<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
It was noted to me that the procedure of this ballot may have some
issues.<br>
<br>
In the "Motion" section of the ballot, there is no reference to the
<b>actual language changes</b> of the Guideline as noted in the
attached redline when the voting started. Instead, the motion
section contains "descriptions" of the changes.<br>
<br>
I'm afraid this is inconsistent with <a moz-do-not-send="true"
href="https://github.com/cabforum/forum/blob/main/Bylaws.md#24-requirements-for-draft-guideline-ballots">section
2.4 of the Bylaws</a>. More specifically, the ballot should
contain either the "Ballot Version" type of changes or a redline
within the motion section. If they both appear, the "Ballot Version"
takes precedence. This ballot was submitted with the redline outside
the motion. <br>
<br>
I understand that it's disappointing that this is identified so late
in the process. Perhaps I'm wrong with this interpretation but I'd
like other Members to also review and share their opinion.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
PS: We should also avoid including links of websites that are not
publicly accessible when posting on the public list.<br>
<br>
<br>
<div class="moz-cite-prefix">On 30/3/2022 8:01 μ.μ., Ian McMillan
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017fdbc62ccd-e92a0d6f-b832-41d0-b4f9-b5692ec43dd6-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}@font-face
{font-family:"\@MS PGothic";}@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:ZH-CN;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}span.EmailStyle18
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><a
href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_13_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cianmcm%40microsoft.com%7C31d96159f5ed42ea367808da0ceebaa5%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637836517169400423%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=W9JW6jbaoIP9q5eo5kI9KtC%2FbyLkrPw4%2BknyEac9Fa8%3D&reserved=0"
moz-do-not-send="true">Ballot CSC-13: Update to Subscriber
Private Key Protection Requirements</a><o:p></o:p></p>
<p class="MsoNormal">Purpose of this ballot: Update the
subscriber private key protection requirements in the Baseline
Requirement for the Issuance and Management of
Publicly-Trusted Code Signing Certificates v2.7. The following
motion has been proposed by Ian McMillan of Microsoft and
endorsed by Tim Hollebeek of DigiCert and Bruce Morton of
Entrust.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">— MOTION BEGINS — <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This ballot updates the “Baseline
Requirements for the Issuance and Management of
Publicly‐Trusted Code Signing Certificates“ version 2.7
according to the attached redline which includes:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="mso-list:l1 level1 lfo3">Update
section 16.3 “Subscriber Private Key Protection” to
“Subscriber Private Key Protection and Verification”<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1 lfo3">Update
section 16.3 “Subscriber Private Key Protection” to include
sub-sections “16.3.1 Subscriber Private Key Protection” and
“16.3.2 Subscriber Private Key Verification”<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1 lfo3">Update
section 16.3 under new sub-section 16.3.1 to remove
allowance of TPM key generation and software protected
private key protection, and remove private key protection
requirement differences between EV and non-EV Code Signing
Certificates<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1 lfo3">Update
section 16.3 under new sub-section 16.3.1 to include the
allowance of key generation and protection using a
cloud-based key protection solution providing key generation
and protection in a hardware crypto module that conforms to
at least FIPS 140-2 Level 2 or Common Criteria EAL 4+<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l1 level1 lfo3">Update
section 16.3 under new sub-section 16.3.2 to include
verification for Code Signing Certificates' private key
generation and storage in a crypto module that meets or
exceeds the requirements of FIPS 140-2 level 2 or Common
Criteria EAL 4+ by the CAs. Include additional acceptable
methods for verification including cloud-based key
generation and protection solutions and a stipulation for
CAs to satisfy this verification requirement with additional
means specified in their CPS. Any additional means specified
by a CA in their CPS, must be proposed to the CA/Browser
Forum for inclusion into the acceptable methods for section
16.3.2 by November 15, 2022.<o:p></o:p></li>
</ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">— MOTION ENDS —<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The procedure for approval of this ballot
is as follows:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Discussion (7 days) <o:p></o:p></p>
<p class="MsoNormal">Start Time: 2022-03-23, 13:00 Eastern Time
(US) <o:p></o:p></p>
<p class="MsoNormal">End Time: 2022-03-30, 13:00 Eastern Time
(US)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Vote for approval (7 days) <o:p></o:p></p>
<p class="MsoNormal">Start Time: 2022-03-30, 13:00 Eastern Time
(US) <o:p></o:p></p>
<p class="MsoNormal">End Time: 2022-04-06, 13:00 Eastern Time
(US)<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>