<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:"MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
{font-family:"\@MS PGothic";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:12.0pt;
font-family:"MS Gothic";
mso-fareast-language:JA;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:JA;}
span.hvr
{mso-style-name:hvr;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:70.85pt 85.05pt 70.85pt 85.05pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Folks, <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Coming out of the meeting today we’ve made some additional changes to address the term “representation” in section 16 by adding changing it to “contractual representation”.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Please review the changes in the attached redline document.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Tim and Bruce would you review and please reply back with your confirmed willingness to endorse this ballot as CSC-13?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Ian<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="mso-fareast-language:EN-US">From:</span></b><span style="mso-fareast-language:EN-US"> Cscwg-public <cscwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Inigo Barreira via Cscwg-public<br>
<b>Sent:</b> Wednesday, March 9, 2022 12:15 PM<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr>; cscwg-public@cabforum.org; Adriano Santoni <adriano.santoni@staff.aruba.it><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Right, it´s not a new thing but I realized now, sorry. It´s just the word “representation” that confuses me and after explanations is more confusing.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ES" style="mso-fareast-language:ES">De:</span></b><span lang="ES" style="mso-fareast-language:ES"> Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr>
<br>
<b>Enviado el:</b> miércoles, 9 de marzo de 2022 18:00<br>
<b>Para:</b> Inigo Barreira <Inigo.Barreira@sectigo.com>; cscwg-public@cabforum.org; Adriano Santoni <adriano.santoni@staff.aruba.it><br>
<b>Asunto:</b> Re: [Cscwg-public] Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="ES"><o:p> </o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FAFA03"><span lang="ES" style="font-size:10.0pt;color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and
know the content is safe.</span><span lang="ES" style="font-size:10.0pt;color:black;mso-fareast-language:ES"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="ES"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES">It's best if we add the subscriber warranties and expectations in one place but my point was that we already expect things from Certificate Subscribers. It's not a new thing, as you presented
it.<br>
<br>
Dimitris.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="ES">On 9/3/2022 6:03 μ.μ., Inigo Barreira wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Nope. In section 7.2 (which is for certificate warranties) there´s no clear indication on this unless you consider 1) compliance and 6) key protection enough. Section 7.3 says nothing
about this. Further, there´s no definition of “representation” in section 4 and hence my question because I was thinking on a different matter.</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"> </span><span lang="ES"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ES" style="mso-fareast-language:ES">De:</span></b><span lang="ES" style="mso-fareast-language:ES"> Dimitris Zacharopoulos (HARICA)
<a href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a> <br>
<b>Enviado el:</b> miércoles, 9 de marzo de 2022 14:08<br>
<b>Para:</b> Inigo Barreira <a href="mailto:Inigo.Barreira@sectigo.com"><Inigo.Barreira@sectigo.com></a>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Adriano Santoni
<a href="mailto:adriano.santoni@staff.aruba.it"><adriano.santoni@staff.aruba.it></a><br>
<b>Asunto:</b> Re: [Cscwg-public] Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)</span><span lang="ES"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="ES"> <o:p></o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FAFA03"><span lang="ES" style="font-size:10.0pt;color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and
know the content is safe.</span><span lang="ES"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="ES"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="ES">On 9/3/2022 2:58 μ.μ., Inigo Barreira wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">I agree with Adriano. Point 1 does not make customer accountable for anything (I will promise I´m a good guy) and then point 2 is useless because with point 1 you´re allowing the customer
to do whatever, independently if they use a hardw device or not. The CSRs can be generated in a crypto device or not and with point 1 you, as the CA, are “sure” that the keys are in a hardware crypto device. That´s a lot to assume.</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"> </span><span lang="ES"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES" style="mso-fareast-language:ES"><br>
