<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:64184217;
mso-list-template-ids:-2102917928;}
@list l0:level1
{mso-level-start-at:2;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:843475422;
mso-list-template-ids:-1944443760;}
@list l2
{mso-list-id:933902033;
mso-list-template-ids:1846839466;}
@list l2:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3
{mso-list-id:1927687757;
mso-list-template-ids:109632936;}
@list l4
{mso-list-id:2106539142;
mso-list-template-ids:908988948;}
@list l4:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=en-SE link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>So while updating the charter really is something for the Forum level (ping <a id=OWAAMCF6AE7706B5650409B732264C247E4A9 href="mailto:dzacharo@harica.gr"><span style='font-family:"Calibri",sans-serif;text-decoration:none'>@Dimitris Zacharopoulos (HARICA)</span></a>), I would be inclined to say that a first update draft could be floated in the CSWG mailing list for feedback. Any objections?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>I’ll start working on a draft update, and include changes to the voting structure language as well.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><br>Regards,<br><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span lang=EN-US style='font-size:12.0pt;color:black'>From: </span></b><span lang=EN-US style='font-size:12.0pt;color:black'>Dean Coclin <dean.coclin@digicert.com><br><b>Date: </b>Wednesday, 13 September 2023 at 10:14<br><b>To: </b>Tim Hollebeek <tim.hollebeek@digicert.com>, cscwg-public@cabforum.org <cscwg-public@cabforum.org>, Martijn Katerbarg <martijn.katerbarg@sectigo.com>, Bruce Morton <bruce.morton@entrust.com><br><b>Subject: </b>RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>What “</span><span lang=EN-US style='font-size:11.0pt'>current timestamping BRs” are you referring to?</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>As I said, timestamping strictly related to code signing should be in scope.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Dean</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#0174C3'>Dean Coclin </span></b><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'>Sr. Director Business Development</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'>M 1.781.789.8686</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><img border=0 width=129 height=37 style='width:1.3437in;height:.3854in' id="Picture_x0020_2" src="cid:image001.jpg@01D9E633.77630940"></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Tim Hollebeek <tim.hollebeek@digicert.com> <br><b>Sent:</b> Tuesday, September 12, 2023 8:27 PM<br><b>To:</b> Dean Coclin <dean.coclin@digicert.com>; cscwg-public@cabforum.org; Martijn Katerbarg <martijn.katerbarg@sectigo.com>; Bruce Morton <bruce.morton@entrust.com><br><b>Subject:</b> RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>This is just wrong, and Martijn was trying to say the opposite thing anyway: we should update the charter to explicitly state that timestamping is in scope. And I agree.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>The reason it can’t be true that timestamping is out of scope is because the current timestamping BRs have over 75+ references to timestamping!</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><br>We’ve always considered timestamping to be in scope, because it’s an essential part of a secure code signing ecosystem. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>-Tim</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Dean Coclin via Cscwg-public<br><b>Sent:</b> Tuesday, September 5, 2023 10:15 AM<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Bruce Morton <<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>><br><b>Subject:</b> Re: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>As has been pointed out many times, the charter of the CSCWG does not include timestamping. Hence anything related to that beyond Code Signing would require a change to the charter.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Thanks for the point Martijn.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><br>Dean</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#0174C3'>Dean Coclin </span></b><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'>Sr. Director Business Development</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'>M 1.781.789.8686</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><img border=0 width=129 height=37 style='width:1.3437in;height:.3854in' id="Picture_x0020_1" src="cid:image001.jpg@01D9E633.77630940"></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Tuesday, September 5, 2023 11:47 AM<br><b>To:</b> Bruce Morton <<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Hey Bruce,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><br>I’m inclined to say that even the removal of TSC Private Keys, is a new requirement. If we’re not explicitly saying that existing keys up until this point are excluded, then CA’s may need to remove a fair number of keys. If so, we may need to allow for a bit more time.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>That also brings me to another concern that popped up:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>We’re adding more restrictions around timestamp certificates. While these obviously are heavily used for code signing, they’re not used just for that purpose.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>With that in mind, I think at least in the next Forum level meeting, we should make all members aware of the proposed changes, since it will probably impact members that are not a member of the CSWG. Secondly, I’ve started to wonder if we need to get our charter updated to include the scope of timestamping certificates, and possibly allow members that do not issue code signing certificates but that still are a TSA.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=SV style='font-size:11.0pt'>Regards,<br><br>Martijn</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span lang=EN-US style='font-size:12.0pt;color:black'>From: </span></b><span lang=EN-US style='font-size:12.0pt;color:black'>Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>><br><b>Date: </b>Thursday, 31 August 2023 at 17:30<br><b>To: </b>Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>, <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a> <<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>><br><b>Subject: </b>RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Hi Martijn,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks for the Github version!</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>We should discuss which items need a future effective date. I assume the only issue is offline Subordinate CA. I would propose 15 September 2024. I don’t think there should be any impact to TSA certificates, since the private key can only be used for 15-months which is not changing.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Bruce.