<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:204758143;
mso-list-template-ids:1711166036;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:217472588;
mso-list-template-ids:-1906660852;}
@list l2
{mso-list-id:836846052;
mso-list-template-ids:283258796;}
@list l3
{mso-list-id:1756904130;
mso-list-template-ids:-447998268;}
@list l3:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:2020085603;
mso-list-template-ids:-136173630;}
@list l4:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>That’s what we’ve been doing with the server cert charter (discuss on the server list, with intent to vote on forum list), so there’s precedent. I think that’s what we’ve always done before, too.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>-Tim<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr> <br><b>Sent:</b> Wednesday, September 13, 2023 5:38 AM<br><b>To:</b> Martijn Katerbarg <martijn.katerbarg@sectigo.com>; Dean Coclin <dean.coclin@digicert.com>; Tim Hollebeek <tim.hollebeek@digicert.com>; cscwg-public@cabforum.org; Bruce Morton <bruce.morton@entrust.com><br><b>Subject:</b> Re: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>Makes sense. The CWG has the first say in its own Charter.<br><br>Thanks,<br>Dimitris.<span style='font-size:11.0pt'><o:p></o:p></span></p><div><p class=MsoNormal>On 13/9/2023 12:11 μ.μ., Martijn Katerbarg wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-size:11.0pt'>So while updating the charter really is something for the Forum level (ping <a id=OWAAMCF6AE7706B5650409B732264C247E4A9 href="mailto:dzacharo@harica.gr"><span style='font-family:"Calibri",sans-serif;text-decoration:none'>@Dimitris Zacharopoulos (HARICA)</span></a>), I would be inclined to say that a first update draft could be floated in the CSWG mailing list for feedback. Any objections?</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>I’ll start working on a draft update, and include changes to the voting structure language as well.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'><br>Regards,<br><br>Martijn</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Dean Coclin <a href="mailto:dean.coclin@digicert.com"><dean.coclin@digicert.com></a><br><b>Date: </b>Wednesday, 13 September 2023 at 10:14<br><b>To: </b>Tim Hollebeek <a href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a>, <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a> <a href="mailto:cscwg-public@cabforum.org"><cscwg-public@cabforum.org></a>, Martijn Katerbarg <a href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a>, Bruce Morton <a href="mailto:bruce.morton@entrust.com"><bruce.morton@entrust.com></a><br><b>Subject: </b>RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-size:12.0pt'>What “</span><span style='font-size:11.0pt'>current timestamping BRs” are you referring to?</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>As I said, timestamping strictly related to code signing should be in scope.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>Dean</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'> </span><o:p></o:p></p><div><div><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#0174C3'>Dean Coclin </span></b><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'>Sr. Director Business Development</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'>M 1.781.789.8686</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'><img border=0 width=129 height=37 style='width:1.3472in;height:.3888in' id="Picture_x0020_2" src="cid:image001.jpg@01D9E628.719AA1E0"></span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p></div></div><p class=MsoNormal><span style='font-size:12.0pt'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Tim Hollebeek <a href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a> <br><b>Sent:</b> Tuesday, September 12, 2023 8:27 PM<br><b>To:</b> Dean Coclin <a href="mailto:dean.coclin@digicert.com"><dean.coclin@digicert.com></a>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Martijn Katerbarg <a href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a>; Bruce Morton <a href="mailto:bruce.morton@entrust.com"><bruce.morton@entrust.com></a><br><b>Subject:</b> RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>This is just wrong, and Martijn was trying to say the opposite thing anyway: we should update the charter to explicitly state that timestamping is in scope. And I agree.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>The reason it can’t be true that timestamping is out of scope is because the current timestamping BRs have over 75+ references to timestamping!</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'><br>We’ve always considered timestamping to be in scope, because it’s an essential part of a secure code signing ecosystem. </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>-Tim</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Dean Coclin via Cscwg-public<br><b>Sent:</b> Tuesday, September 5, 2023 10:15 AM<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Bruce Morton <<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>><br><b>Subject:</b> Re: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'>As has been pointed out many times, the charter of the CSCWG does not include timestamping. Hence anything related to that beyond Code Signing would require a change to the charter.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'>Thanks for the point Martijn.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'><br>Dean</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'> </span><o:p></o:p></p><div><div><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#0174C3'>Dean Coclin </span></b><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'>Sr. Director Business Development</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'>M 1.781.789.8686</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'><img border=0 width=129 height=37 style='width:1.3472in;height:.3888in' id="Picture_x0020_1" src="cid:image001.jpg@01D9E628.719AA1E0"></span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p></div></div><p class=MsoNormal><span style='font-size:12.0pt'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Tuesday, September 5, 2023 11:47 AM<br><b>To:</b> Bruce Morton <<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>Hey Bruce,</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'><br>I’m inclined to say that even the removal of TSC Private Keys, is a new requirement. If we’re not explicitly saying that existing keys up until this point are excluded, then CA’s may need to remove a fair number of keys. If so, we may need to allow for a bit more time.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>That also brings me to another concern that popped up:</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>We’re adding more restrictions around timestamp certificates. While these obviously are heavily used for code signing, they’re not used just for that purpose.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>With that in mind, I think at least in the next Forum level meeting, we should make all members aware of the proposed changes, since it will probably impact members that are not a member of the CSWG. Secondly, I’ve started to wonder if we need to get our charter updated to include the scope of timestamping certificates, and possibly allow members that do not issue code signing certificates but that still are a TSA.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span lang=SV style='font-size:11.0pt'>Regards,<br><br>Martijn</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>><br><b>Date: </b>Thursday, 31 August 2023 at 17:30<br><b>To: </b>Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>, <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a> <<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>><br><b>Subject: </b>RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Hi Martijn,</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks for the Github version!