<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I believe this language and double confirmation comes from years ago
when tools like remote key attestation were not available.<br>
<br>
If we are to allow an Applicant to generate keys remotely (i.e.
without the presence of a CA representative and without hardware
that supports remote key attestation), which seems to be the case
with the CSCWG today, we need to rely on policy to accomplish that.
It is reasonable to hold both sides, the Applicant and the CA,
accountable to this policy. See below.<br>
<br>
<br>
<div class="moz-cite-prefix">On 9/3/2022 11:43 π.μ., Adriano Santoni
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017f6e0f8fa0-80aa5838-6317-4b87-8a82-536b5aa6651b-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p><font face="Calibri">As far as I'm concerned, I find confusing
and overly complex the double requirement:<br>
</font></p>
<p><font face="Calibri">1) customer must make a "representation"
that they will use a hardware crypto module (or signing
service), and ...<br>
</font></p>
</blockquote>
<br>
This is required because a customer could potentially "fake" the
hardware device id and create a virtual driver that emulates the
actual hardware device. The Applicant must be held accountable if
they try to manipulate the process or make any changes to the
process and tools provided by the CA.<br>
<br>
<blockquote type="cite"
cite="mid:0100017f6e0f8fa0-80aa5838-6317-4b87-8a82-536b5aa6651b-000000@email.amazonses.com">
<p><font face="Calibri"> </font></p>
<p><font face="Calibri">2) the CA must ensure that the customer
will really use a hardware crypto module (or signing service).
<br>
</font></p>
</blockquote>
<br>
The CA must establish a process and develop the proper tools to
provide reasonable assurance that the Applicant remotely generates
keys in a hardware crypto module which is usually within a limited
set of devices approved by the CA. The CA is not allowed to say
"please send me a CSR and pinky swear that it was generated in a
crypto device". They must develop tools and middleware and establish
a process to make sure the key is generated in approved
crypto-devices only.<br>
<br>
<blockquote type="cite"
cite="mid:0100017f6e0f8fa0-80aa5838-6317-4b87-8a82-536b5aa6651b-000000@email.amazonses.com">
<p><font face="Calibri"> </font></p>
<p><font face="Calibri">If the CA will be obliged to meet req #2,
then I do not see what use is req #1.<br>
</font></p>
</blockquote>
<br>
Hope this explanation helps.<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:0100017f6e0f8fa0-80aa5838-6317-4b87-8a82-536b5aa6651b-000000@email.amazonses.com">
<p><font face="Calibri"> </font></p>
<p>Adriano</p>
<p>-- Actalis</p>
<p><br>
</p>
<div class="moz-cite-prefix">Il 09/03/2022 10:21, Inigo Barreira
via Cscwg-public ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:0100017f6dfc2194-5907ce20-e61c-43d4-bb3e-5fe293822e38-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}span.hvr
{mso-style-name:hvr;}span.EstiloCorreo21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">Yes, please. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">It looks like this representation means
something like “click here if you are over 18” or “click
here if you agree” because these are also facts not
opinions. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">IMO the message here is that CAs will rely in
whatever the subscriber says, e.g., “yes, I´m a good guy
and promise that I will keep my keys in a hardware device
…” rather on making the corresponding tasks to ensure. Is
this the right approach? This is what I understand from
Dean´s response because CAs are not attesting anything
just relying in a form signed by the subscriber in where
it may say whatever.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-GB"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>De:</b> Tim Hollebeek <a
class="moz-txt-link-rfc2396E"
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"><tim.hollebeek@digicert.com></a>
<br>
<b>Enviado el:</b> martes, 8 de marzo de 2022 20:35<br>
<b>Para:</b> Dean Coclin <a
class="moz-txt-link-rfc2396E"
href="mailto:dean.coclin@digicert.com"
moz-do-not-send="true"><dean.coclin@digicert.com></a>;
Inigo Barreira <a class="moz-txt-link-rfc2396E"
href="mailto:Inigo.Barreira@sectigo.com"
moz-do-not-send="true"><Inigo.Barreira@sectigo.com></a>;
<a class="moz-txt-link-abbreviated
moz-txt-link-freetext"
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a>;
Bruce Morton <a class="moz-txt-link-rfc2396E"
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"><bruce.morton@entrust.com></a>;
Doug Beattie <a class="moz-txt-link-rfc2396E"
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"><doug.beattie@globalsign.com></a>;
Ian McMillan <a class="moz-txt-link-rfc2396E"
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"><ianmcm@microsoft.com></a><br>
<b>Asunto:</b> RE: Update to Subscriber Private Key
Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">“representation” is
being used here in the legal sense: “</span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#404040;background:white"