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>> <br><b>Sent:</b> Thursday, August 31, 2023 10:56 AM<br><b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>As discussed on the last call, I’ve moved the language into GitHub, which can be reviewed at <a href="https://url.avanan.click/v2/___https:/github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1___.YXAzOmRpZ2ljZXJ0OmE6bzo0ZGY3NmNlYWMzMDA4N2ZkOWU0OWFjZmUwNzAxMWY3MTo2OjczZDc6N2JlZWYyZWRjNTU1ZTZmYmIxODIyMDZhNmU5NDY2YTY3ZTU2OTA2OWVhNDQ3YmNlNzVlZGQwY2U4MjdkYmJmMDpoOkY" title="Protected by Avanan: https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1">https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1</a></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>In this, I’ve also added text on logging key removal and how to handle key recovery scenarios</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>It occurs to me that we’re missing two details on this item:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><ol style='margin-top:0cm' start=1 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level1 lfo3'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>What kind of effective date are we looking to attach to this</span><span lang=EN-US><o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level1 lfo3'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>What will apply to SubCAs and Timestamp Certificates that have already been issued. </span><span lang=EN-US><o:p></o:p></span></li></ol><ol style='margin-top:0cm' start=2 type=1><ol style='margin-top:0cm' start=1 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level2 lfo3'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>If we want the same logic to be applied, do we want to maybe give additional time for existing setups?</span><span lang=EN-US><o:p></o:p></span></li></ol></ol><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thoughts?</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Regards,<br><br>Martijn</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> <br><b>Sent:</b> Wednesday, 16 August 2023 20:00<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Agreed with the change proposal.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks, Bruce.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>> <br><b>Sent:</b> Thursday, August 10, 2023 3:54 PM<br><b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks Bruce,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>I’m going through the TSA changes, and one thing caught my eye:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Section 6.2.7.2 now reads:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><i><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>A Timestamp Authority MUST protect its Private Key in offline Hardware Crypto Module conforming to FIPS 140-2 level 3, Common Criteria EAL 4+ (ALC_FLR.2), or higher. The Timestamp Authority MUST protect its signing operations in accordance with the CA/Browser Forum's Network and Certificate System Security Requirements.</span></i><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>The definition of “Timestamp Authority” (TSA) reads:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><i><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>A service operated by the CA or a delegated third party for its own code signing certificate users that timestamps data using a certificate chained to a public root, thereby asserting that the data (or the data from which the data were derived via a secure hashing algorithm) existed at the specified time.</span></i><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><i><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span></i><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>It seems to me that this change would imply that a TSA needs to keep all their private keys in offline HCMs, including private keys associated with timestamp certificates. I presume this language is intended to only apply to the private key associated with the TSA Root CA (and even the Subordinate CAs, as far as I understood during todays call) , but not to the private key associated with the Timestamp Certificate itself. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Might I suggest updating this language to:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><i><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>A Timestamp Authority MUST protect Private Keys associated with its Root CA and Subordinate CA certificates in offline Hardware Crypto Module conforming to FIPS 140-2 level 3, Common Criteria EAL 4+ (ALC_FLR.2), or higher. The Timestamp Authority MUST protect its signing operations in accordance with the CA/Browser Forum's Network and Certificate System Security Requirements.</span></i><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Regards,<br><br>Martijn</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Bruce Morton via Cscwg-public<br><b>Sent:</b> Friday, 21 July 2023 17:55<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Based on the discussions we had at the June F2F, I have taken the opportunity to propose markups to derive Signing Service, High Risk and Timestamping ballots.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>The base text is from the CSC-19 version of the CSBRs. There may be some conflicting markups or markups.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><ol style='margin-top:0cm' start=1 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l4 level1 lfo7'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Signing Service – based on the former proposal, plus updates based on the discussions</span><span lang=EN-US><o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l4 level1 lfo7'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>High Risk – Removal of high risk and takeover attack, plus removed Subscriber key generation methods prior to 1 June 2023 and the text about delivering a software based private key. Also propose removing the “any other method” text.</span><span lang=EN-US><o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l4 level1 lfo7'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Timestamping – Maintain allowing 15 month private key usage period and 135 month validity period, but requiring private keys to be destroyed within 18 months if the timestamp certificate was valid for more than 15 months. Stating that the HSM supporting the Time-stamp CA must be offline. Stating that the TSA must reject SHA-1 signed timestamp requests</span><span lang=EN-US><o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Hoping this will help to clean up this text which we have been discussing for a period of time. These items are on the agenda for next week's meeting.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks, Bruce.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><i><span lang=EN-US style='font-size:11.0pt'>Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately and delete the message from your system.</u></span></i><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p></div></div></div></div></div></div></div></body></html>