You are missing the point of Subscriber representations and warranties which is clearly included in the BRs. Subscribers have obligations as well and we must ensure they are aware and bound to those obligations.<br>
<br>
Dimitris.<br>
<br>
<br>
</span><span lang="ES"><o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ES">De:</span></b><span lang="ES"> Cscwg-public
<a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a>
<b>En nombre de </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br>
<b>Enviado el:</b> miércoles, 9 de marzo de 2022 13:27<br>
<b>Para:</b> Adriano Santoni <a href="mailto:adriano.santoni@staff.aruba.it"><adriano.santoni@staff.aruba.it></a>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Asunto:</b> Re: [Cscwg-public] Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="ES"> <o:p></o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FAFA03"><span lang="ES" style="font-size:10.0pt;color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and
know the content is safe.</span><span lang="ES"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="ES" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span lang="ES"><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES">I believe this language and double confirmation comes from years ago when tools like remote key attestation were not available.<br>
<br>
If we are to allow an Applicant to generate keys remotely (i.e. without the presence of a CA representative and without hardware that supports remote key attestation), which seems to be the case with the CSCWG today, we need to rely on policy to accomplish
that. It is reasonable to hold both sides, the Applicant and the CA, accountable to this policy. See below.<br>
<br>
<br>
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="ES">On 9/3/2022 11:43 π.μ., Adriano Santoni via Cscwg-public wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span lang="ES">As far as I'm concerned, I find confusing and overly complex the double requirement:<o:p></o:p></span></p>
<p><span lang="ES">1) customer must make a "representation" that they will use a hardware crypto module (or signing service), and ...<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"><br>
This is required because a customer could potentially "fake" the hardware device id and create a virtual driver that emulates the actual hardware device. The Applicant must be held accountable if they try to manipulate the process or make any changes to the
process and tools provided by the CA.<br>
<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span lang="ES">2) the CA must ensure that the customer will really use a hardware crypto module (or signing service).
<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"><br>
The CA must establish a process and develop the proper tools to provide reasonable assurance that the Applicant remotely generates keys in a hardware crypto module which is usually within a limited set of devices approved by the CA. The CA is not allowed to
say "please send me a CSR and pinky swear that it was generated in a crypto device". They must develop tools and middleware and establish a process to make sure the key is generated in approved crypto-devices only.<br>
<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span lang="ES">If the CA will be obliged to meet req #2, then I do not see what use is req #1.<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"><br>
Hope this explanation helps.<br>
Dimitris.<br>
<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span lang="ES">Adriano<o:p></o:p></span></p>
<p><span lang="ES">-- Actalis<o:p></o:p></span></p>
<p><span lang="ES"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="ES">Il 09/03/2022 10:21, Inigo Barreira via Cscwg-public ha scritto:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Yes, please.
</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">It looks like this representation means something like “click here if you are over 18” or “click here if you agree” because these are also facts not opinions.
</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">IMO the message here is that CAs will rely in whatever the subscriber says, e.g., “yes, I´m a good guy and promise that I will keep my keys in a hardware device …” rather on making
the corresponding tasks to ensure. Is this the right approach? This is what I understand from Dean´s response because CAs are not attesting anything just relying in a form signed by the subscriber in where it may say whatever.</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"> </span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Regards</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"> </span><span lang="ES"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ES">De:</span></b><span lang="ES"> Tim Hollebeek
<a href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a> <br>