lang="EN-US">a <span class="hvr">statement</span> of <span
class="hvr">fact.</span> A <span class="hvr">representation</span> <span
class="hvr">should</span> be <span class="hvr">distinguished</span> <span
class="hvr">from</span> a <span class="hvr">statement</span> of <span
class="hvr">opinion</span> <span class="hvr">for</span> <span
class="hvr">many</span> <span class="hvr">legal</span> <span
class="hvr">purposes,</span> <span class="hvr">especially</span> in <span
class="hvr">relation</span> to <span class="hvr">contractual</span> <span
class="hvr">obligations.</span></span><span lang="EN-US">”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We should perhaps be
using plain English instead of legalese.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Dean Coclin <<a
href="mailto:dean.coclin@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">dean.coclin@digicert.com</a>>
<br>
<b>Sent:</b> Tuesday, March 8, 2022 1:00 PM<br>
<b>To:</b> Inigo Barreira <<a
href="mailto:Inigo.Barreira@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">Inigo.Barreira@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
Bruce Morton <<a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">bruce.morton@entrust.com</a>>;
Doug Beattie <<a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>><br>
<b>Subject:</b> RE: Update to Subscriber Private Key
Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US">This means exactly what it says, some
representation that the subscriber makes to honor the
condition. This traditionally has been something in
writing that the subscriber signs and submits to the CA.
CAs can provide a form to the subscriber which they
attest to.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Inigo Barreira via Cscwg-public<br>
<b>Sent:</b> Tuesday, March 8, 2022 11:03 AM<br>
<b>To:</b> Bruce Morton <<a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">bruce.morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
Doug Beattie <<a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>><br>
<b>Subject:</b> Re: [Cscwg-public] Update to
Subscriber Private Key Protection Requirements
(CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-GB">Reviewing the
section 16.3.1 I have a “wording” question. What does it
mean that “The CA MUST obtain a representation from the
Subscriber that the Subscriber will use one of the
following options …”. So, what is a “representation from
the subscriber”?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>De:</b> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>En nombre de </b>Bruce Morton via Cscwg-public<br>
<b>Enviado el:</b> jueves, 3 de marzo de 2022 15:08<br>
<b>Para:</b> Doug Beattie <<a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true" class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
Ian McMillan <<a href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true" class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true" class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Asunto:</b> Re: [Cscwg-public] Update to Subscriber
Private Key Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt
2.0pt 2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="font-size:10.0pt;color:black" lang="EN-US">CAUTION:
This email originated from outside of the
organization. Do not click links or open attachments
unless you recognize the sender and know the content
is safe.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Doug,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Regarding the 16.2
section, this statement was also struck-out, “After
2021-06-01, the same protection requirements SHALL
apply to Non EV Code Signing Certificates.” So I
believe that the requirement already applied to normal
code signing certificates. The edits are just a
cleanup.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Doug Beattie <<a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>
<br>
<b>Sent:</b> Thursday, March 3, 2022 6:56 AM<br>
<b>To:</b> Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>><br>
<b>Subject:</b> [EXTERNAL] RE: Update to
Subscriber Private Key Protection Requirements
(CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">WARNING: This
email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the
sender and know the content is safe.<o:p></o:p></span></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span lang="EN-US">
<hr width="100%" size="1" align="center"></span></div>
<p class="MsoNormal"><span lang="EN-US">Hi Ian,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Good work on
section 16.3, that is much more clear now. I have 2
more comments for your consideration.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Comment #1:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">In Section 11.7 we
say:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
lang="EN-US">If the CA is aware that the Applicant was
the victim of a Takeover Attack, the CA MUST verify
that the Applicant is protecting its Code Signing
Private Keys under Section 16.3.1(1) or Section
16.3.1(2). The CA MUST verify the Applicant’s
compliance with Section 16.3.1(1) or Section 16.3.1(2)