</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>We should discuss which items need a future effective date. I assume the only issue is offline Subordinate CA. I would propose 15 September 2024. I don’t think there should be any impact to TSA certificates, since the private key can only be used for 15-months which is not changing.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Bruce.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>> <br><b>Sent:</b> Thursday, August 31, 2023 10:56 AM<br><b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div></div><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>As discussed on the last call, I’ve moved the language into GitHub, which can be reviewed at <a href="https://url.avanan.click/v2/___https:/github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1___.YXAzOmRpZ2ljZXJ0OmE6bzo0ZGY3NmNlYWMzMDA4N2ZkOWU0OWFjZmUwNzAxMWY3MTo2OjczZDc6N2JlZWYyZWRjNTU1ZTZmYmIxODIyMDZhNmU5NDY2YTY3ZTU2OTA2OWVhNDQ3YmNlNzVlZGQwY2U4MjdkYmJmMDpoOkY" title="Protected by Avanan: https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1">https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1</a></span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>In this, I’ve also added text on logging key removal and how to handle key recovery scenarios</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>It occurs to me that we’re missing two details on this item:</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo3'><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>What kind of effective date are we looking to attach to this</span><o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo3'><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>What will apply to SubCAs and Timestamp Certificates that have already been issued. </span><o:p></o:p></li></ol><ol style='margin-top:0in' start=2 type=1><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level2 lfo3'><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>If we want the same logic to be applied, do we want to maybe give additional time for existing setups?</span><o:p></o:p></li></ol></ol><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thoughts?</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Regards,<br><br>Martijn</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> <br><b>Sent:</b> Wednesday, 16 August 2023 20:00<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div></div><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Agreed with the change proposal.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks, Bruce.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>> <br><b>Sent:</b> Thursday, August 10, 2023 3:54 PM<br><b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] RE: [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div></div><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks Bruce,</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>I’m going through the TSA changes, and one thing caught my eye:</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Section 6.2.7.2 now reads:</span><o:p></o:p></p><p class=MsoNormal><i><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>A Timestamp Authority MUST protect its Private Key in offline Hardware Crypto Module conforming to FIPS 140-2 level 3, Common Criteria EAL 4+ (ALC_FLR.2), or higher. The Timestamp Authority MUST protect its signing operations in accordance with the CA/Browser Forum's Network and Certificate System Security Requirements.</span></i><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>The definition of “Timestamp Authority” (TSA) reads:</span><o:p></o:p></p><p class=MsoNormal><i><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>A service operated by the CA or a delegated third party for its own code signing certificate users that timestamps data using a certificate chained to a public root, thereby asserting that the data (or the data from which the data were derived via a secure hashing algorithm) existed at the specified time.</span></i><o:p></o:p></p><p class=MsoNormal><i><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span></i><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>It seems to me that this change would imply that a TSA needs to keep all their private keys in offline HCMs, including private keys associated with timestamp certificates. I presume this language is intended to only apply to the private key associated with the TSA Root CA (and even the Subordinate CAs, as far as I understood during todays call) , but not to the private key associated with the Timestamp Certificate itself. </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Might I suggest updating this language to:</span><o:p></o:p></p><p class=MsoNormal><i><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>A Timestamp Authority MUST protect Private Keys associated with its Root CA and Subordinate CA certificates in offline Hardware Crypto Module conforming to FIPS 140-2 level 3, Common Criteria EAL 4+ (ALC_FLR.2), or higher. The Timestamp Authority MUST protect its signing operations in accordance with the CA/Browser Forum's Network and Certificate System Security Requirements.</span></i><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Regards,<br><br>Martijn</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Bruce Morton via Cscwg-public<br><b>Sent:</b> Friday, 21 July 2023 17:55<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [Cscwg-public] Proposed Signing Service, High Risk and Timestamp Changes</span><o:p></o:p></p></div></div><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><div><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Based on the discussions we had at the June F2F, I have taken the opportunity to propose markups to derive Signing Service, High Risk and Timestamping ballots.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>The base text is from the CSC-19 version of the CSBRs. There may be some conflicting markups or markups.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l3 level1 lfo7'><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Signing Service – based on the former proposal, plus updates based on the discussions</span><o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l3 level1 lfo7'><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>High Risk – Removal of high risk and takeover attack, plus removed Subscriber key generation methods prior to 1 June 2023 and the text about delivering a software based private key. Also propose removing the “any other method” text.</span><o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l3 level1 lfo7'><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Timestamping – Maintain allowing 15 month private key usage period and 135 month validity period, but requiring private keys to be destroyed within 18 months if the timestamp certificate was valid for more than 15 months. Stating that the HSM supporting the Time-stamp CA must be offline. Stating that the TSA must reject SHA-1 signed timestamp requests</span><o:p></o:p></li></ol><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Hoping this will help to clean up this text which we have been discussing for a period of time. These items are on the agenda for next week's meeting.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks, Bruce.</span><o:p></o:p></p><p class=MsoNormal><i><span style='font-size:11.0pt'>Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately and delete the message from your system.</u></span></i><span style='font-size:11.0pt'> </span><o:p></o:p></p></div></div></div></div></div></div></blockquote><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p></div></div></body></html>