<b>Enviado el:</b> martes, 8 de marzo de 2022 20:35<br>
<b>Para:</b> Dean Coclin <a href="mailto:dean.coclin@digicert.com"><dean.coclin@digicert.com></a>; Inigo Barreira
<a href="mailto:Inigo.Barreira@sectigo.com"><Inigo.Barreira@sectigo.com></a>; <a href="mailto:cscwg-public@cabforum.org">
cscwg-public@cabforum.org</a>; Bruce Morton <a href="mailto:bruce.morton@entrust.com">
<bruce.morton@entrust.com></a>; Doug Beattie <a href="mailto:doug.beattie@globalsign.com">
<doug.beattie@globalsign.com></a>; Ian McMillan <a href="mailto:ianmcm@microsoft.com">
<ianmcm@microsoft.com></a><br>
<b>Asunto:</b> RE: Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="ES"> <o:p></o:p></span></p>
<p class="MsoNormal">“representation” is being used here in the legal sense: “<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#404040;background:white">a <span class="hvr">statement</span> of <span class="hvr">fact.</span> A <span class="hvr">representation</span> <span class="hvr">should</span> be <span class="hvr">distinguished</span> <span class="hvr">from</span> a <span class="hvr">statement</span> of <span class="hvr">opinion</span> <span class="hvr">for</span> <span class="hvr">many</span> <span class="hvr">legal</span> <span class="hvr">purposes,</span> <span class="hvr">especially</span> in <span class="hvr">relation</span> to <span class="hvr">contractual</span> <span class="hvr">obligations.</span></span>”<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">We should perhaps be using plain English instead of legalese.<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">-Tim<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Dean Coclin <<span lang="ES"><a href="mailto:dean.coclin@digicert.com"><span lang="EN-US">dean.coclin@digicert.com</span></a></span>>
<br>
<b>Sent:</b> Tuesday, March 8, 2022 1:00 PM<br>
<b>To:</b> Inigo Barreira <<span lang="ES"><a href="mailto:Inigo.Barreira@sectigo.com"><span lang="EN-US">Inigo.Barreira@sectigo.com</span></a></span>>;
<span lang="ES"><a href="mailto:cscwg-public@cabforum.org"><span lang="EN-US">cscwg-public@cabforum.org</span></a></span>; Bruce Morton <<span lang="ES"><a href="mailto:bruce.morton@entrust.com"><span lang="EN-US">bruce.morton@entrust.com</span></a></span>>;
Doug Beattie <<span lang="ES"><a href="mailto:doug.beattie@globalsign.com"><span lang="EN-US">doug.beattie@globalsign.com</span></a></span>>; Ian McMillan <<span lang="ES"><a href="mailto:ianmcm@microsoft.com"><span lang="EN-US">ianmcm@microsoft.com</span></a></span>>;
Tim Hollebeek <<span lang="ES"><a href="mailto:tim.hollebeek@digicert.com"><span lang="EN-US">tim.hollebeek@digicert.com</span></a></span>><br>
<b>Subject:</b> RE: Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<span lang="ES"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">This means exactly what it says, some representation that the subscriber makes to honor the condition. This traditionally has been something in writing that the subscriber signs and submits to the CA. CAs
can provide a form to the subscriber which they attest to.</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><span lang="ES"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <<span lang="ES"><a href="mailto:cscwg-public-bounces@cabforum.org"><span lang="EN-US">cscwg-public-bounces@cabforum.org</span></a></span>>
<b>On Behalf Of </b>Inigo Barreira via Cscwg-public<br>
<b>Sent:</b> Tuesday, March 8, 2022 11:03 AM<br>
<b>To:</b> Bruce Morton <<span lang="ES"><a href="mailto:bruce.morton@entrust.com"><span lang="EN-US">bruce.morton@entrust.com</span></a></span>>;
<span lang="ES"><a href="mailto:cscwg-public@cabforum.org"><span lang="EN-US">cscwg-public@cabforum.org</span></a></span>; Doug Beattie <<span lang="ES"><a href="mailto:doug.beattie@globalsign.com"><span lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Ian McMillan <<span lang="ES"><a href="mailto:ianmcm@microsoft.com"><span lang="EN-US">ianmcm@microsoft.com</span></a></span>>; Tim Hollebeek <<span lang="ES"><a href="mailto:tim.hollebeek@digicert.com"><span lang="EN-US">tim.hollebeek@digicert.com</span></a></span>><br>
<b>Subject:</b> Re: [Cscwg-public] Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<span lang="ES"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Reviewing the section 16.3.1 I have a “wording” question. What does it mean that “The CA MUST obtain a representation from the Subscriber that the Subscriber will use one of the following options …”. So, what is a “representation
from the subscriber”?</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> </span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Regards</span><span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> </span><span lang="ES"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ES">De:</span></b><span lang="ES"> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>>
<b>En nombre de </b>Bruce Morton via Cscwg-public<br>
<b>Enviado el:</b> jueves, 3 de marzo de 2022 15:08<br>