(i) through technical means that confirm the Private
Keys are protected using the method described in
16.3.1(1) or 16.3.1(2) or (ii) by relying on a report
provided by the Applicant that is signed by an auditor
who is approved by the CA and who has IT and security
training or is a CISA.</span><span
style="font-family:"Cambria",serif"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">But now there are
actually 2 lists in sections 16.3.1(1) or Section
16.3.1(2) with those list numbers. Do we need to be
more specific, or renumber the second list a-c? <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">After 15 November,
what is the right remediation for Take Over attack, do
we need to reference one or more of the items in the
new list (the list we might renumber a-c), or is there
no remediation now?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">There are multiple
references to 16.3.1(1) so we’d want to apply the same
logic to all instances.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Comment #2:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Section 16.2
removed the reference to EV in the scope so this
applies to normal Code signing certificates. Since
this does not have a date associated with it, do we
assume that this requirement change for normal code
signing certs is effective immediately?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 5:56 PM<br>
<b>To:</b> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
Doug Beattie <<a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
Bruce Morton <<a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">bruce.morton@entrust.com</a>><br>
<b>Subject:</b> RE: Update to Subscriber Private
Key Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thank you, Tim, I
really like the structure suggestions here. I’ve made
those updates per your suggestion in the attached copy
of the redline document. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I’ll note your
endorsement.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Ian<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 4:57 PM<br>
<b>To:</b> Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
Doug Beattie <<a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
Bruce Morton <<a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">bruce.morton@entrust.com</a>><br>
<b>Subject:</b> [EXTERNAL] RE: Update to
Subscriber Private Key Protection Requirements
(CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I would recommend
against using parentheticals to express the
deprecation dates, as it makes the sentences more
complicated than they need to be. I’d just modify the
first sentence of each part so the structure is as
follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> For Non-EV Code
Signing Certificates issued prior to November 15,
2022, …<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> For EV Code
Signing Certificates issued prior to November 15,
2022, …<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Effective
November 15, 2022, …<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">But otherwise, the
updates look good and we are willing to endorse
CSC-13.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">ianmcm@microsoft.com</a>>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 11:31 AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
Doug Beattie <<a
href="mailto:doug.beattie@globalsign.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">doug.beattie@globalsign.com</a>>;
Bruce Morton <<a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">bruce.morton@entrust.com</a>>;
Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>><br>
<b>Subject:</b> Update to Subscriber Private Key
Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Hi Folks,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Attached you
will find an updated redline doc of v2.7 of the
CSBRs with the updates to the subscriber private key
protection requirements as outlined previously in
CSC-6. This updated version also includes edits to
address issues Doug Beattie raised during the voting
period of CSC-6, so I am looking for confirmation
from Doug on these edits addressing the concerns he
raised. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Additionally,
I’m looking to get endorsements on this ballot under
<a
href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_13_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cinigo.barreira%40sectigo.com%7C8c395e17677b473299fe08d9fd1f31e3%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637819132704229104%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vVY6kf6AeMZd%2FrkLBqxgdyGhAQRLqyqUXVG2B5vGejM%3D&reserved=0"
title="cscwg:csc_13_-_update_to_subscriber_private_key_protection_requirements"
moz-do-not-send="true">CSC 13 - Update to
Subscriber Private Key Protection Requirements</a>,
and hope that Bruce and Tim, as previous endorsers
can review the edits and endorse the new ballot.
Once we have endorsers I’ll proceed with the formal
ballot process. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Ian <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>