<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 11/3/2022 9:07 μ.μ., Bruce Morton
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM5PR11MB00411C366F6FEBF72B9CD06E820C9@DM5PR11MB0041.namprd11.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Dimitris,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I see the value in creating greater
improvements to signing, but as you stated, I would prefer to
make smaller improvements. I believe that the first phase is
to update the CSBRs based on the model changes which we have
discussed. I don’t think there would be a lot of effort to get
this done. I would be happy to draft proposed changes after we
have changed the CSBR format.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I was reviewing TS 119 431-1, but also need
to see EN 419 241-1. I can’t find this document in my ETSI
search. I am hoping that we will find ETSI requirements which
we might be able to use in the CSBRs, if we find a gap.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
EN 419 241-1 standard is produced with CEN and it follows a policy
like ISO. You need to purchase a copy.<br>
<br>
We probably need to focus on ETSI TS 119 431-1 (publicly available)
which is precisely what we are trying to accomplish with the
"signing service" in today's CSBRs. At the very minimum, we need to
clarify what "signing service" means. Inigo, please chime-in if I
missed anything related to the ETSI/CEN standards.<br>
<br>
If members detect something in this ETSI document that is "too
European" as some colleagues mentioned in our last call, we can take
a closer look. In my personal opinion, I believe the document can
work as a stand-alone standard that would allow any CA or entity
that wants to manage keys on behalf of subscribers to be audited
separately from the CSBRs.<br>
<br>
As mentioned by others, the current CSBRs don't have any enforceable
audit requirements for entities managing keys on behalf of
subscribers. The goal would be to introduce some audit requirements
in such services so they can be used in 16.2 and 16.3 as an
alternative option for Subscribers to manage
(generate/protect/use/destroy) their private keys.<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:DM5PR11MB00411C366F6FEBF72B9CD06E820C9@DM5PR11MB0041.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via
Cscwg-public<br>
<b>Sent:</b> Friday, March 11, 2022 7:40 AM<br>
<b>To:</b> Bruce Morton via Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public@cabforum.org"><cscwg-public@cabforum.org></a><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Signing
Service Discussion of 10 March 2022<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">WARNING: This email originated outside of
Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender
and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr width="100%" size="2" align="center">
</div>
<p class="MsoNormal">Following-up on the discussion about
signing services, and the decisions of previous meetings that
a signing service is basically an entity that manages private
keys on behalf of Subscribers, please take a look at the
latest relevant ETSI TS available at:<o:p></o:p></p>
<ul type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6
level1 lfo1">
<a
href="https://urldefense.com/v3/__https:/www.etsi.org/deliver/etsi_ts/119400_119499/11943101/01.02.01_60/ts_11943101v010201p.pdf__;!!FJ-Y8qCqXTj2!Ijvhfy-9g01wuZ723tQAyBgBJgGeKkaTuxMc5JXiF3j2ydaMont9Piw0M6hmZP9Hk00$"
moz-do-not-send="true">https://www.etsi.org/deliver/etsi_ts/119400_119499/11943101/01.02.01_60/ts_11943101v010201p.pdf</a><o:p></o:p></li>
</ul>
<p>The responsibility to manage keys on behalf of subscribers is
not to be taken lightly as the current CSBRs do. Agreed that
we can take some small improvements to the current CSBRs but
if we believe that the goal is to define a secure environment
with secure policies/practices that will make the ecosystem
safer for subscribers and ultimately Relying Parties, then we
probably need to invest more time if we want to copy good
practices from other schemes.<o:p></o:p></p>
<p>On the other hand, this ETSI standard is already auditable
and a legal entity could be audited and certified against ETSI
TS 119 431. If a CA or a Subscriber wants to use a signing
service, that signing service could either comply with the
CSBRs and be audited against the requirements of section 17.1,
or be audited against ETSI TS 119 431.<o:p></o:p></p>
<p>Thoughts?<o:p></o:p></p>
<p>Dimitris.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 10/3/2022 10:00 μ.μ., Bruce Morton via
Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Here is the text we were discussing in
the CSCWG meeting today.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">=================================<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Proposed Signing Service items:<o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoNormal" style="mso-list:l1 level1
lfo4;vertical-align:middle">Signing Service is may be
performed by the CA or a third party<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1
lfo4;vertical-align:middle">Signing Service is not a CA
requirement, so is NOT a function of a Delegated Third
Party – this will limit scope<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1
lfo4;vertical-align:middle">Signing Service references may
be removed when not required - this will limit implied
scope<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1
lfo4;vertical-align:middle">Signing Service is not a
Subscriber, so all Private Keys are only associated to
certificate Subscriber<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1
lfo4;vertical-align:middle">Signing Service is not an RA,
so will not receive certificate requests from an Applicant
– CA or Delegated Third Party RA will receive certificate
requests<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1
lfo4;vertical-align:middle">Signing Request requirements
will not be defined in the CSBRs<o:p></o:p></li>
</ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Private key generation<o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoNormal" style="mso-list:l0 level1
lfo7;vertical-align:middle">Signing Service must provide
evidence to the CA that the private key was created by the
Signing Service.
<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l0 level1
lfo7;vertical-align:middle">Question - Ballot CSC-13
allows the Signing Service to use cloud-based key
generation. Can the CA can operate the cloud-based
service?<o:p></o:p></li>
</ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Audit<o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoNormal" style="mso-list:l2 level1
lfo10;vertical-align:middle">Specific compliance sections
of CSBRs and NetSec should be stated in the CSBRs as the
compliance/audit scope should not be determined by the CA,
Signing Service and Auditor. Note, WebTrust for CA or ETSI
EN 319 411-1 would not be in scope for Signing Service.<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1
lfo10;vertical-align:middle">For cloud-based key
generation, is there a compliance requirement for the
cloud-based service?<o:p></o:p></li>
</ol>
<p class="MsoNormal"><span style="font-size:18.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><i>Any email and files/attachments
transmitted with it are confidential and are intended
solely for the use of the individual or entity to whom
they are addressed. If this message has been sent to you
in error, you must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust
immediately</u> and delete the message from your system.</i>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://urldefense.com/v3/__https:/lists.cabforum.org/mailman/listinfo/cscwg-public__;!!FJ-Y8qCqXTj2!Ijvhfy-9g01wuZ723tQAyBgBJgGeKkaTuxMc5JXiF3j2ydaMont9Piw0M6hmIfo-ikE$" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>