<b>Para:</b> Doug Beattie <<a href="mailto:doug.beattie@globalsign.com">doug.beattie@globalsign.com</a>>; Ian McMillan <<a href="mailto:ianmcm@microsoft.com">ianmcm@microsoft.com</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Asunto:</b> Re: [Cscwg-public] Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="ES"> <o:p></o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FAFA03"><span style="font-size:10.0pt;color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the
content is safe.</span><span lang="ES"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">Doug,<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Regarding the 16.2 section, this statement was also struck-out, “After 2021-06-01, the same protection requirements SHALL apply to Non EV Code Signing Certificates.” So I believe that the requirement already applied to normal code signing
certificates. The edits are just a cleanup.<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Bruce.<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Doug Beattie <<span lang="ES"><a href="mailto:doug.beattie@globalsign.com"><span lang="EN-US">doug.beattie@globalsign.com</span></a></span>>
<br>
<b>Sent:</b> Thursday, March 3, 2022 6:56 AM<br>
<b>To:</b> Ian McMillan <<span lang="ES"><a href="mailto:ianmcm@microsoft.com"><span lang="EN-US">ianmcm@microsoft.com</span></a></span>>; Tim Hollebeek <<span lang="ES"><a href="mailto:tim.hollebeek@digicert.com"><span lang="EN-US">tim.hollebeek@digicert.com</span></a></span>>;
<span lang="ES"><a href="mailto:cscwg-public@cabforum.org"><span lang="EN-US">cscwg-public@cabforum.org</span></a></span>; Bruce Morton <<span lang="ES"><a href="mailto:Bruce.Morton@entrust.com"><span lang="EN-US">Bruce.Morton@entrust.com</span></a></span>><br>
<b>Subject:</b> [EXTERNAL] RE: Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<span lang="ES"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<span lang="ES"><o:p></o:p></span></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<p class="MsoNormal">Hi Ian,<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Good work on section 16.3, that is much more clear now. I have 2 more comments for your consideration.<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Comment #1:<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">In Section 11.7 we say:<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in">If the CA is aware that the Applicant was the victim of a Takeover Attack, the CA MUST verify that the Applicant is protecting its Code Signing Private Keys under Section 16.3.1(1) or Section 16.3.1(2). The CA MUST
verify the Applicant’s compliance with Section 16.3.1(1) or Section 16.3.1(2) (i) through technical means that confirm the Private Keys are protected using the method described in 16.3.1(1) or 16.3.1(2) or (ii) by relying on a report provided by the Applicant
that is signed by an auditor who is approved by the CA and who has IT and security training or is a CISA.<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">But now there are actually 2 lists in sections 16.3.1(1) or Section 16.3.1(2) with those list numbers. Do we need to be more specific, or renumber the second list a-c?
<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">After 15 November, what is the right remediation for Take Over attack, do we need to reference one or more of the items in the new list (the list we might renumber a-c), or is there no remediation now?<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">There are multiple references to 16.3.1(1) so we’d want to apply the same logic to all instances.<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Comment #2:<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Section 16.2 removed the reference to EV in the scope so this applies to normal Code signing certificates. Since this does not have a date associated with it, do we assume that this requirement change for normal code signing certs is effective
immediately?<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ian McMillan <<span lang="ES"><a href="mailto:ianmcm@microsoft.com"><span lang="EN-US">ianmcm@microsoft.com</span></a></span>>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 5:56 PM<br>
<b>To:</b> Tim Hollebeek <<span lang="ES"><a href="mailto:tim.hollebeek@digicert.com"><span lang="EN-US">tim.hollebeek@digicert.com</span></a></span>>;
<span lang="ES"><a href="mailto:cscwg-public@cabforum.org"><span lang="EN-US">cscwg-public@cabforum.org</span></a></span>; Doug Beattie <<span lang="ES"><a href="mailto:doug.beattie@globalsign.com"><span lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Bruce Morton <<span lang="ES"><a href="mailto:bruce.morton@entrust.com"><span lang="EN-US">bruce.morton@entrust.com</span></a></span>><br>
<b>Subject:</b> RE: Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<span lang="ES"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Thank you, Tim, I really like the structure suggestions here. I’ve made those updates per your suggestion in the attached copy of the redline document.
