<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:133377972;
mso-list-template-ids:-2144466724;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:565993578;
mso-list-template-ids:62395878;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:595135667;
mso-list-template-ids:-590299696;}
@list l2:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3
{mso-list-id:769669180;
mso-list-template-ids:820259802;}
@list l3:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="en-SE" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">Hey Bruce,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><br>
I’m inclined to say that even the removal of TSC Private Keys, is a new requirement. If we’re not explicitly saying that existing keys up until this point are excluded, then CA’s may need to remove a fair number of keys. If so, we may need to allow for a bit
more time.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">That also brings me to another concern that popped up:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">We’re adding more restrictions around timestamp certificates. While these obviously are heavily used for code signing, they’re not used just for that purpose.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">With that in mind, I think at least in the next Forum level meeting, we should make all members aware of the proposed changes, since it will probably impact members
that are not a member of the CSWG. Secondly, I’ve started to wonder if we need to get our charter updated to include the scope of timestamping certificates, and possibly allow members that do not issue code signing certificates but that still are a TSA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="SV" style="font-size:11.0pt;mso-fareast-language:EN-US">Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span lang="EN-US" style="font-size:12.0pt;color:black">From:
</span></b><span lang="EN-US" style="font-size:12.0pt;color:black">Bruce Morton <Bruce.Morton@entrust.com><br>
<b>Date: </b>Thursday, 31 August 2023 at 17:30<br>
<b>To: </b>Martijn Katerbarg <martijn.katerbarg@sectigo.com>, cscwg-public@cabforum.org <cscwg-public@cabforum.org><br>
<b>Subject: </b>RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Hi Martijn,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Thanks for the Github version!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">We should discuss which items need a future effective date. I assume the only issue is offline Subordinate CA. I would propose 15 September 2024. I don’t think
there should be any impact to TSA certificates, since the private key can only be used for 15-months which is not changing.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt">From:</span></b><span lang="EN-US" style="font-size:11.0pt"> Martijn Katerbarg <martijn.katerbarg@sectigo.com>
<br>
<b>Sent:</b> Thursday, August 31, 2023 10:56 AM<br>
<b>To:</b> Bruce Morton <Bruce.Morton@entrust.com>; cscwg-public@cabforum.org<br>
<b>Subject:</b> [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes<span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">As discussed on the last call, I’ve moved the language into GitHub, which can be reviewed at
<a href="https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1">
https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1</a></span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">In this, I’ve also added text on logging key removal and how to handle key recovery scenarios</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">It occurs to me that we’re missing two details on this item:</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l2 level1 lfo3"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">What kind of effective date are we looking to attach to this</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l2 level1 lfo3"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">What will apply to SubCAs and Timestamp Certificates that have already been
issued. </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></li></ol>
<ol style="margin-top:0cm" start="2" type="1">
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l2 level2 lfo3"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">If we want the same logic to be applied, do we want to maybe give additional
time for existing setups?</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></li></ol>
</ol>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">Thoughts?</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">Regards,<br>
<br>
Martijn</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt">From:</span></b><span lang="EN-US" style="font-size:11.0pt"> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>
<br>
<b>Sent:</b> Wednesday, 16 August 2023 20:00<br>
<b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes<span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Agreed with the change proposal.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt">From:</span></b><span lang="EN-US" style="font-size:11.0pt"> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>
<br>
<b>Sent:</b> Thursday, August 10, 2023 3:54 PM<br>
<b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes<span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">Thanks Bruce,</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">I’m going through the TSA changes, and one thing caught my eye:</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">Section 6.2.7.2 now reads:</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">A Timestamp Authority MUST protect its Private Key in offline Hardware Crypto Module conforming to FIPS 140-2 level 3, Common Criteria
EAL 4+ (ALC_FLR.2), or higher. The Timestamp Authority MUST protect its signing operations in accordance with the CA/Browser Forum's Network and Certificate System Security Requirements.</span></i><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">The definition of “Timestamp Authority” (TSA) reads:</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">A service operated by the CA or a delegated third party for its own code signing certificate users that timestamps data using a certificate
chained to a public root, thereby asserting that the data (or the data from which the data were derived via a secure hashing algorithm) existed at the specified time.</span></i><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span></i><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">It seems to me that this change would imply that a TSA needs to keep all their private keys in offline HCMs, including private keys
associated with timestamp certificates. I presume this language is intended to only apply to the private key associated with the TSA Root CA (and even the Subordinate CAs, as far as I understood during todays call) , but not to the private key associated with
the Timestamp Certificate itself. </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">Might I suggest updating this language to:</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">A Timestamp Authority MUST protect Private Keys associated with its Root CA and Subordinate CA certificates in offline Hardware Crypto
Module conforming to FIPS 140-2 level 3, Common Criteria EAL 4+ (ALC_FLR.2), or higher. The Timestamp Authority MUST protect its signing operations in accordance with the CA/Browser Forum's Network and Certificate System Security Requirements.</span></i><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">Regards,<br>
<br>
Martijn</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> </span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt">From:</span></b><span lang="EN-US" style="font-size:11.0pt"> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Bruce Morton via Cscwg-public<br>
<b>Sent:</b> Friday, 21 July 2023 17:55<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes<span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FAFA03"><span lang="EN-US" style="color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content
is safe.</span><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"> <span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Based on the discussions we had at the June F2F, I have taken the opportunity to propose markups to derive Signing Service, High Risk and Timestamping ballots.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">The base text is from the CSC-19 version of the CSBRs. There may be some conflicting markups or markups.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l3 level1 lfo6"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Signing Service – based on the former proposal, plus updates based on the discussions<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l3 level1 lfo6"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">High Risk – Removal of high risk and takeover attack, plus removed Subscriber key generation methods prior
to 1 June 2023 and the text about delivering a software based private key. Also propose removing the “any other method” text.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l3 level1 lfo6"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Timestamping – Maintain allowing 15 month private key usage period and 135 month validity period, but requiring
private keys to be destroyed within 18 months if the timestamp certificate was valid for more than 15 months. Stating that the HSM supporting the Time-stamp CA must be offline. Stating that the TSA must reject SHA-1 signed timestamp requests<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Hoping this will help to clean up this text which we have been discussing for a period of time. These items are on the agenda for next week's meeting.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-ligatures:standardcontextual">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:11.0pt">Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you
must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately and delete the message from your system.</u></span></i><span lang="EN-US" style="font-size:11.0pt">
<span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></p>
</div>
</div>
</div>
</div>
</body>
</html>