section 16.3.1(1) or Section 16.3.1(2). The CA
MUST verify the Applicant’s compliance with
Section 16.3.1(1) or Section 16.3.1(2) (i)
through technical means that confirm the
Private Keys are protected using the method
described in 16.3.1(1) or 16.3.1(2) or (ii) by
relying on a report provided by the Applicant
that is signed by an auditor who is approved
by the CA and who has IT and security training
or is a CISA.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">But now
there are actually 2 lists in sections
16.3.1(1) or Section 16.3.1(2) with those list
numbers. Do we need to be more specific, or
renumber the second list a-c? </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">After 15
November, what is the right remediation for a
Takeover Attack? Do we need to reference one
or more of the items in the new list (the list
we might renumber a-c), or is there no
remediation now?</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">There are
multiple references to 16.3.1(1) so we’d want
to apply the same logic to all instances.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Comment
#2:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Section
16.2 removed the reference to EV in the scope
so this applies to normal Code signing
certificates. Since this does not have a date
associated with it, do we assume that this
requirement change for normal code signing
certs is effective immediately?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Ian McMillan <</span><a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"><span lang="EN-US">ianmcm@microsoft.com</span></a><span
lang="EN-US">> <br>
<b>Sent:</b> Wednesday, March 2, 2022 5:56
PM<br>
<b>To:</b> Tim Hollebeek <</span><a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"><span lang="EN-US">tim.hollebeek@digicert.com</span></a><span
lang="EN-US">>; </span><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span lang="EN-US">cscwg-public@cabforum.org</span></a><span
lang="EN-US">; Doug Beattie <</span><a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"><span lang="EN-US">doug.beattie@globalsign.com</span></a><span
lang="EN-US">>; Bruce Morton <</span><a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"><span lang="EN-US">bruce.morton@entrust.com</span></a><span
lang="EN-US">><br>
<b>Subject:</b> RE: Update to Subscriber
Private Key Protection Requirements (CSC-6
to CSC-13)</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Thank you,
Tim, I really like the structure suggestions
here. I’ve made those updates per your
suggestion in the attached copy of the redline
document. </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I’ll note
your endorsement.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Cheers,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Ian</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Tim Hollebeek <</span><a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"><span lang="EN-US">tim.hollebeek@digicert.com</span></a><span
lang="EN-US">> <br>
<b>Sent:</b> Wednesday, March 2, 2022 4:57
PM<br>
<b>To:</b> Ian McMillan <</span><a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"><span lang="EN-US">ianmcm@microsoft.com</span></a><span
lang="EN-US">>; </span><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span lang="EN-US">cscwg-public@cabforum.org</span></a><span
lang="EN-US">; Doug Beattie <</span><a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"><span lang="EN-US">doug.beattie@globalsign.com</span></a><span
lang="EN-US">>; Bruce Morton <</span><a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"><span lang="EN-US">bruce.morton@entrust.com</span></a><span
lang="EN-US">><br>
<b>Subject:</b> [EXTERNAL] RE: Update to
Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I would
recommend against using parentheticals to
express the deprecation dates, as it makes the
sentences more complicated than they need to
be. I’d just modify the first sentence of
each part so the structure is as follows:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> For
Non-EV Code Signing Certificates issued prior
to November 15, 2022, …</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> For EV
Code Signing Certificates issued prior to
November 15, 2022, …</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">
Effective November 15, 2022, …</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">But
otherwise, the updates look good and we are
willing to endorse CSC-13.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">-Tim</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Ian McMillan <</span><a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"><span
lang="EN-US">ianmcm@microsoft.com</span></a><span
lang="EN-US">> <br>
<b>Sent:</b> Wednesday, March 2, 2022
11:31 AM<br>
<b>To:</b> </span><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span
lang="EN-US">cscwg-public@cabforum.org</span></a><span
lang="EN-US">; Doug Beattie <</span><a
href="mailto:doug.beattie@globalsign.com" moz-do-not-send="true"><span
lang="EN-US">doug.beattie@globalsign.com</span></a><span
lang="EN-US">>; Bruce Morton <</span><a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"><span
lang="EN-US">bruce.morton@entrust.com</span></a><span
lang="EN-US">>; Tim Hollebeek <</span><a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"><span
lang="EN-US">tim.hollebeek@digicert.com</span></a><span
lang="EN-US">><br>
<b>Subject:</b> Update to Subscriber
Private Key Protection Requirements
(CSC-6 to CSC-13)</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Hi
Folks,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Attached
you will find an updated redline doc of v2.7
of the CSBRs with the updates to the
subscriber private key protection
requirements as outlined previously in
CSC-6. This updated version also includes
edits to address issues Doug Beattie raised
during the voting period of CSC-6, so I am
looking for confirmation from Doug on these
edits addressing the concerns he raised. </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Additionally,
I’m looking to get endorsements on this
ballot under </span><a
href="https://wiki.cabforum.org/cscwg/csc_13_-_update_to_subscriber_private_key_protection_requirements"
title="cscwg:csc_13_-_update_to_subscriber_private_key_protection_requirements"
moz-do-not-send="true"><span lang="EN-US">CSC
13 - Update to Subscriber Private Key
Protection Requirements</span></a><span
lang="EN-US">, and hope that Bruce and Tim,
as previous endorsers can review the edits
and endorse the new ballot. Once we have
endorsers I’ll proceed with the formal
ballot process. </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Cheers,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Ian </span><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><br></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a></pre>
</blockquote>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><span style="mso-fareast-language:ES"><o:p> </o:p></span></p>
</div>
</div>
</blockquote>
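<p>Added example, not from this thread or from any CA's tooling: a CA-side check, in the spirit of Dimitris's point above, that a bare CSR plus a signed promise proves nothing about where a key lives, whereas a device attestation chain binds the CSR's key to hardware the CA has approved. It models the PIV-style attestation pattern (a certificate for the generated key, signed by a per-device attestation key that chains to a vendor root the CA trusts); every key, certificate and name is constructed in memory, Ed25519 is used only for brevity and is not a CSBR code-signing algorithm, and the Python <code>cryptography</code> package is assumed to be installed.</p>

```python
"""CA-side verification that a CSR's key is bound to an approved hardware
attestation chain. Demo only: every key, certificate and name below is
constructed in memory and does not come from any real vendor or CA."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject_cn, issuer_cn, public_key, signer, is_ca):
    """Issue a minimal certificate; Ed25519 signing takes no hash argument."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn))
            .issuer_name(_name(issuer_cn))
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, None))


def _spki(public_key):
    """DER SubjectPublicKeyInfo, used to compare keys byte-for-byte."""
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def _validity(cert):
    """Timezone-aware validity window across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    utc = datetime.timezone.utc  # older releases expose naive datetimes only
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_attested_csr(csr, chain, approved_root_fingerprints):
    """Return (ok, reason). chain = [key attestation, device attestation, vendor root]."""
    if not csr.is_signature_valid:
        return False, "CSR signature invalid"
    now = datetime.datetime.now(datetime.timezone.utc)
    # 1. The chain must end in a vendor root the CA itself has approved; a
    #    spoofed device id or an emulated driver cannot produce that signature.
    root = chain[-1]
    if root.fingerprint(hashes.SHA256()) not in approved_root_fingerprints:
        return False, "attestation root not approved by the CA"
    # 2. Every certificate is signed by the one above it and currently valid.
    for depth, cert in enumerate(chain):
        issuer = chain[depth + 1] if depth + 1 < len(chain) else root  # root is self-signed
        if cert.issuer != issuer.subject:
            return False, f"issuer mismatch at depth {depth}"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
        except InvalidSignature:
            return False, f"bad signature at depth {depth}"
        not_before, not_after = _validity(cert)
        if not not_before <= now <= not_after:
            return False, f"certificate at depth {depth} outside its validity period"
    # 3. The attested key must be exactly the key that signed the CSR.
    if _spki(chain[0].public_key()) != _spki(csr.public_key()):
        return False, "CSR key is not the attested key"
    return True, "key generated in approved hardware"


def build_demo():
    """Construct an approved vendor root, one device, an attested key with its
    CSR, and a software-only CSR from a key that merely 'promises' hardware."""
    vendor_key = ed25519.Ed25519PrivateKey.generate()
    root_cn = "Demo Vendor Attestation Root"
    vendor_root = _cert(root_cn, root_cn, vendor_key.public_key(), vendor_key, True)
    device_key = ed25519.Ed25519PrivateKey.generate()
    device_cn = "Demo Device 0001 Attestation"
    device_cert = _cert(device_cn, root_cn, device_key.public_key(), vendor_key, True)
    slot_key = ed25519.Ed25519PrivateKey.generate()  # stands in for the on-device key
    key_att = _cert("Demo Device 0001 Slot 9c", device_cn, slot_key.public_key(), device_key, False)
    subject = _name("Example Software Publisher")
    attested_csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(slot_key, None)
    software_key = ed25519.Ed25519PrivateKey.generate()  # never touched hardware
    rogue_csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(software_key, None)
    approved = {vendor_root.fingerprint(hashes.SHA256())}
    return attested_csr, rogue_csr, [key_att, device_cert, vendor_root], approved


if __name__ == "__main__":
    attested, rogue, chain, approved = build_demo()
    print("attested CSR:", verify_attested_csr(attested, chain, approved))
    print("software CSR:", verify_attested_csr(rogue, chain, approved))
```

The software-key CSR is rejected even though it arrives with a perfectly genuine attestation chain, because the attested key and the CSR key differ; that binding is what a signed form alone cannot provide.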
<br>
</body>
</html>