<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">I’ll note your endorsement.<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Cheers,<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Ian<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Tim Hollebeek <<span lang="ES"><a href="mailto:tim.hollebeek@digicert.com"><span lang="EN-US">tim.hollebeek@digicert.com</span></a></span>>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 4:57 PM<br>
<b>To:</b> Ian McMillan <<span lang="ES"><a href="mailto:ianmcm@microsoft.com"><span lang="EN-US">ianmcm@microsoft.com</span></a></span>>;
<span lang="ES"><a href="mailto:cscwg-public@cabforum.org"><span lang="EN-US">cscwg-public@cabforum.org</span></a></span>; Doug Beattie <<span lang="ES"><a href="mailto:doug.beattie@globalsign.com"><span lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Bruce Morton <<span lang="ES"><a href="mailto:bruce.morton@entrust.com"><span lang="EN-US">bruce.morton@entrust.com</span></a></span>><br>
<b>Subject:</b> [EXTERNAL] RE: Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<span lang="ES"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">I would recommend against using parentheticals to express the deprecation dates, as it makes the sentences more complicated than they need to be. I’d just modify the first sentence of each part so the structure is as follows:<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> For Non-EV Code Signing Certificates issued prior to November 15, 2022, …<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> For EV Code Signing Certificates issued prior to November 15, 2022, …<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> Effective November 15, 2022, …<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">But otherwise, the updates look good and we are willing to endorse CSC-13.<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">-Tim<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ian McMillan <<span lang="ES"><a href="mailto:ianmcm@microsoft.com"><span lang="EN-US">ianmcm@microsoft.com</span></a></span>>
<br>
<b>Sent:</b> Wednesday, March 2, 2022 11:31 AM<br>
<b>To:</b> <span lang="ES"><a href="mailto:cscwg-public@cabforum.org"><span lang="EN-US">cscwg-public@cabforum.org</span></a></span>; Doug Beattie <<span lang="ES"><a href="mailto:doug.beattie@globalsign.com"><span lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Bruce Morton <<span lang="ES"><a href="mailto:bruce.morton@entrust.com"><span lang="EN-US">bruce.morton@entrust.com</span></a></span>>; Tim Hollebeek <<span lang="ES"><a href="mailto:tim.hollebeek@digicert.com"><span lang="EN-US">tim.hollebeek@digicert.com</span></a></span>><br>
<b>Subject:</b> Update to Subscriber Private Key Protection Requirements (CSC-6 to CSC-13)<span lang="ES"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Hi Folks,<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Attached you will find an updated redline doc of v2.7 of the CSBRs with the updates to the subscriber private key protection requirements as outlined previously in CSC-6. This updated version also includes edits to address issues Doug Beattie
raised during the voting period of CSC-6, so I am looking for confirmation from Doug on these edits addressing the concerns he raised.
<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Additionally, I’m looking to get endorsements on this ballot under
<span lang="ES"><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_13_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cianmcm%40microsoft.com%7Ce6a5592ea98440d1462508da01f05f7d%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637824429178363769%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=9so2%2BiOyK9XXEQ8Y%2F%2FnOEd0ZymEoU%2Fub9lk8VS6ucbE%3D&reserved=0" title="cscwg:csc_13_-_update_to_subscriber_private_key_protection_requirements"><span lang="EN-US">CSC
13 - Update to Subscriber Private Key Protection Requirements</span></a></span>, and hope that Bruce and Tim, as previous endorsers can review the edits and endorse the new ballot. Once we have endorsers I’ll proceed with the formal ballot process.
<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Cheers,<span lang="ES"><o:p></o:p></span></p>
<p class="MsoNormal">Ian <span lang="ES"><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><br>
<br>
<br>
</span><span lang="ES"><o:p></o:p></span></p>
<pre><span lang="ES">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="ES">Cscwg-public mailing list<o:p></o:p></span></pre>
<pre><span lang="ES"><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></span></pre>
<pre><span lang="ES"><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7Ce6a5592ea98440d1462508da01f05f7d%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637824429178363769%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=LnP7dwOGGX87Z6tZNa%2BnglvDc7Px%2BrqaClOqrPsfS48%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><br>
<br>
<br>
</span><span lang="ES"><o:p></o:p></span></p>
<pre><span lang="ES">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="ES">Cscwg-public mailing list<o:p></o:p></span></pre>
<pre><span lang="ES"><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></span></pre>
<pre><span lang="ES"><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7Ce6a5592ea98440d1462508da01f05f7d%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637824429178363769%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=LnP7dwOGGX87Z6tZNa%2BnglvDc7Px%2BrqaClOqrPsfS48%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal"><span lang="ES" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span lang="ES"><o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal"><span lang="ES" style="mso-fareast-language:ES"> </span><span lang="ES"><o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal"><span lang="ES" style="mso-fareast-language:ES"><o:p> </o:p></span></p>
</div>
</div>
</body>
</html>